Cybersecurity experts are calling the attack on the SolarWinds Orion network management platform one of the most serious hacks on U.S. government networks and many large company data infrastructures. The attack, revealed in December 2020, had network professionals scrambling to mitigate the effects of the pervasive breach.
The supply chain attack has affected several federal government agencies, including the departments of commerce, energy and homeland security. News of the hack forced major public companies, including Cisco Systems and Microsoft, to ratchet up their network analysis activities to identify and mitigate the anomaly before it could disrupt operations.
Soon after the hack was revealed, SolarWinds announced updates to its Orion platform, which was hacked by malware called Supernova. According to SolarWinds’ investigation, the malware could be deployed by exploiting a vulnerability in the Orion platform. Approximately 18,000 customers were affected by the breach. In response to the SolarWinds hack, affected customers need to deploy the Orion updates and carefully examine all aspects of their networks to identify where the malware might have been launched.
Supernova malware explained
According to a SolarWinds security advisory, “SUPERNOVA is not malicious code. … It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”
The vendor noted that the malware has two components. “The first was a malicious, unsigned webshell .dll ‘app_web_logoimagehandler.ashx.b6031896.dll’ specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code.”
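As an added example (not SolarWinds’ own code or guidance), the following PowerShell check looks for the webshell file name quoted above and lists any DLLs without a valid Authenticode signature under an assumed Orion install path; the install path and the output location are assumptions.

```powershell
# Added example (not SolarWinds' code): review DLLs on an Orion server for the
# SUPERNOVA webshell file name and for files lacking a valid Authenticode
# signature. $OrionRoot is an assumed path; adjust it to the real install.
param(
    [string]$OrionRoot = 'C:\inetpub\SolarWinds'   # assumed Orion web root
)

# File name taken from the SolarWinds advisory quoted above
$KnownBadName = 'app_web_logoimagehandler.ashx.b6031896.dll'

$findings = foreach ($dll in Get-ChildItem -Path $OrionRoot -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $reasons = @()
    if ($dll.Name -ieq $KnownBadName) {
        $reasons += 'matches SUPERNOVA webshell file name'
    }
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, etc. all deserve a look
        $reasons += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'SolarWinds') {
        $reasons += "signed by: $($sig.SignerCertificate.Subject)"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path     = $dll.FullName
            Modified = $dll.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            Reason   = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    # Preserve the list (path, hash, timestamp) for incident response before
    # anything on the host is changed or removed.
    $findings | Export-Csv -Path "$env:TEMP\orion-dll-review.csv" -NoTypeInformation
} else {
    Write-Output "No unsigned or suspicious DLLs found under $OrionRoot"
}
```

ASP.NET compiles page handlers into unsigned app_web_*.dll files under its Temporary ASP.NET Files folders, so an unsigned result is an item to review against the vendor’s advisory and known-good hashes, not by itself proof of compromise.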
Investigators researching the malware attack identified a backdoor called Sunburst, which enabled hackers to receive reports on infected computers. The hackers then used this data to target systems they identified for further exploitation.
Investigators found the backdoor code was similar to another widely used hacking tool called Kazuar. They surmised Kazuar was used in many previous attacks on public and private organizations and may have been a trigger to launch the previously dormant malware residing in target systems.
Lessons learned and next steps
The Orion platform is popular and used worldwide, which made it a clear target for highly experienced hackers. Among the lessons learned from the SolarWinds hack is that security and network management software is not immune to compromise and should itself be considered a potential cyber attack entry point.
Another lesson is to maintain a high level of diligence across all elements of a network infrastructure, particularly the perimeter. The acquisition and use of powerful anomaly detection software is also an essential activity and a savvy investment.
So, what else can network and security teams do now and in the future in response to the SolarWinds hack? Both teams need to be aware of this event and prepared for other incidents, so let’s consider a checklist of items. Collaboration between the two teams is essential for preventing and mitigating future attacks.
1. Computers are vulnerable to attacks. Regardless of the proactive measures taken to identify, prevent and mitigate cyber attacks, IT infrastructures are still at risk. The optimum network and security postures assume an attack will occur, while still making every possible effort to prevent it.
2. Security is a cornerstone of corporate culture. Security of networks and information systems begins at the top. Senior management must understand the importance of information security, endorse and support it, and drive that message throughout the organization.
3. Identify all entry points into the organization, and establish sufficient security. Many entry points are available to experienced and motivated hackers. The use of remote access during the current pandemic has created many additional entry points into an organization’s network and information resources. Ensure that all likely, and unlikely, entry points are identified, suitably protected and regularly monitored for suspicious activity.
4. Network perimeters must be protected aggressively. Make use of firewalls, intrusion detection and prevention systems, and many other services to remove any porosity from corporate and personal networks. Even more importantly, regularly update the rules and other parameters of these specialized systems to ensure they are functioning optimally.
5. Patch regularly, and ensure patches perform as stated. As an example, SolarWinds released several updates to the Orion platform for patching by users. An effective patch management process is essential to keep ahead of malicious actors.
6. Align network security with physical security. These two measures are closer than some organizations may realize and should not be in separate silos. Unauthorized physical access to data centers by rogue employees, for example, could be just as damaging as a malware attack.
7. Incident response plans and protocols must be in place. These strategies govern how an organization responds to the initial discovery of a network security anomaly. They should be documented, periodically reviewed and tested to ensure they will work when needed.
8. Maintain network security and cybersecurity policies and procedures. Policies establish the “what” regarding the provision of security activities. Procedures address the “how” so an organization will have specific actions to take in most events. Review and update these policies and procedures at least annually and especially when any new network or security technology is deployed.
9. Include nontechnology initiatives as part of the security strategy. Cybersecurity insurance is one example of a nontechnology resource to have in the event of an attack. A ransomware attack can affect an organization in multiple ways — such as financial losses — and damage the firm’s competitive position and reputation.
10. Ensure all security and networking protection plans are current, regularly exercised and periodically audited. It’s not enough to simply have emergency plans, such as technology disaster recovery and cybersecurity plans. These important initiatives and their associated documents must be regularly reviewed, updated as needed, and tested and audited at least annually.
In this article, we examined a recent malware attack and its lasting effects. More importantly, we discussed activities that must be in place to ensure network perimeters are secure, information systems and data are secure, and organizations consider network protection and cybersecurity as mission-critical.