In case you haven’t been reading security news headlines recently, the IT security vendor space was shaken by the latest attack, which experts say is bigger than the famous Equifax breach. Thousands of global enterprises and government agencies may have been exploited by hackers via the Solarwinds Orion network monitoring solution.
The security community is continuing to investigate the nuts and bolts of the attack. While some details have been announced, we want to briefly dig into how it occurred, who was affected, and what organizations should do to step up their security hygiene and avoid being breached in such a way.
The latest sign that 2020 was not going to go out quietly was when different sources from FireEye and Microsoft first disclosed that a highly advanced and sophisticated attack on SolarWinds had occurred.
A group of state-backed Russian hackers exploited the SolarWinds Orion software via a malware attack, which allowed the cybercriminals to move within the network and create a backdoor into the system. This attack was followed up by creating a malicious update within the SolarWinds system, providing the attackers full visibility and mobility within the exploited victims’ systems.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 13th instructing that SolarWinds Orion network solutions have become exploited by malicious actors. On the same day, FireEye announced a detailed technical analysis of the backdoor created by the cybercriminals.
SolarWinds suggested that 18,000 of their 300,000 customers had possibly downloaded and installed the malware within their organizations. Many of SolarWind’s customers include different global Fortune 500 companies, the majority of the US-based telcos, and different branches of the US military. On top of these global organizations, other cybersecurity vendors such as FireEye and different US and UK government branches were potentially exploited in the attack.
Due to the impact of the SolarWinds breach, the security community will look back at this attack as one of the biggest breaches on the United States governments ever committed.
While this breach demonstrates how far Russian state-backed attacks will go, most organizations need to think about the effect it will have on their businesses rather than who the attackers are.
First, every organization no matter its size should double-check and make sure that their SIEM solution is secure and up-to-date with the current threat landscape. While some people might refrain from putting their entire organization’s trust in a monitoring solution after reading about this attack, now is the time for stronger and more up-to-date alerts and auditing.
These kinds of attacks should push your organization to better understand the status of their security, and if needed, to adopt the right solutions to patch up potential points of entry for hackers – literally. Patching is hugely important now as various solutions update in response to new threats, and the breach will push SIEM providers to investigate their solutions to see where they can be exploited.
While the details of the attacks are still being investigated and will continue for months, here are three takeaways that your organizations can think about to decrease the chances of becoming a victim.
Cybercriminals are increasing their attack efforts with more sophisticated attempts on organizations’ software supply chains, and the SolarWinds attack has forced everyone to pay attention. While your organization might believe it is secure, in reality, no one is. Ensure all communications are encrypted, and make good use of basic tools like 2FA.
Cybercriminals are finding new ways to attack organizations and exploit their critical resources and networks. Hackers can easily exploit your organization from in-depth attacks or in some cases the simple theft of an employee’s password, but no matter how they get in they can still enjoy frightful lateral movement if the right access management precautions aren’t taken.
As seen in different breaches, cybercriminals may not be detected for weeks or even months. People tend to think of data breaches as attackers quickly exploiting and deserting their victims within minutes. In reality, attackers often are lurking for years until a breach is found. To fight off unauthorized access from malicious actors your organization should prioritize monitoring and network visibility.
As a member of the cybersecurity vendor community, it’s tough to see a fellow vendor become the victim of a cyber attack. All cybersecurity vendors know we are working together to make the world a more secure place. At Perimeter 81, we strive to provide the most secure experience for our customers and partners, and take the SolarWinds breach very seriously. As we look into 2021 we will innovate further and ensure even better network security in the upcoming year and on.