Cyber Bytes & Insights – Bite-Sized Cyber Training
The Cyber and Fraud Centre Scotland is delighted to launch a new training series, providing practical, hands-on exercises to boost cyber security readiness. Our Cyber…
In this blog, Cyber Incident Response Manager, Mark Cunningham-Dickie gives his views and advice on the Supply chain compromise of organisations via the System and Network Management tool, SolarWinds Orion suite.
Last week it came to light that FireEye, a giant in the world of Cyber Security and SBRC Cyber Incident Response Partner, had been compromised and some of their custom hacking tools had
been stolen.
There’s a few points to make about this story and how it’s developed. First of all, it goes to show that anyone is susceptible.
FireEye hadn’t been lapse in their own security, it was a complicated compromise that utilises never seen before; Tactics, Techniques and Processes (TTPs).
Mandient/FireEye have done exactly the right thing by being open and honest about their compromise, and have even gone as far as providing Indicators of Compromise (IoC’s) for their custom tools, as well as their compromise, so that others can check to see if the same TTPs have been leveraged against them.
It highlights the importance of the forensic aspect of Cyber Incident Response. In presentations that I have given on the subject, I accept that although Incident Response and Digital Forensics (often referred to as DFIR) go hand in hand, the two have competing priorities. Digital Forensics can take time, but Incident Response is about going through the process to recover an organisation to an operational state. As a result, the two often conflict, and sadly because of financial or reputational interests, recovery often takes precedence over digital forensics and investigation.
Fortunately, FireEye continued to investigate while also having the capacity to recover. Their investigation has identified the route in for the compromise was via a supply chain attack against a very popular and capable system and network management tool called SolarWinds.
This is massive because SolarWinds is used by companies big and small, as well as government and Critical National Infrastructure (CNI) organisations. It acts as the eyes and ears of systems and networks, allows for remote configuration, backup and patching of systems and devices on the
network.
FireEye have provided the Indicators of Compromise (IoC’s) (Source: FireEye’s GitHub) to allow others to check to see if they have been compromised. SolarWinds have provided an update and an advisory (Source: SolarWinds) though (at the time of writing) it is unclear if the method used to compromise them has been fully identified and closed off. They are certainly expecting to release further update in the coming days.
Many of the vulnerability assessment tool companies out there have provided plugin updates to their products to identify if you have been compromised.
If you are unsure if you are affected and you use SolarWinds Orion suite , your best course of action is to isolate the SolarWinds server either by disconnecting it from the network (virtual or physical) or by shutting it down completely.
I would not normally advocate this latter option as you lose data from memory, however in this instance, as so many companies and organisations are going to be affected, there are not enough Cyber Security Professionals or Digital Forensic Investigators/Analysist to go around and we’re still in the isolation phase.
Start checking your firewalls and proxies for data going to any of the following addresses:
or IP addresses:
If you see any of these entries in your historic logs, I’m afraid they are some of the indicators of compromise. If you have the capability, deny list the sites to prevent further loss or compromise and start trying to establish how much, and what, data has been exfiltrated from your organisation.
Unfortunately, identifying who/which accounts accessed the sites is not going to be enough. The malware elevates its permissions within an organisation and uses a global admin account or trusted SAML token to impersonate any member of the organisation. Microsoft have posted some guidance and advice regarding the compromise here and some suitable actions to take, though it mostly relates to ongoing detection and monitoring for anomalous behaviour.
Perform firmware integrity checks across your systems, these are Nation State level threat actors and there has been increased targeting of firmware (specifically UEFI). This, combined with the level of privilege that the threat actors have gained, allows them a level of persistence across systems even if they are re-installed: so check and update firmware as well as patching systems up-to-date.
If you have the capacity or capability, implement or increase monitoring across your IT/IS estate. If you don’t know where to begin, user account behaviour will be the best place to start, for example: unusual access or logins to systems or services, times of access, etc.
Wherever possible, implement multi-factor authentication and increase auditing on accounts that cannot make use of it.
Anyone who utilises an affected version of Solarwinds has potentially been compromised. The extent of which will depend on your environment and setup.
The IoC’s above are not exhaustive. They will be being updated as more analysis is done. Advice may change the more we learn about this.
If you have any concerns or need assistance, the Free SBRC Cyber Incident Response number is 01786 437472.
Below is a list of resources which may be of use: