Lessons From SolarWinds Hack

Lessons from SolarWinds Hack and Ways Managed Security Services Provider Can Help

According to the U.S. national security agencies, a Russian intelligence agency has carried out a sophisticated malware campaign, impacting the local, state, federal departments, and private companies like Microsoft and FireEye. The widespread breach, which included an email system used by senior leadership at the Treasury Department, started earlier this year. Reports indicate that the initial backdoor seems to have been distributed via legitimate automatic update platforms since March 2020.

How Did The SolarWinds Breach Happen?

Hackers compromised the IT management software from SolarWinds, a Texas-based IT firm selling software products that enable businesses to track their computer network activities. In this attack, cybercriminals inserted malicious code into an update of SolarWinds’ software known as Orion.

So far, more than 18,000 SolarWinds customers have installed the tainted update on their systems.

At the same time, SolarWinds has notified 33,000 customers of the recent hack.

ZDNet reports that the trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the SolarWinds customers’ networks.

As it currently stands, the SolarWinds hack is still significant and ongoing.

It is not yet clear how many agencies are affected or what information the hackers have stolen. The malware is potent in all aspects and gives attackers broad reach into the impacted systems.


SolarWinds Breach Threat Actors

Through attribution, the current information indicates that the Russian state-backed APT29 group, aka Cozy Bear, carried out the SolarWinds compromise. APT29 has conducted a years-long cyber espionage campaign against Western targets, including the well-known incident at the Democratic National Committee (DNC).


SolarWinds Case – A Rise In Sophisticated Supply Chain Compromise

The SolarWinds hack is an example of a global campaign in which cybercriminals introduce a compromise into public and private organizations’ networks through the software supply chain. In this attack, hackers delivered the compromise through updates to a widely used IT infrastructure management product, the Orion network monitoring platform.

An analysis of the incident reveals that the hackers inserted malicious code into legitimate software updates, giving them remote access into a victim’s environment. At the same time, the attackers used a light malware footprint to accomplish the mission while avoiding detection. In effect, the hackers prioritized stealth, going to significant lengths to monitor and blend into regular network activity.

A supply-chain compromise is attractive to attackers because thousands of companies and government agencies use software products like SolarWinds’ Orion. With the release of a single tainted software update, the company’s vast customer base becomes a set of potential targets.

Responding To SolarWinds Breach

If you use SolarWinds in your organization, you can strengthen your posture through the following steps:

  1. Isolate devices running Orion until SolarWinds releases a patch for the malware
  2. Reset user credentials for accounts that have access to the machines running SolarWinds
  3. Upgrade to the latest version of the Orion platform
  4. Analyze logs and network traffic to detect malicious activity
  5. Create awareness so that your employees are on high alert for future attacks. Ensure that user accounts with administrative rights follow best practice, including the principle of least privilege
  6. Run updated antivirus that detects compromised libraries and potentially anomalous process behavior

Organizations should invest in continuous monitoring of network traffic to understand what information hosts are sharing and with whom. In effect, security teams can detect and leverage attacker weaknesses and dependencies to overcome cybersecurity challenges.
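Step 4 above and the monitoring recommendation both come down to the same question: which destinations is an Orion host talking to regularly that almost nothing else in the environment talks to? The script below is an added example, not code from the article or from SolarWinds; the host inventory, log format, thresholds and destination names are assumptions, and the log lines are constructed. It flags (source, destination) pairs where an Orion host connects at near-constant intervals to a destination used by few other hosts, while a periodic vendor update check shared by other machines is left alone.

```python
"""Flag regular, low-popularity outbound connections from hosts running Orion.
Added example, not from the original article; inventory, log format and
thresholds are assumptions, and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2020-12-14T08:00:00 orion-01 monitor-sync.example.net
2020-12-14T09:00:00 orion-01 monitor-sync.example.net
2020-12-14T10:00:01 orion-01 monitor-sync.example.net
2020-12-14T11:00:00 orion-01 monitor-sync.example.net
2020-12-14T08:03:12 orion-01 mail.corp.example
2020-12-14T08:41:07 orion-01 mail.corp.example
2020-12-14T10:15:55 orion-01 mail.corp.example
2020-12-14T08:10:00 ws-07 mail.corp.example
2020-12-14T08:00:00 orion-01 updates.vendor.example
2020-12-14T12:00:00 orion-01 updates.vendor.example
2020-12-14T16:00:00 orion-01 updates.vendor.example
2020-12-14T09:00:00 ws-07 updates.vendor.example
"""
ORION_HOSTS = {"orion-01"}  # assumed inventory of hosts running Orion


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, orion_hosts=ORION_HOSTS, min_conn=3, max_jitter=0.1, max_peers=1):
    """Return (src, dst, mean_interval_s) for near-periodic, rarely shared destinations."""
    events = parse_log(text)
    peers = defaultdict(set)  # destination -> set of hosts that contact it
    for src, dst in events:
        peers[dst].add(src)
    flagged = []
    for (src, dst), times in events.items():
        if src not in orion_hosts or len(times) < min_conn:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        regular = avg > 0 and pstdev(gaps) / avg <= max_jitter  # low jitter = periodic
        if regular and len(peers[dst]) <= max_peers:
            flagged.append((src, dst, round(avg)))
    return flagged
```

The hourly contact with monitor-sync.example.net is flagged because only the Orion host uses it and the interval barely varies; the mail traffic is irregular, and the vendor update check is periodic but shared with a workstation, so neither is reported.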

Partner With Cyber Security Agency To Prevent Frequent And Sophisticated Supply Chain Attacks

Cyber Security Agency works in close coordination with relevant partners and security agencies to detect and respond to complex threats. As a leading managed security services provider, the Cyber Security Agency offers reliable solutions to detect known and emerging cybersecurity threats.

Our team of experts keeps our customer community safer by methodically discovering and exposing malicious campaigns run by individual hackers and organized crime groups. Cyber Security Agency tracks significant cyber incidents and vulnerabilities impacting enterprise networks across industries and government agencies.

Cyber Security Agency also provides a third-party risk assessment. From the SolarWinds attack, it is evident that an attack on a vendor or supplier can undermine your organization’s security posture. In such cases, our experts help businesses adopt a comprehensive approach to security to prevent both external and internal security threats. For instance, we help your organization conduct due diligence on your core partners’ security posture to ensure they are not a risk.

Through Cyber Security Agency managed security services, you can achieve the following:

  • Keep your business vigilant and timely in installing the latest system updates
  • Implement and maintain intrusion detection and prevention systems (IDS/IPS) and firewalls to monitor network traffic and detect malicious activity
  • Secure all network-based assets
  • Implement tools and procedures that give full visibility into the network to spot threats. We recommend security technologies that evolve with cyberattacks
  • Educate employees on how to detect and respond to suspicious events
  • Transfer the security operations burden from your internal IT teams, allowing you to focus on what you do best

Get started with Cyber Security Agency Managed Security Services to gain security expertise and lessen the workload for your in-house security staff.