The SolarWinds supply chain attack is believed to be one of the biggest global cyberattacks to date, targeting the US government, its agencies and many private organizations. SolarWinds sells software that lets organizations monitor their computer networks. The attack involved inserting malicious code into an updated version of SolarWinds' Orion product. Well-known organizations including FireEye, Microsoft, Cisco, the U.S. Department of the Treasury, the U.S. Department of State, the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy (DOE) and the U.S. National Nuclear Security Administration (NNSA) were hit.
The attack was first revealed by SolarWinds customer FireEye, which discovered it had been breached through a trojanized version of the otherwise legitimate SolarWinds.Orion.Core.BusinessLayer.dll. This backdoored DLL, known as Sunburst, was delivered through Orion's own automatic update mechanism to approximately 18,000 customers. The threat actors, believed to be a state-sponsored advanced persistent threat (APT) group, then used sophisticated techniques, including bypassing multi-factor authentication (MFA), to move from the Orion host into the rest of the victims' environments. For a technical analysis, see Microsoft's Sunburst backdoor write-up. The broader lesson is that no system can be guaranteed unhackable.
Here are some of the important defense recommendations and key lessons to take away from the SolarWinds 'Sunburst' attack:
- The most worrying aspect of this attack is the MFA bypass. Relying 100% on MFA is not a defense strategy: MFA is necessary but not sufficient, because an attacker who already controls the identity provider or its token-signing key can mint valid tokens without ever presenting a second factor. Treat MFA as one layer in a defense-in-depth plan, and above all keep attackers from gaining administrative control of your systems, particularly the identity infrastructure.
- To mitigate the backdoor, upgrade to the patched Orion release (the SolarWinds hotfix). Until the patch can be applied, isolate the Orion servers from the network rather than leaving a known-backdoored build running with its monitoring credentials.
- The attackers routinely changed their "last mile" IP addresses, using virtual private servers and rotating through many of them so that each connection arrived from a fresh endpoint. This makes blocking individual source IPs ineffective and leaves few per-address traces. It is therefore very important to examine logs carefully and hunt for behavioral signs of intrusion (an account whose every sign-in comes from a different address, for instance) rather than relying on IP reputation alone, and to use network and vulnerability scanning/mapping tools so you know what is actually exposed.
- The attackers forged authentication tokens to gain access to both on-premises and hosted resources. After escalating privileges on Microsoft Active Directory domain accounts, they compromised the Security Assertion Markup Language (SAML) token-signing certificate, which let them mint SAML tokens for any user that the cloud services accepted as genuine. Validating a security token before granting access to a protected resource on a resource server is a must, but a token signed with a stolen key validates perfectly. So also protect the signing key (ideally in an HSM), rotate it if compromise is suspected, and correlate the tokens your service providers accept against the identity provider's issuance logs; a token that was never issued is the tell.
- An operational security plan should be written and distributed across the business so that anomalous network behavior can be recognized and acted on quickly, not just by the security team.
- Exposure through third parties may remain even after the hotfix for the DLL backdoor, because partners and suppliers often run the same affected software. Smaller suppliers frequently lack the monitoring capability and infrastructure to track vulnerabilities and notify the large enterprises they serve. To minimize this risk, large enterprises should keep an inventory of their partners and suppliers, monitor them, and require them to adopt baseline cybersecurity practices.
- A company should make sure everyone is aware of the incident and on alert to prevent similar attacks in the future. Written guidance should be issued so that all staff take appropriate precautions.
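As an added illustration of the two log-analysis points above (source-IP rotation, and forged tokens that pass signature validation), here is example detection logic run over constructed SAML sign-in log lines. It is not code from the original article or from SolarWinds or Microsoft; the `<timestamp> <system> key=value ...` log format, the field names and the one-hour assertion-lifetime policy are assumptions made for this example.

```python
"""Added detection example (not from the original article).

Three checks over constructed identity-provider (IdP) and service-provider
(SP) logs: assertions the SP accepted that the IdP never issued, assertions
with an overlong validity window, and accounts whose sign-ins rotate through
a different source IP every time. Log format, field names and the one-hour
lifetime policy are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_ASSERTION_LIFETIME = timedelta(hours=1)  # assumed policy

# Constructed IdP log: every assertion the IdP legitimately issued.
IDP_LOG = """\
2020-12-10T09:00:00Z idp event=issue assertion=a1 user=alice@corp.example
2020-12-10T09:05:00Z idp event=issue assertion=a2 user=bob@corp.example
2020-12-10T09:10:00Z idp event=issue assertion=a3 user=alice@corp.example
"""

# Constructed SP log: every assertion the cloud service accepted. The last
# three were never issued by the IdP, carry a one-year validity window and
# arrive from a different address each time (the forged-token pattern).
SP_LOG = """\
2020-12-10T09:00:03Z sp event=accept assertion=a1 user=alice@corp.example src=10.1.1.5 notbefore=2020-12-10T09:00:00Z notonorafter=2020-12-10T10:00:00Z
2020-12-10T09:05:02Z sp event=accept assertion=a2 user=bob@corp.example src=10.1.1.9 notbefore=2020-12-10T09:05:00Z notonorafter=2020-12-10T10:05:00Z
2020-12-10T09:10:01Z sp event=accept assertion=a3 user=alice@corp.example src=10.1.1.5 notbefore=2020-12-10T09:10:00Z notonorafter=2020-12-10T10:10:00Z
2020-12-10T11:00:00Z sp event=accept assertion=zz9 user=admin@corp.example src=203.0.113.10 notbefore=2020-12-10T11:00:00Z notonorafter=2021-12-10T11:00:00Z
2020-12-10T11:30:00Z sp event=accept assertion=zz8 user=admin@corp.example src=198.51.100.7 notbefore=2020-12-10T11:30:00Z notonorafter=2021-12-10T11:30:00Z
2020-12-10T12:00:00Z sp event=accept assertion=zz7 user=admin@corp.example src=192.0.2.44 notbefore=2020-12-10T12:00:00Z notonorafter=2021-12-10T12:00:00Z
"""


def parse(log):
    """Turn "<ts> <system> k=v k=v ..." lines into dicts; blank lines skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, system, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, TS_FMT), "system": system}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def unissued_assertions(idp_events, sp_events):
    """Assertions the SP accepted but the IdP never logged issuing.

    A token minted with a stolen signing key passes signature validation,
    so it only stands out through the absence of a matching IdP event.
    """
    issued = {e["assertion"] for e in idp_events if e.get("event") == "issue"}
    return sorted(e["assertion"] for e in sp_events
                  if e.get("event") == "accept" and e["assertion"] not in issued)


def overlong_assertions(sp_events, max_lifetime=MAX_ASSERTION_LIFETIME):
    """Assertions whose NotBefore..NotOnOrAfter window exceeds policy."""
    flagged = []
    for e in sp_events:
        if e.get("event") != "accept":
            continue
        lifetime = (datetime.strptime(e["notonorafter"], TS_FMT)
                    - datetime.strptime(e["notbefore"], TS_FMT))
        if lifetime > max_lifetime:
            flagged.append(e["assertion"])
    return sorted(flagged)


def rotating_sources(sp_events, min_signins=3):
    """Accounts with at least min_signins sign-ins, each from a distinct IP.

    Per-connection address rotation through VPS infrastructure looks exactly
    like this; the behaviour, not any single IP, is the indicator.
    """
    sources = defaultdict(list)
    for e in sp_events:
        if e.get("event") == "accept":
            sources[e["user"]].append(e["src"])
    return sorted(user for user, ips in sources.items()
                  if len(ips) >= min_signins and len(set(ips)) == len(ips))


def run(idp_log=IDP_LOG, sp_log=SP_LOG):
    """Run all three checks and return the findings as a dict."""
    idp, sp = parse(idp_log), parse(sp_log)
    return {
        "unissued": unissued_assertions(idp, sp),
        "overlong": overlong_assertions(sp),
        "rotating": rotating_sources(sp),
    }


if __name__ == "__main__":
    for check, hits in run().items():
        print(f"{check}: {hits}")
```

On the constructed data all three checks converge on the same three assertions for admin@corp.example. The issuance-correlation check only works if the IdP log is shipped off the identity server as it is written: an attacker with administrative control of that server can edit local logs, which is exactly the position the attackers here were in.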
For further updates on the SolarWinds 'Sunburst' attack, visit the sites listed:
Allari implements customized service plans for IT Operations & Cyber-security which allow you to complete a higher volume of planned work, gain the capacity to innovate and help your business to win.