The SolarWinds hack is a big one. I did not want to jump into this too soon, because I wanted to let some more information come to light. Granted, in many cases, the true nature of hacks like this may never be gleaned. That said, here is what we think we know. Let’s take a look at what happened, how it happened, the impact, and how this whole mess could have been prevented.
Allegedly, Russian-linked hackers inserted malicious code into software updates for the SolarWinds network management product Orion and were able to conduct varying degrees of cyber espionage. Orion is an Information Technology (IT) infrastructure monitoring and management platform, essentially a collection of tools used to manage IT.
The compromise is speculated to have begun as early as October 2019 and is known to have been active between March and June 2020. During that window the malicious code was propagated to many of SolarWinds’ customers through weaponized Orion updates (more on the details in the next section). Of the purported 33,000 Orion users, SolarWinds claims 18,000 customers installed the affected updates. These customers include several US Government entities, such as the Pentagon, the Department of Homeland Security and the Department of Energy, as well as Fortune 500 companies such as Microsoft, Cisco, Intel, and many others.
According to the Reuters news outlet, security researcher Vinoth Kumar told them that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”. It is unlikely this was the source of the current hack, but credential theft via another means is a very likely culprit. Many companies, for instance, use code repositories such as GitHub for version control of software packages. If credentials were left in the source code, whether intentionally (insider threat) or unintentionally (negligence), anyone with access to the repository would have access to those credentials.
Ultimately, the hackers injected malicious code in the form of a remote access trojan (RAT) present within standard Windows Installer patch files. Specifically, the SolarWinds.Orion.Core.BusinessLayer.dll component contained the RAT. Once the update installs, the malicious dynamic link library (DLL) is loaded by SolarWinds.BusinessLayerHost.exe (or SolarWinds.BusinessLayerHostx64.exe). After a period of remaining dormant, the malware attempts to resolve a subdomain of avsvmcloud.com. The domain name system (DNS) response returns a CNAME record that points to a command and control (C2) domain. Once the C2 link is made, remote hackers can access the machine with elevated privileges.
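As an added example (not code from the original post, SolarWinds or Identité), the DNS handoff described above can be turned into a simple detection over resolver logs: flag hosts that queried a subdomain of the avsvmcloud.com staging domain and received a CNAME pointing to a different domain. The log format, field layout, hostnames and IP addresses are all constructed assumptions for this demo.

```python
# Added example: scan constructed DNS resolver log lines for the SUNBURST-style
# pattern described above (query to a subdomain of the staging domain, answered
# with a CNAME to a second, C2 domain). Log format and all values are assumed.
import re
from collections import namedtuple

# Assumed resolver log format: "<timestamp> <client_ip> <qname> <rtype> <answer>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|CNAME)\s+(\S+)$")
STAGING_DOMAIN = "avsvmcloud.com"
Hit = namedtuple("Hit", "client qname cname")


def parse_line(line):
    """Return (ts, client, qname, rtype, answer) or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def is_staging_query(name):
    """True for any subdomain of the staging domain (the apex itself is excluded)."""
    n = name.lower().rstrip(".")
    return n.endswith("." + STAGING_DOMAIN)


def find_sunburst_hits(lines):
    """Flag clients whose staging-domain query was answered with a CNAME that
    leaves the staging domain, i.e. the C2 handoff the post describes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines instead of crashing
            continue
        _ts, client, qname, rtype, answer = rec
        if rtype == "CNAME" and is_staging_query(qname) and not is_staging_query(answer):
            hits.append(Hit(client, qname.rstrip("."), answer.rstrip(".")))
    return hits


# Constructed sample log lines (not real telemetry); only the second is a hit.
SAMPLE_LOG = [
    "2020-06-01T10:00:00Z 10.1.2.3 www.example.com A 93.184.216.34",
    "2020-06-01T10:00:05Z 10.1.2.3 abc123.avsvmcloud.com. CNAME c2.example-c2.test.",
    "2020-06-01T10:00:06Z 10.1.2.4 def456.avsvmcloud.com A 10.0.0.1",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in find_sunburst_hits(SAMPLE_LOG):
        print(f"ALERT client={h.client} queried {h.qname} -> CNAME {h.cname}")
```

Because the staging domain is now widely blocked, the same logic is more useful as a template: swap in the staging domain of whatever campaign you are hunting and run it over historical resolver logs.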
Once the foothold was established on the affected systems, various malicious activities were conducted on the device, including delivering TEARDROP and BEACON malware, Temporary File Replacement and Temporary Task Modification, and, potentially most harmful, lateral movement using different credentials.
Let’s say that many of the entities breached by this hack were highly capable and strictly followed the least-privilege paradigm: they were using a stand-alone server that was appropriately segregated from other network resources. In this case, I would argue that the most impactful activity came from lateral movement using different credentials.
In my prior life as a penetration tester, once I had elevated access to a device, I could essentially harvest any other credential that accessed that device. That means I could turn a barely useful system-level administrator account on a boardroom presentation laptop that held no data into a nearly all-powerful domain admin account with unfettered, unilateral access to almost all the systems and data on the network. The horrifying part is that it was easy. Something as simple as a memory scrape would produce active tokens I could pass to other resources without even so much as cracking the password. Another option was to capture the hashes of the device and crack them offline. There were several methods to attack these accounts, specifically by attacking the authentication or passwords.
Stepping back from the horror of hacking, there are steps that can be taken to mitigate these attacks and increase the difficulty for malicious entities.
Up-to-date system and security patches AND removing the password, or at least protecting accounts with multifactor authentication (MFA), are the most impactful security considerations, period!
Unfortunately, in this case, even if the organizations’ systems were up to date, they were still subject to breach. A trusted entity was breached, and the organizations were subject to the ramifications of a lapse of diligence by one of their vendors. Instances like this are major drivers for Zero Trust architectures, which essentially revolve around continually validating access via authentication and authorization controls.
Regardless of what happens outside the organizational sphere of influence, every organization can control the things within its reach, like accounts. As case studies come out about the impact of the SolarWinds breach, my inclination is that companies with MFA-protected accounts will have weathered the storm much more effectively than those without.
Properly protecting accounts with MFA all but eliminates the ability of hackers to compromise the accounts and thereby eliminates the threat of lateral movement. Even if the hackers obtain a password for an account, that is only a piece of the puzzle. The password is useless without the accompanying factor(s). Like any technology, though, MFA must be implemented properly to be most effective. That is where the strength of the factors comes into play. Based on my experience, biometrics is the strongest factor of authentication, so the most robust MFA solutions contain this factor.
If organizations want to fully embrace the future and be leading-edge, removing the password entirely and adding technologies such as Full Duplex Authentication® (FDA) are the next evolutionary step in protecting against further instances of these breaches.
FDA is a patent-pending technology from Identité that ensures the authenticating service authenticates to the client authenticator before the authenticator invokes its private key. This prevents hackers from impersonating the service in order to take over accounts. FDA can also be leveraged for transactional protection, providing passwordless MFA for sensitive account actions as well, for instance registry or sensitive file changes.
With passwordless MFA using biometrics and FDA, the ability of hackers to move laterally would be essentially removed from the equation, and the actions taken on the local device severely hampered.
Whether it comes out that the breach originated from a password-based attack, which it likely did, or from a system-based attack, there is absolutely no question that protecting accounts with Full-Duplex MFA will exponentially increase the robustness of any organization’s security posture in mitigating the effects of breaches.
According to a joint statement from FBI, CISA, ODNI, and NSA