Malware via Update: Sunburst Will Keep us Busy for Quite Some Time.

Imagine the next operating system update for your PC to include a malicious program, making your device accessible to hackers. This is what happened to users of the SolarWinds Orion platform. Updates for their IT management software were contaminated, and subsequently compromised the IT infrastructure of more than 18,000 companies and government agencies. A detailed incident investigation report is now available, along with a tool to find out if your own infrastructure has been affected.

  #Cyber Defense Center   #Security Emergency Concept   #Security Awareness   #Security as a Service   #Security Risk Assessment   #SIEM   #Vulnerability Management  

At the beginning of December 2020, SolarWinds was worth nearly 7.4 billion US dollars on the stock market. A big company, indeed, providing software to other big organizations, mostly Fortune 500 companies and government departments. Its heavyweight and high-profile clientele made SolarWinds a perfect target for hackers, whose intrusion into the company's systems early last year went undetected for nine months, until mid-December.

 

It began in March 2020

According to media reports, SolarWinds had unwittingly sent contaminated software updates to its customers as early as March. It was not until December 13 that the cyberattacks were first reported. In the very first article, Russia was held responsible for the attack, which was promptly denied by the Russian Foreign Ministry. Further reports followed one after another and it became clear that there were more and more high-profile victims. The Wall Street Journal named some of them: government agencies such as the Department of Homeland Security, the State Department, the Pentagon and the National Nuclear Security Administration, as well as large corporations such as Microsoft, Cisco, Intel and Deloitte.

 

The hackers were interested in specific targets

The malware introduced into the IT infrastructure of SolarWinds customers via Orion updates is called Sunburst. Apparently, most of the SolarWinds customers supplied with Sunburst were not of interest to the hackers. Only at select organizations did the hackers plant additional malware to ensure access across those businesses' local networks and cloud resources. The intruders focused primarily on Microsoft 365 infrastructure.  Although the attackers were selective, the attack had a huge impact on the data security of thousands of SolarWinds customers, which include most of the U.S. Fortune 500 companies, the top ten U.S. telecommunications providers and the U.S. government, according to the company. The unprecedented attack also had extremely negative consequences for SolarWinds' market capitalization:  Shares plummeted; the company is currently worth just under five billion US dollars - more than two billion dollars have vanished into thin air.

 

A tool against the hackers

The cybersecurity company FireEye, which derives its revenues from protecting high-profile clients, was also affected by the hacker attack[i]. Experts from FireEye were the ones who noticed the intrusion and triggered the alarm[ii] – not the U.S. Department of Defense Cyber Command, which is funded with billions of dollars and, according to the New York Times, was caught completely off guard by the attack.[iii]. FireEye has led the investigation into the SolarWinds hack, along with Microsoft and security firm CrowdStrike. A few days ago, FireEye has published a report describing the methods of the SolarWinds hackers[iv]. Along with the report, FireEye researchers also released a free tool called Azure AD Investigator on GitHub that companies can use to determine whether the hackers have penetrated their networks[v]. Meanwhile, SolarWinds Corp. gave assurances that the Sunburst malware had been removed from its download page. According to the company, the Sunburst vulnerability does not affect any other SolarWinds products.

 

Maximizing cybersecurity

Not all consequences of the SolarWinds hack are yet foreseeable. Tom Bossert, a U.S. government security expert, wrote in the New York Times that it could take years to secure all networks. In the meantime, it's important to maximize cybersecurity. UMB's security experts can help you with that. You will only be able to respond quickly to emerging threats if your network is permanently monitored. UMB will take full responsibility for your IT security with the Cyber Defense Center. Our Security Intelligence Team has already taken the necessary steps to secure our customers' IT infrastructures against the emerging threats. We will make your IT environment secure. Please contact us for more information.

 

[i] https://www.umb.ch/en/blog/news/detail/from-the-depths-of-the-internet-hackers-attack-large-cyber-security-company

[ii] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[iii] https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html

[iv] https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html

[v] https://github.com/fireeye/Mandiant-Azure-AD-Investigator