SolarWinds' Network Security Vulnerabilities: What to Know
By: Alan Seal on January 11, 2021
In early December, a massive cyberattack that used SolarWinds' Orion, an IT infrastructure monitoring platform, was discovered to have infiltrated computer networks across the world, from U.S. government agencies to major U.S. companies such as Microsoft. A backdoor hidden inside a legitimate Orion software update installed itself on the servers that received the update, giving its operators the ability to read, transfer, and execute files as well as reboot systems and profile, stop, or disable services. In short, the backdoor gave its creators, widely attributed to a Russian state-sponsored group, largely unfettered access to sensitive data and vital network systems.
While the intrusion is believed to have begun in the spring of 2020, its impact will last well into 2021 as SolarWinds releases updates and patches to close the vulnerabilities. As of December 28, the Center for Internet Security had flagged at least one additional vulnerability in the Orion platform, an authentication bypass in its API. For many, this brings data security to the forefront of business security needs and has IT professionals in just about every vertical re-examining their own network security vulnerabilities.
A supply chain attack, sometimes called a third-party attack, targets an outside provider whose software or service already has trusted access to a company's systems and data. The attackers compromise the third party and piggyback their way in through a legitimate product or service, so the intrusion arrives through a channel the victim already trusts.
Over the last 10 years these attacks have grown more frequent as companies outsource more of their data handling and rely on outside vendors for vital software and management tools. Industry research suggests that while phishing attacks have declined, supply chain attacks have grown and will continue to grow.
How Did the Supply Chain Attack on SolarWinds Orion Happen?
Those responsible for the attack inserted malicious code into the Orion build process, so that a legitimate, digitally signed Orion update carried the backdoor to every customer who installed it. Because the update was signed by SolarWinds, ordinary code-signing and integrity checks did not flag it; the trojanized build was indistinguishable from a normal release until its behavior was analyzed.
The attack itself was well organized: it used command-and-control domains, since taken down, that had been registered and left dormant for a long time, so communication between the attackers' servers and infected systems evaded suspicion and looked like normal traffic. In part, this is what led investigators to believe this was a coordinated and well-resourced effort to gain access to emails, data, and systems that contain sensitive information.
The malware hid among Orion's own plug-ins and utilities and checked each host for anti-virus, endpoint detection, and forensic tools using an obfuscated blocklist of hashed process and service names, disabling some of those tools and staying dormant when others were present. Then, once inside the victim's environment, the attackers stole the keys used to sign authentication tokens and forged their own, which let them bypass even multi-factor authentication and reach the files and accounts they wanted. FireEye, which originally identified the compromise, notes that once this kind of access is established the attackers prefer to use legitimate credentials and authenticated actions, which makes their activity far harder to distinguish from normal use.
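To make the "obfuscated blocklist" concrete, the following added example (not code from the SolarWinds incident, from FireEye, or from vXchnge) shows why shipping hashes instead of names hides which security products a malware sample is looking for, and how an analyst recovers most of those names anyway by hashing a dictionary of known tool names. The hash function (plain 64-bit FNV-1a), the tool names, and the process lists are illustrative assumptions; the real malware's exact algorithm, constants, and list are not reproduced here.

```python
"""Hashed process blocklist: how it hides tool names, and how an analyst
recovers them.  Added example, not code from the SolarWinds incident or
from vXchnge; the hash, tool names and process lists are illustrative."""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a.  Chosen for illustration, not the malware's variant."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def build_blocklist(process_names):
    """What an attacker ships: only hashes.  Static analysis of the binary then
    shows 64-bit integers rather than the names of the products being checked."""
    return {fnv1a_64(name.lower().encode()) for name in process_names}


def should_stay_dormant(running_processes, blocklist):
    """Malware-side check: go quiet if any running process hashes to a blocklisted value."""
    return any(fnv1a_64(p.lower().encode()) in blocklist for p in running_processes)


def recover_names(blocklist, candidate_names):
    """Analyst-side countermeasure: hash a dictionary of known security and
    analysis tool process names and keep the ones that match.  Anything the
    attacker checked for that is not in the dictionary stays unknown."""
    recovered = {}
    for name in candidate_names:
        h = fnv1a_64(name.lower().encode())
        if h in blocklist:
            recovered[h] = name.lower()
    return recovered


# Constructed sample data (illustrative names, not the real blocklist).
ATTACKER_TOOL_NAMES = ["procmon.exe", "wireshark.exe", "x64dbg.exe", "secret_edr.exe"]
BLOCKLIST = build_blocklist(ATTACKER_TOOL_NAMES)

# The analyst's dictionary lacks "secret_edr.exe", so one hash stays unresolved.
ANALYST_DICTIONARY = ["procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe", "ida64.exe"]

if __name__ == "__main__":
    print("blocklist hashes:", [hex(h) for h in sorted(BLOCKLIST)])
    print("dormant with Wireshark running:",
          should_stay_dormant(["explorer.exe", "Wireshark.exe"], BLOCKLIST))
    print("dormant on a clean host:",
          should_stay_dormant(["explorer.exe", "svchost.exe"], BLOCKLIST))
    recovered = recover_names(BLOCKLIST, ANALYST_DICTIONARY)
    print("recovered:", sorted(recovered.values()))
    print("unrecovered hashes:", len(BLOCKLIST) - len(recovered))
```

The point for defenders is the asymmetry: the hashes stop a quick string search from revealing the targeted products, but they do not stop a determined analyst, and the mere presence of a hashed list of process names in a monitoring product's plug-in is itself a strong indicator that something is wrong.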
The Potential Impact of the SolarWinds Orion Cyber Attack
While SolarWinds has removed the affected downloads from its site and is offering patches, updates, and additional resources to those impacted, it may take some time before the full impact of this breach is known. Because the attack was so widespread, it may take a significant amount of time even to determine how many organizations were truly compromised and how severely.
Initial numbers suggest that as many as 18,000 organizations installed the affected update, but it is not known how many of those systems the attackers actually went on to use. Because the attackers' tradecraft is so sophisticated and SolarWinds' platform so complex, finding and removing the backdoor and any follow-on toolkits will be costly for many smaller organizations without access to cybersecurity experts. Experts suggest that, for many, the only reliable remedy will be to rebuild affected systems from scratch.
Of those impacted, the greatest concern, especially for the U.S., is the sensitivity of the information accessed. While no clear information is available about the level of classified information the attackers were able to reach, security experts and government officials have called the attack one of the greatest national security threats yet seen in cybersecurity.
As for other organizations, it will likely take time to determine what level of access the attackers achieved, what data and information was exposed, and how that will affect their long-term business strategies. Further, the work to evict the intruders and secure their networks will take significant time, money, and resources.
Recommended Responses for Network Security Vulnerabilities
It's no secret that these attacks, which so far have been largely successful, will not stop. Like most cyberattacks, they will likely grow more sophisticated with time. While cybersecurity experts are learning from the evasive techniques used in this attack, the attackers are also watching and learning how IT professionals respond.
For small to medium organizations, supply chain attacks are often not part of the threat model at all. For that reason, it is crucial that any business communicates with everyone who has access to its network, including vendors and third-party providers of enterprise applications, to confirm that security measures are in place. During the RFP process, security questions should cover how the vendor develops, builds, and distributes its software and what it does to minimize the risk of a compromised release.
For businesses using data centers and colocation, questions should revolve around system architecture and application access: can third-party applications be isolated so that their access to the rest of the network is limited? Where the infrastructure cannot provide that level of segmentation, what security controls does your provider have in place to protect your network and data?
Finally, carefully monitoring your network for security issues, traffic, and access with a network monitoring tool like in\site is invaluable. The more eyes on a system, especially eyes that know what normal traffic looks like, the better.
According to Reuters, access to SolarWinds' computers had been offered for sale on underground forums. In hindsight it is easy to say that their systems clearly should have been better protected, but for a small to medium sized organization, protecting digital assets is a full-time and costly job. However, if credentials are for sale and password policies aren't strict, gaining access to your systems may be easier than you think.
Login Location Monitoring
While the perpetrators of the SolarWinds attack were eventually able to forge authentication tokens and bypass two-factor authentication, 2FA is still a valuable tool: forging tokens required privileged access the attackers had already gained, and 2FA still blocks the far more common attacks that rely on a stolen or guessed password alone. Beyond that, monitoring your network for traffic, including login locations, is an excellent strategy. A login by a user from a country they have never connected from, or two logins minutes apart from places no flight could bridge, deserves investigation. If you're using a colocation service, you should be asking for robust monitoring tools that give you 24/7/365 access to your network's security information.
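The following added example shows what login-location monitoring looks like in practice. It is not vXchnge's in\site tooling or any vendor's product; the authentication log lines, the IP-to-location table, the per-user baseline countries, and the speed threshold are all constructed for illustration. A real deployment would replace the table with a GeoIP database and read events from the identity provider or VPN concentrator.

```python
"""Login-location monitoring over authentication events.  Added example, not
vXchnge's in\\site tooling; log lines, geolocation table and thresholds are
constructed assumptions.  Two rules: a login from a country outside the user's
baseline, and "impossible travel" between two consecutive logins."""

from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed IP -> (country, latitude, longitude).  Assumption: stands in for
# a GeoIP lookup.  Addresses are from the RFC 5737 documentation ranges.
GEO = {
    "203.0.113.10": ("US", 40.71, -74.01),   # New York
    "203.0.113.11": ("US", 40.71, -74.01),
    "198.51.100.7": ("DE", 52.52, 13.41),    # Berlin
    "192.0.2.44":   ("BR", -23.55, -46.63),  # Sao Paulo
}

# Constructed events in the form "timestamp user source_ip result".
SAMPLE_LOG = """\
2020-12-14T08:02:11Z alice 203.0.113.10 success
2020-12-14T08:40:05Z alice 198.51.100.7 success
2020-12-14T09:15:00Z bob 203.0.113.11 success
2020-12-14T09:16:30Z bob 203.0.113.11 failure
2020-12-15T22:03:44Z alice 192.0.2.44 success
"""

# Constructed baseline: countries each user has historically logged in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text: str):
    """Parse the whitespace-separated sample format into Login records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, result == "success"))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_anomalies(events, baseline, max_speed_kmh=900.0):
    """Return (user, timestamp, rule, detail) tuples for successful logins that
    come from a non-baseline country or imply travel faster than max_speed_kmh
    since the user's previous successful login.  Failures and unknown IPs are
    skipped here; they warrant their own rule rather than silent handling."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.ok or e.ip not in GEO:
            continue
        country, lat, lon = GEO[e.ip]
        if country not in baseline.get(e.user, set()):
            alerts.append((e.user, e.ts.isoformat(), "new_country", country))
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(GEO[prev.ip][1], GEO[prev.ip][2], lat, lon)
            if hours > 0 and dist / hours > max_speed_kmh:
                alerts.append((e.user, e.ts.isoformat(), "impossible_travel",
                               f"{dist:.0f} km in {hours:.2f} h"))
        last[e.user] = e
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(alert)
```

On the constructed log, alice's Berlin login 38 minutes after a New York login trips both rules, while her Sao Paulo login the next evening trips only the new-country rule because a day and a half is enough time to fly there. Tune the baseline and speed threshold to your own users; a rule that fires on every business traveller will be ignored.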
Lock Down Your Network
Take a look at your network, determine what third-party tools you're using, and ask what access each one really needs. This breach was so dangerous in part because a network monitoring platform like Orion typically runs with broad, privileged access to the systems it monitors, so whoever controls the platform inherits that access. One of the first things you can do is limit third-party access to what each tool actually needs.
Next, make sure your network is reachable only from a limited set of devices. The temptation is to grant access to everyone who asks, but to ensure security, access really must be limited to those who need it.
Enhance Your Vulnerability and Threat Management with vXchnge
Whenever a big data breach happens, there’s an immediate rush to re-evaluate network vulnerabilities and threat management. Imagine if you didn’t have to worry about that. Imagine if you had dedicated IT professionals who not only ensure compliance with any industry standards but also provide tools you need to protect your data.
vXchnge’s risk mitigation services ensure just that. Not only do you get the physical security your servers need, but our data centers are regularly audited by external auditors providing you with peace of mind regarding the security of your network and data.
Further, with in\site, our network monitoring tool, and its convenient mobile interface, you get access to your network and its status wherever you are and whenever you need it, which lets you monitor and respond especially when vulnerabilities and threats have been identified.
There’s no doubt that data security needs are in the spotlight any time there’s a breach or attack. One of the benefits of using a data center is we worry about that for you. For more information, check out our Data Center Security guide and contact us today to discuss how we can help you protect your digital assets.
About Alan Seal
Alan Seal is the VP of Engineering at vXchnge. Alan is responsible for managing teams in IT support and infrastructure, app development, QA, and ERP business systems.