There have been a lot of headlines about the SolarWinds security breach this week; in this post we break down the main takeaways you need to know about now. The breach, executed through malicious updates to the widely used Orion monitoring product, was part of a large cyberattack against government organizations and enterprise-level businesses.
“Supply chain attacks aren’t common; this software supply chain attack is one of the most potentially damaging ones in recent memory. It’s unprecedented.”
– Jake Williams, SANS Institute
In this post we go over the fresh stats and intel, highlight what makes this cyberattack different, and explain how it is disrupting business as usual. Here’s what you need to know:
1. Russia’s Intelligence Service is Responsible
2. Hackers Bypassed Multi-Factor Authentication (MFA)
According to HelpNetSecurity.com, part of what makes this attack so unprecedented is how advanced it was. We are still waiting for full answers on how the attackers got into SolarWinds’ own systems. What the Volexity report describes is something different: at one of the victim organizations, the same actor bypassed multi-factor authentication on accounts reached through Outlook Web App (OWA). Volexity attributes the bypass to the attacker having obtained the Duo integration secret key from the OWA server and using it to generate a valid Duo session cookie, so the Duo service was never asked to send a second-factor prompt at all.
“Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020.”
Volexity researchers also reported that backdoors, malware implants, and multiple tools enabled the hackers to remain undetected for several years in previous intrusions before returning for a second attack.
As security experts break down the details in the aftermath, they describe sophisticated hackers who “displayed a reasonable level of operational security throughout the attack, taking steps to wipe logs for various services used and to remove evidence of their commands from infected systems.”
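To make the gap concrete, here is an added example (not code from the original post, from Volexity, or from Duo) of the correlation a defender would run: when the second factor is bypassed with a forged session cookie, the OWA front end records a successful login but the MFA provider never records a transaction for it. The two log formats are constructed for the example and do not match real OWA or Duo exports, the “remembered device” lifetime and the 90-second grace window are assumed policy values, and requiring a remembered device to reuse the same source IP is this example’s heuristic rather than Duo behaviour.

```python
"""Flag OWA logins that no MFA record can account for.

Added example, not code from the original post, Volexity or Duo. The log
lines and their pipe-delimited format are constructed for this example and
do not match real OWA or Duo export formats; replace the two parsers with
ones for your own sources.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Assumed policy values: how long a Duo "remembered device" may skip the
# prompt, and how far apart the OWA and Duo timestamps may legitimately drift.
REMEMBER_DEVICE = timedelta(hours=12)
GRACE = timedelta(seconds=90)

# Constructed sample logs: timestamp|user|source IP|event (OWA) and
# timestamp|user|result|factor (Duo authentication log).
OWA_LOG = """\
2020-06-30T08:01:10Z|alice|203.0.113.7|LoginSuccess
2020-06-30T15:22:45Z|alice|203.0.113.7|LoginSuccess
2020-06-30T18:05:00Z|alice|198.51.100.200|LoginSuccess
2020-06-30T23:40:02Z|bob|198.51.100.9|LoginSuccess
2020-07-01T02:15:33Z|carol|192.0.2.44|LoginSuccess
"""
DUO_LOG = """\
2020-06-30T08:01:25Z|alice|success|Duo Push
2020-06-30T23:39:50Z|bob|failure|Duo Push
"""


@dataclass(frozen=True)
class OwaLogin:
    when: datetime
    user: str
    src_ip: str


@dataclass(frozen=True)
class DuoAuth:
    when: datetime
    user: str
    result: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_owa(log: str) -> List[OwaLogin]:
    """Parse the constructed OWA format, keeping only successful logins."""
    out = []
    for line in log.splitlines():
        when, user, ip, event = line.split("|")
        if event == "LoginSuccess":
            out.append(OwaLogin(_ts(when), user, ip))
    return out


def parse_duo(log: str) -> List[DuoAuth]:
    """Parse the constructed Duo authentication-log format."""
    out = []
    for line in log.splitlines():
        when, user, result, _factor = line.split("|")
        out.append(DuoAuth(_ts(when), user, result))
    return out


def find_unverified_logins(owa_log: str, duo_log: str) -> List[OwaLogin]:
    """Return OWA logins that no Duo success can account for.

    A login is "anchored" when a Duo success for the same user lands within
    GRACE of it. A later login by the same user from the same source IP
    within REMEMBER_DEVICE of an anchored login is accepted as a remembered
    device (the same-IP requirement is this example's heuristic, not Duo's
    rule). Everything else is flagged: a forged session cookie produces
    exactly this shape, a successful OWA login with no MFA transaction.
    """
    successes = [a for a in parse_duo(duo_log) if a.result == "success"]
    anchored: List[OwaLogin] = []
    flagged: List[OwaLogin] = []
    for login in sorted(parse_owa(owa_log), key=lambda l: l.when):
        direct = any(
            s.user == login.user and abs(s.when - login.when) <= GRACE
            for s in successes
        )
        if direct:
            anchored.append(login)
            continue
        remembered = any(
            a.user == login.user
            and a.src_ip == login.src_ip
            and timedelta(0) <= login.when - a.when <= REMEMBER_DEVICE
            for a in anchored
        )
        if not remembered:
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    for login in find_unverified_logins(OWA_LOG, DUO_LOG):
        print(f"{login.when:%Y-%m-%dT%H:%M:%SZ} {login.user} "
              f"from {login.src_ip}: no MFA record")
```

Against the constructed sample, alice’s morning login is backed by a Duo push and her afternoon login from the same address falls inside the remembered-device window, while her evening login from a new address, bob’s login that followed a failed push, and carol’s login with no Duo record at all are flagged. On real exports, the rows worth escalating are the ones where the web front end recorded a session but the MFA service has no transaction of any kind; a failed push followed by a successful login, as with bob, deserves its own alert.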
3. Microsoft is Acting Fast
Microsoft Defender Antivirus has started blocking and quarantining the known malicious SolarWinds Orion binaries, and it does so even if the Orion process is running. The practical consequence is that an affected Orion server can stop working the moment the binary is quarantined, so plan to treat that host as compromised and isolate it for investigation rather than adding an exclusion to keep monitoring up. Earlier this week, Microsoft tweeted an announcement:
“We’re making some updates to detections we released to alert customers about the presence of compromised binaries related to SolarWinds Orion Platform. Starting December 16 at 8:00AM PST, Microsoft Defender Antivirus will block these malicious binaries.”
Microsoft has published its official response on its security blog. Microsoft went on the offensive this week: alongside blocking the binaries in Windows, its legal team worked with FireEye and GoDaddy to take control of the command-and-control domain the backdoor contacts and turn it into a kill switch that disables the implant on machines still beaconing to it. That cuts off the original backdoor, but it does not remove the attackers from networks where they have already moved on to other tooling.
While we are still learning the full scope of the breach, the SolarWinds supply chain attack is already one of the most significant in modern memory. According to SolarWinds, Microsoft, FireEye, and the Cybersecurity and Infrastructure Security Agency (CISA), the hackers compromised a server used to build updates for the SolarWinds Orion Platform, a product used for IT infrastructure management, and used that build server to inject backdoor malware into the updates. Because the backdoor was inserted during the build, the tampered updates carried SolarWinds’ own valid code-signing signature and reached customers through the normal update channel, which is why a valid signature on an update cannot by itself be taken as proof that the update is clean.
Assessing your monitoring strategy?
Take the Monitoring Maturity Assessment
At MicroAge, we understand how your monitoring approach can impact business operations and IT productivity. Learn about our Monitoring Maturity Assessment and services, or connect with a Services expert.