The SolarWinds Breach: Why Your Work Computers Are Down Today

Read the original article: The SolarWinds Breach: Why Your Work Computers Are Down Today


The information security news cycle went into overdrive yesterday afternoon. First, Reuters revealed that both the Commerce and Treasury Departments suffered significant intrusions. The Washington Post soon followed up with multiple sources attributing the attack to the Russian foreign intelligence service, the SVR—in particular, a portion of the SVR known as Cozy Bear—although there is no official attribution yet. Within a few hours, FireEye and Microsoft announced that this was a “supply chain” attack involving SolarWinds Orion software, and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive. Today, it turns out that the attackers also compromised the Department of Homeland Security. SolarWinds revealed to the SEC that the breach may affect 18,000 customers.

There’s a lot going on, so here’s a quick guide for readers looking to get up to speed on the news.

What is SolarWinds Orion?

SolarWinds Orion is part of the SolarWinds suite of network and computer management tools. One of the biggest problems in managing a large network is simply its scale: a network can have dozens of critical computers and hundreds or even thousands of computers overall. The SolarWinds suite not only includes monitoring capabilities, so users can tell when a critical computer goes down, but also the ability to automatically restart services. As a consequence, this software is likely to be installed on the most critical systems in the enterprise—those which, when they go down, block the ability to get work done.

What Happened to SolarWinds Orion?

It appears that, in March 2020, someone managed to modify the SolarWinds Orion software during the build process—that is, the process which translates the human-readable source code into a form that a computer can execute. This timing is based on both the Microsoft and FireEye analyses, as well as the affected versions reported by SolarWinds.

This modification included a very sophisticated and stealthy trojan program, designed to remotely control any computer that installed SolarWinds Orion. When customers installed the latest update, the trojan program would start running on the victim’s computers. This is considered a “software supply chain” attack: the intended victims received a polluted copy of the Orion software directly or indirectly from SolarWinds.

What Did the Trojan Do?

The trojan itself was a sophisticated and very stealthy backdoor analyzed by both FireEye and Microsoft. Though the program produced some indications to tell if a computer was infected, it first waited 12 to 14 days before taking any action—a period of quiet designed to thwart analysis, as the malicious payload wouldn’t even start until the computer had been running for a long time. Only then did it begin looking up a command-and-control server. Once again, this routine included checks to thwart analysis.

Only then would the trojan start communicating with a remote server belonging to the attacker, with this communication disguised to look like the normal sort of web traffic generated by a benign automated tool. From there, the attacker now had effectively full control over the victim machine, including the ability to install additional software and perform other tasks.

What Then?

This is where the attacker gained extra capabilities. Amongst the “critical” enterprise servers that must remain up for the business to function are the authentication and Active Directory servers. These servers are incredibly important, as they identify users to other systems, say what permissions a user has to access data, and change the configuration of other machines. The attacker could use this to move throughout the victim enterprise, gaining control, creating new accounts and accessing whatever data or resources were desired.

This would allow the attacker to become an “authorized” user with nearly unlimited reach, present effectively everywhere in the victim’s network. Notably, it seems that the attacker used these abilities to create new accounts and install new remote control software. Microsoft’s analysis of the attacker’s behavior showed that even if the SolarWinds backdoor were removed, the attacker might maintain access all throughout the targeted network.
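The two footholds described above, new accounts and newly installed remote-control software, both leave records in standard Windows event logs, so a defender hunting for them after the Orion backdoor is removed has something concrete to look at. The following is an added example, not code from the article or from the FireEye or Microsoft analyses. It reads constructed log records shaped like exported Windows events (Event ID 4720, “A user account was created”, and Event ID 7045, “A service was installed in the system”, are real event IDs; the hosts, account names, paths and timestamps are made up) and flags account creations performed by anything other than an assumed provisioning account, service installs whose binary sits outside assumed trusted directories, and service installs performed by an account created shortly before. The allowlists and the seven-day window are assumptions to be replaced with an organisation’s own baseline.

```python
"""Triage filter for post-compromise footholds: unexpected account creation
and unexpected service installation. Constructed example with made-up data."""
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows event log exports (JSON lines).
# 4720 = "A user account was created" (Security log)
# 7045 = "A service was installed in the system" (System log)
SAMPLE_LOG = r"""
{"time": "2020-12-13T02:14:07", "event_id": 4720, "host": "DC01", "subject": "CORP\\svc-provisioning", "target": "CORP\\jdoe"}
{"time": "2020-12-13T03:41:55", "event_id": 4720, "host": "DC01", "subject": "CORP\\svc-orion", "target": "CORP\\backup_admin2"}
{"time": "2020-12-13T03:42:10", "event_id": 7045, "host": "FS02", "subject": "CORP\\backup_admin2", "service_name": "RemoteHelper", "image_path": "C:\\Windows\\Temp\\rhelper.exe"}
{"time": "2020-12-13T09:00:00", "event_id": 7045, "host": "WS17", "subject": "NT AUTHORITY\\SYSTEM", "service_name": "EdgeUpdate", "image_path": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\update.exe"}
"""

# Assumptions standing in for an organisation's own baseline:
PROVISIONING_ACCOUNTS = {"CORP\\svc-provisioning"}   # only accounts allowed to create users
TRUSTED_SERVICE_DIRS = (                              # where service binaries normally live
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
NEW_ACCOUNT_WINDOW = timedelta(days=7)                # how long an account counts as "new"


def parse_events(text):
    """Parse JSON-lines event records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_suspicious(events):
    """Return one finding per event that matches at least one rule.

    Rules:
      account_created_by_unexpected_subject - 4720 whose creator is not a provisioning account
      untrusted_path                        - 7045 whose binary is outside trusted directories
      new_account_subject                   - 7045 performed by an account created within the window
    """
    findings = []
    created = {}  # target account -> creation time, filled as 4720s stream past in order
    for ev in events:
        reasons = []
        if ev["event_id"] == 4720:
            created[ev["target"]] = ev["time"]
            if ev["subject"] not in PROVISIONING_ACCOUNTS:
                reasons.append("account_created_by_unexpected_subject")
        elif ev["event_id"] == 7045:
            if not ev["image_path"].lower().startswith(TRUSTED_SERVICE_DIRS):
                reasons.append("untrusted_path")
            born = created.get(ev["subject"])
            if born is not None and ev["time"] - born <= NEW_ACCOUNT_WINDOW:
                reasons.append("new_account_subject")
        if reasons:
            findings.append({
                "time": ev["time"].isoformat(),
                "host": ev["host"],
                "event_id": ev["event_id"],
                "subject": ev["subject"],
                "target": ev.get("target"),
                "service_name": ev.get("service_name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Account creations and service installs are routine in any enterprise, so the output is a triage list rather than proof of compromise: the value of the third rule is the correlation (an account that did not exist an hour ago is now installing a service from a temp directory), which is exactly the kind of persistence the article says Microsoft observed surviving removal of the backdoor. Against a real export, the records would come from the domain controllers’ Security logs and member servers’ System logs, and the allowlists from the change-management records of whoever is permitted to create accounts.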

So What Did CISA Say?

CISA ordered all non-military governmental systems running the Orion software to both stop running the software and, critically, disconnect these computers from the rest of the network by noon today. This is simply the first step in a remediation process through which the network administrators seek to restore operations.

But the attacker’s ability to ingrain itself in the network further amplifies the problem faced by those rebuilding the networks. If the SAML (a protocol for federated authentication) or Active Directory (a tool for managing a Windows network) server is affected, there is now the significant possibility that the attacker used the initial compromise to spread throughout the entire network.

This means more than a few networks are going to have to take drastic measures. To quote the movie Aliens: “Take off and nuke the entire site from orbit—it’s the only way to be sure.” That is, they will need to start from scratch by reinstalling systems and then re-adding authorized users, rather than trying to ensure that all attacker accounts were successfully removed.

So Is This Why My Work Is Down?

If you work in government or in a private industry that has to worry about espionage and can’t do any work because the “network is down,” this is probably why. The systems running Orion are the most important computers for actually getting work done. After all, if they weren’t the important computers, they wouldn’t need the automated monitoring. So disconnecting all the computers that are important enough to need monitoring effectively turns off the entire enterprise.

What Now?

Christmas is now officially cancelled for three groups. The first is for the IT staff working for the perhaps 18,000 SolarWinds customers affected by the breach, who are going to have to spend the next weeks rebuilding their networks an

[…]
