Solarwinds Hack: 5 lessons to improve your cyber career

CBS news youtube report on security advisor that said solarwinds was easy to hack
  • Solarwinds network monitoring software used by fortune 500 companies was discovered with malicious code impacting 18,000 global organizations.
  • Microsoft discovered the malicious code in its own environment 
In recent weeks a supply chain hack was discovered of the Solarwinds network monitoring software used by major private and government organizations. The hack was first discovered by Fireeye cybersecurity company which was investigating attackers that had infiltrated its defences to steal its intellectual property, which has since then published the stolen tools and how to detect and counteract their exploitation

Solarwinds has since issued a security advisory including security fixed of the malware into affected products. Further advisories from Cybersecurity and Infrastructure Agency (CISA) on mitigating the attack of government agencies including a confirmation from Microsoft on discovering the malicious code in its products.

So what can one learn from the "highly sophisticated" attack that is affecting an array of major government and private organizations around the globe.

1. Secrets handling
A security researcher found the credentials of an update server secured with a weak password "Solarwinds123" stored as plaintext since June 2018, according to theregister. 

Upon discovery the security researcher contacted Solarwinds to alert them to the issue in November 2019 "their update server was accessible with the password 'solarwinds123' which is leaking in the public Github repo. They fixed the issue and replied to me."

In addition, there are reports of actors selling access to the SolarWinds systems on the dark web and underground forums since 2017, according to reuters. There are further reports that a security adviser warned the Solarwinds that the company was "incredibly easy to hack"

The impact is that attackers have had unauthorized to access to Solarwinds software and email systems which they have used to implant malicious software into Solarwinds products affecting 18,000 organizations around the world.

Lessons: 
a) How is your secrets handling within your organization? Secrets include: passwords, API keys, certificates, trade secrets, intellectual property, encryption keys..etc. 

b) How easy is it to report security issues to your organization by external actors? 
Luckily in this situation, the researcher was able to reach the security team and have the issues fixed but there are several reports where reporters of security issues cannot reach affected organization and get punished for their efforts.

2. Legacy protocols
The credential leaking software update server discovered by the security researcher was accessible via file transfer protocol (ftp). Ftp is used to upload and download files from a server on the Internet. 

Nonetheless, Ftp is a very old and unsafe protocol which is full of security bugs, a favorite attack method for the attackers. As a result, Ftp is getting removed from future versions of mozilla firefox and google chrome.

Lessons: How are you safeguarding legacy protocols and systems from unauthorized access? Even better, has an audit of legacy protocols and systems that need to be deactivated to further reduce the attack surface of the organization? For instance telnet, ftp, remote desktop protocol etc

3. Detecting malware via source code
While investigating its own hack, Fireeye looked through 50,000 lines of Solarwinds product source code to discover malicious software that was included in it. 

Once installed, the malicious software enables attackers to gain a foothold into the client network from which further access is gained by creating administrator accounts with access to the organizations crown jewels. 

The attackers were not easily discovered because they went at great lengths to conceal their activities by impersonating employee access and activity within a particular a city the victim organization was operating in.

Lesson: How is code reading skills to hunt down malicious code? What efforts are in place to detect adversaries already within your networks? Remember that "there are two types of companies: those that have been hacked and those that do not know they have been hacked"

4. Ethics
Reports indicate that SolarWinds investors sold $286 million worth of stock before revealing the cyberassualt on the firm in what appears to be actions from shareholders to cash in before the bad news are announced. And as expected, the company stock fell by 23 percent when the news of the breach came to light. Such actions raise questions regarding insider trading.

This is about ethics which is concerned with making judgement about what is right or wrong. As a Cyber professional, one is entrusted with confidential information as their job role requires to fulfill their duties rather than for personal curiosity and profit.

Lesson: As a cyber professional, think about what your advice to those ready to cash-in while delivering information thats likely to cause a financial impact to the business

5. Compromised SDLC
The sofware development lifecycle (SDLC) is the entire process of translating the needs of users into software products with phases from requirements, design, development, testing, release and maintenance, and disposal. 

According to a reversinglabs report, the Solarwinds build and code signing infrastructure was compromised which is part of the development with the effect that attackers were able to insert malicious code that was undetected throughout the rest of SDLC phases. The report further details an approach to detect and prevent similar software supply chain attacks.

Lesson: How do you verify integrity of your software development process? How do you detect tampering and unauthorized access?

The solarwinds hack is still under investigation and will be updated with more lessons as they unfold.

Leave us a comment and subscribe to our Cyberletter to keep in the loop.

  

Comments