SolarWinds Hack: Cyberattack Creates a Global Alarm Mood | Free Antivirus

More than 18,000 organizations, companies, and authorities are affected by the SolarWinds hack: as became known in December 2020, cybercriminals succeeded in smuggling the Sunburst malware onto the update server for the Orion IT management software from SolarWinds. In addition to the security company FireEye, numerous US authorities and military institutions are affected, as are corporations and public authorities in Germany. We summarize the situation and the findings so far and present Sectigo's assessment of this incident.




Serious break-in to SolarWinds IT systems

As SolarWinds explained shortly after the official announcement of the attack (PDF), the Sunburst malware is believed to have been introduced via the build system of the Orion software; the malicious software could not be found in the source code repository of the Orion platform. According to the findings so far, the malware was apparently inserted between March and June 2020 and then downloaded many times via the in-house update server.


According to SolarWinds, most likely all customers who downloaded, updated, or implemented Orion software within the said period are compromised. SolarWinds speaks of more than half of all 33,000 Orion customers, but it is not yet known how many customers actually downloaded the malware and from whom data was actually tapped.


Supply chain attack with Sunburst

Extensive cyberattacks were carried out in 2020 using the compromised SolarWinds product Orion. Both private and government computer networks in the USA, but also in Europe, were penetrated to a previously unknown extent. A backdoored program library was distributed via the update server, so that the malware Sunburst and Supernova got into the networks, as FireEye said in a report in mid-December.


This is what is known as a "supply chain attack": the Trojan was distributed via updates or downloads for the Orion platform from SolarWinds and thereby found its way into numerous public and private organizations around the world. Versions 2019.4 HF5 to 2020.2.19.0 are affected. How this was possible is still unclear, but there is a hint: as early as 2019, security researcher Vinoth Kumar drew SolarWinds' attention to the weak password "solarwinds123" for the update server.


SolarWinds hack: full extent still unclear

So far there has only been speculation about the full extent of the SolarWinds hack. According to SolarWinds, at least 18,000 companies and organizations are affected - namely, as mentioned above, all those who downloaded or updated the software during the critical period. The security company FireEye explains in the report cited above that only selected and potentially valuable targets have actually been exploited. Concrete details are only gradually coming to light. Findings so far:


SolarWinds hack: Hackers accessed Microsoft source code

"We discovered that an account was being used to view source code" - with this news Microsoft shocked private users and companies on the last day of last year. Apparently, those responsible for the SolarWinds hack got into Microsoft's source code. No source code was lost, and no manipulation could be detected. But even just viewing the source code of software can be regarded as spying on trade secrets.


Knowing the source code also makes it easier to hack Microsoft products, because whoever looks will find something: weak points, for example, that can be exploited for attacks. Numerous organizations and companies rely on Microsoft products, including operators of critical infrastructures. Now it is up to Microsoft to reveal exactly which code of which products was accessed - American security authorities are already pressing for this. But there is also good news from Microsoft: the in-house virus scanner Defender can now detect the malware.


Brian Krebs, IT security blogger, pointed out the domain avsvmcloud.com: the domain once used by the attackers to communicate with compromised systems was taken over by Microsoft. This is not the first time that this has happened: in coordination with security authorities, the software company had already taken over malware domains in the past. Jeff Jones, a senior director at Microsoft, responded to Krebs' tweet by saying that everyone had to make a contribution to cybersecurity.


A short time later there was new information about the domain: together with FireEye and the responsible registrar GoDaddy, Microsoft converted the said domain into a kill switch in order to be able to switch off the Sunburst malware on the systems concerned.


In another blog post, Microsoft stated that it had come across a second piece of malware, which may have come from another group of hackers. Unlike the first malware, which relied on a valid SolarWinds signature, this malware carries no signature, which suggests that it came from a separate, independent group.


SolarWinds hack: other affected parties

The SolarWinds hack left numerous victims in its wake: a reseller of office software used by CrowdStrike is also said to be affected by the hack, but CrowdStrike itself was not, even though the attackers tried to access the company's emails. According to the NYT, the attackers gained access to more than 250 US federal agencies - including the State Department, the Pentagon, the Department of Justice, and NASA - and companies.


Sectigo customers can breathe a sigh of relief

Because almost anyone who relies on SolarWinds can be affected, the CA Sectigo (formerly Comodo) reacted directly: in a blog post, the certification authority makes it clear that Sectigo customers and partners remain unaffected by the cyberattack. Sectigo checked its internal infrastructure and found no indication that in-house systems, operations, or products were affected by the cyberattack.


Sectigo also takes the opportunity to explain how code signing relates to such a supply chain attack: apparently, the attacker added a malicious DLL to the SolarWinds build environment. This malicious DLL was then included in the signed updates for the SolarWinds Orion platform. Because the attacker inserted the malicious code into the build environment before signing took place, the code signing itself ran without any error. A code signature only guarantees that the distributed file is bit for bit identical to the file that was signed; it says nothing about what went into that file. In this case, the malicious code was injected before the build, so the signed and distributed code already contained the malicious DLL.
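To make the point concrete, the following is an added example, not code from the article, Sectigo, or SolarWinds. It models a toy build pipeline in Python: a valid signature is produced over whatever the build environment emitted, so a module planted before signing passes verification, while an independent rebuild from the source repository (a reproducible-build comparison, the defender's check the signature alone cannot provide) exposes the difference. HMAC-SHA256 stands in for a certificate-based code signature, and all module names, file contents and the key are constructed for the demonstration.

```python
"""Added example: a valid code signature proves bit-for-bit integrity since
signing, not that the build input was clean. HMAC-SHA256 is a stand-in for a
real certificate-based code signature; names and contents are constructed."""
import hashlib
import hmac

# Constructed stand-in for the vendor's source repository: module -> contents.
CLEAN_SOURCE = {
    "Orion.Core.dll": b"legitimate core logic",
    "Orion.Web.dll": b"legitimate web frontend",
}

# Constructed stand-in for the key held by the vendor's signing service.
SIGNING_KEY = b"constructed-demo-signing-key"


def build(source, build_env_extra=None):
    """Toy deterministic build: links every module present in the build
    environment into one artifact. build_env_extra models files that exist in
    the build environment but were never committed to the source repository."""
    modules = dict(source)
    if build_env_extra:
        modules.update(build_env_extra)
    parts = [name.encode() + b"\n" + body + b"\n"
             for name, body in sorted(modules.items())]
    return b"".join(parts)


def sign(artifact, key=SIGNING_KEY):
    """Stand-in for code signing: the signature commits to every bit of the artifact."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact, signature, key=SIGNING_KEY):
    """Bit-for-bit integrity check: exactly what a code signature guarantees."""
    return hmac.compare_digest(sign(artifact, key), signature)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_release(artifact, signature, clean_source):
    """Defender's check. Signature validity alone is not enough, so the signed
    artifact is also compared against an independent rebuild from the clean
    source repository (a reproducible-build comparison)."""
    rebuilt = build(clean_source)
    return {
        "signature_valid": verify_signature(artifact, signature),
        "matches_rebuild": sha256_hex(rebuilt) == sha256_hex(artifact),
    }


def demo():
    """Runs three scenarios and returns their audit results by name."""
    # 1. Clean build, signed by the vendor: both checks pass.
    clean = build(CLEAN_SOURCE)
    clean_sig = sign(clean)

    # 2. A backdoor module (constructed name) planted in the build environment
    #    before signing: the signing step runs without error and verification
    #    passes, but the rebuild from clean source does not match.
    injected = build(CLEAN_SOURCE,
                     {"Injected.Backdoor.dll": b"constructed backdoor stub"})
    injected_sig = sign(injected)

    # 3. Modification after signing: this the signature does catch.
    tampered_after = injected + b"post-signing modification\n"

    return {
        "clean": audit_release(clean, clean_sig, CLEAN_SOURCE),
        "injected_before_signing": audit_release(injected, injected_sig, CLEAN_SOURCE),
        "modified_after_signing": audit_release(tampered_after, injected_sig, CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} signature_valid={result['signature_valid']} "
              f"matches_rebuild={result['matches_rebuild']}")
```

The second scenario is the one that matters here: the signature is genuine and verifies, because the signing service faithfully signed what the compromised build environment produced. Only a comparison against an artifact built independently from the audited source reveals the extra module, which is why reproducible builds and build-environment integrity controls complement code signing rather than duplicate it.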


The federal government was not affected by the SolarWinds hack

In response to a written question from Bundestag member Canan Bayram (Greens) as to the extent to which state institutions could be affected, the answer read: "The federal government currently has no knowledge of whether state institutions or the authors of the compromised SolarWinds Orion software are affected." However, the question of whether companies with federal participation were affected by the SolarWinds hack remained unanswered.


Some time later things looked different: according to the federal government, 15 German federal offices and ministries use software from SolarWinds. However, the government remains silent on whether or not the hacked Orion tool is being used. This time Bundestag member Manuel Höferlin (FDP) submitted the question; the federal government's answer is available at heise.de (PDF). Central IT service providers of the federal government are named here, among others the Robert Koch Institute, the Federal Motor Transport Authority, and the Federal Office for Information Security (BSI). The government does not provide any information on the use of SolarWinds software by the Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution (BfV). The reason given: "This could mean a disadvantage for the effective performance of the tasks of the BfV and the BND and thus for the interests of the Federal Republic of Germany".


In response to the question of whether sensitive data had been accessed, the federal government stated: "According to the current state of knowledge of the federal government, there has been no unauthorized access to federal administration systems via the sunburst program in the SolarWinds Orion software". What is noticeable about the federal government's answer is that it deals with the Sunburst malware but not with the Supernova Trojan. A requested list of customers who use SolarWinds products does not claim to be "complete"; it was created with "high resources and extensive coordination". 16 German ministries and federal offices can be found on SolarWinds' customer list.


Class action lawsuit against SolarWinds

It goes without saying that SolarWinds now also has to deal with legal problems: on January 4, 2021, shareholders filed a class action against SolarWinds with the US District Court for the Western District of Texas. The complaint (PDF) states: "As a result of the defendants' wrongful acts and omissions and the rapid decline in the market value of the company's securities, the plaintiff and other members of the class have suffered significant losses and damage."


Specifically, the plaintiffs accuse the SolarWinds management of not having disclosed that the Orion platform had a vulnerability and that weak passwords such as "solarwinds123" were used to secure it. The management is also accused of "false and/or misleading" statements in official filings, in which facts relating to the business, operations, and prospects of SolarWinds were misrepresented.


In fact, the behavior of some SolarWinds shareholders looks questionable: just a few days before the SolarWinds hack became known, namely on December 7, 2020, two main investors sold company shares totaling US$280 million. The two shareholders had held around 70% of the shares up to that point. Both deny any inside knowledge, even though the attacks had been going on for several months at the time. It is also interesting that the outgoing CEO Kevin Thompson had already sold shares in November - SolarWinds shares valued at over $15 million. These facts should prove interesting in connection with the first lawsuit against SolarWinds. SolarWinds itself has not yet commented on this lawsuit. According to CRN, however, the company said it was now focusing exclusively on "helping the industry and our customers understand and defuse this attack."


Investigations into the SolarWinds hack are ongoing

As is usual after attacks of this kind, there is little reluctance to make accusations: representatives of various US intelligence and security agencies agree with Secretary of State Pompeo and Attorney General Barr and accuse Moscow. The above-mentioned authorities are convinced that the government-affiliated group APT29 was responsible for the attack. Donald Trump, after initially remaining silent on the attack, contradicted this: after all, it could have been China too.


Both ideas belong, for now - until there is solid evidence - in the realm of speculation. Although there is still no concrete evidence, the first traces followed by law enforcement authorities lead in a completely different direction: to the Czech-based software developer JetBrains. This is reported by the NYT, citing investigators. Unfortunately, there is no real clue on this trail either - the only connection currently is that SolarWinds is one of JetBrains' customers.


JetBrains itself confirms this in a blog entry: yes, SolarWinds is one of JetBrains' customers. However, JetBrains CEO Maxim Shafirov denies involvement in the incidents: SolarWinds itself has not yet provided JetBrains with any information. It is possible that incorrect configurations on SolarWinds' side could have led to a compromise, but there are no known indications of this. In another update, Shafirov explains: "As part of our commitment to transparency and to keep our customers informed of what is happening, we would like to inform you that we have been proactive in contacting and speaking to the US Department of Justice. We have offered them our full cooperation in this matter. Once again, to repeat it again, we are not aware of any weak point that could have led to this situation."


It will take some time before there is more than wild speculation to go on. It would be desirable, and in the interests of affected customers, to do real investigative work and above all to take precautions. This includes using secure passwords and effectively protecting access. Perhaps this precaution alone could have prevented the SolarWinds hack from taking place in this form. Without a doubt, it can be called one of the most dangerous hacks in history.


It would also be desirable if there were finally binding and systematic management of security gaps. The IT security law still lacks an obligation to report security gaps - a situation that is not sustainable, as the SolarWinds hack now impressively proves. This attack also proves that we depend on strong encryption without back doors - nothing weakens security more than back doors.




This case shows something else: the security awareness of managers and employees in the IT security industry still needs to be improved. System passwords for the SolarWinds software were simply lying around on a server. Security instructions were ignored and risks were downplayed. Awareness simply has to grow that our digitized world is vulnerable - and that everyone in a company can make a significant contribution to increasing or decreasing security.