On December 8th, 2020 security practitioners around the world received news from our friends at FireEye of a breach in which they “were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” In an update posted on Dec. 13th Kevin Mandia, FireEye’s CEO, shared additional details which identified the source of the disclosed breach as a sophisticated supply chain attack through a widely adopted IT management suite, SolarWinds’ Orion Platform. In it he shared common elements which have since been verified by other practitioners in their reverse engineering efforts:
• Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
• Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
• Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
• High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
The goal of this article is not to rehash the details compiled to date. Instead, I feel it’s important to point out the wider ramifications of these tactics. We’ve learned that these groups do monetize their tactics, techniques and procedures (TTPs) via dark web repositories and marketplaces. Defenders must adapt their processes to recognize these TTPs, implement controls to stop malicious activities and establish recovery playbooks.
Additionally, on Dec. 24th we heard from the team at CrowdStrike about their close encounter with the malicious actors. Michael Sentonas, CrowdStrike’s CTO, states “CrowdStrike does not have any attribution and does not know of any connection to SUNBURST at this time.” They did, however, disclose that during Microsoft’s internal investigation into the supply chain breach, malicious activity was observed originating from the Azure instance of a Microsoft reseller that manages CrowdStrike’s Office 365 licenses. During CrowdStrike’s internal investigation they realized that the native tools available from the Azure Infrastructure as a Service platform were inadequate for validating AD permissions and for auditing an incident that had occurred months earlier.
Managed Service Providers have long been a target of malicious actors. We expect our MSPs to maintain their security posture at a high level. Unfortunately, this latest supply chain attack proves that even the most mature, well-staffed and disciplined organizations can fall victim to mature, well-staffed and disciplined malicious actors.
It is still too early to know the full depth and breadth of this supply chain attack. Malicious actors have determined that development team tools can be used to gain footholds in their target networks. I’ve already heard whispers of server passwords in publicly readable GitHub repositories, compromised Office 365 mailboxes and even speculation in a NY Times article, just yesterday, that SolarWinds may have also been a victim of a compromised supplier.
These tactics and outcomes are not new in our industry. Cloud Workload Protection products exist because modern cloud-based development and production infrastructure environments do not offer adequate governance, visibility and control facilities. User and Entity Behavioral Analytics (UEBA) features in monitoring tools like SIEMs, AD monitoring tools, and EDR/NDR/XDR platforms are much more efficient at spotting stealthy adversaries than the average security analyst armed with threat intel and playbooks. Malicious actors are honing their ability to live within your networks, masquerading as legitimate users for extended periods prior to executing their goals. Third-party risk monitoring tools can be an early indicator of issues in the supply chain. They are also useful for monitoring your own organization.
Cadre advocates extending the Zero Trust Access model to internal applications and controls. Privileged Access Management tools must be deployed to thwart privilege escalation and lateral movement within your networks. Global Key Management and Data Management tools should be integrated to render exfiltrated data useless outside the confines of your infrastructure. Strong authentication schemes and MFA should be extended to internal controls with integration credentials stored in a network-based HSM. This fact bears restating: modern HSMs can integrate with many controls in your network, not just your web servers.
With all this said, I would emphasize that your efforts to increase the maturity level of security operations in your organization must continue. There are frameworks freely available from multiple sources. My favorite is from the Center for Internet Security. Their CIS Controls framework was developed by the best and brightest practitioners in the industry and is presented in an easy-to-understand format.
For more advanced advice and guidance please be sure to reach out to Cadre. We excel at matching your pain points and business challenges to the right solution. We also have multiple IR teams in our partner ecosystem to address concerns as to whether your organization may be affected by a supply chain attack, or to accurately gauge your organization’s Cyber Security Maturity Level.