
There have been a lot of headlines about the SolarWinds security breach this week, and in this post we break down the main takeaways you need to know about now. The breach, executed through malicious updates to SolarWinds' widely used Orion monitoring product, was part of a large cyberattack on government organizations and enterprise-level businesses.

“Supply chain attacks aren’t common; this software supply chain attack is one of the most potentially damaging ones in recent memory. It’s unprecedented.”

– Jake Williams, SANS Institute

In this cybersecurity post we go over the latest stats and intel, highlight what makes this attack different, and look at how it is disrupting business as usual. Here’s what you need to know:

1. Russia’s Intelligence Service is Responsible


The Washington Post broke the news this week that Russian government hackers known as APT29 or Cozy Bear (part of that nation’s foreign intelligence service) breached the Treasury and Commerce departments along with a slew of other U.S. government agencies.

Government officials rushed to assess the extent of the breach and put defensive countermeasures in place, but found that the intrusion was both severe and long-running.

The breach is still being investigated by the FBI. Victims include government agencies, consulting firms, oil and gas companies and, of course, technology and telecom companies. The attack may have started as early as the spring.

Even though APT29 (Cozy Bear) was already known for intrusions into U.S. government networks during the Obama administration, the Russian Embassy in Washington labeled reports of Russian involvement “baseless”. In a Facebook post, the embassy stated that “Russia does not conduct offensive operations” in “the information space” and that such operations contradict Russian foreign policy and national interests.

The attackers reached all of these organizations the same way: through a trojanized update to the SolarWinds Orion network management platform, delivered from SolarWinds’ own update servers.

2. Hackers Bypassed Multi-Factor Authentication (MFA)


According to HelpNetSecurity.com, part of what makes this attack so unprecedented is how advanced it was. We are still waiting for answers on how the attackers got into SolarWinds’ own systems. What has been documented, in a report from Volexity, is how the same actor (which Volexity tracks as Dark Halo) moved inside a victim organization: it bypassed Duo multi-factor authentication protecting Microsoft Outlook Web App in order to read a user’s mailbox.

“Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020.”

Volexity researchers found that in earlier intrusions at the same organization, backdoors, malware implants and a mix of other tools let the attackers persist undetected for years before they returned for a fresh round of access.

As security experts break down the details in the aftermath, they describe sophisticated attackers who “displayed a reasonable level of operational security throughout the attack, taking steps to wipe logs for various services used and to remove evidence of their commands from infected systems.”

3. Microsoft is Acting Fast

Microsoft Defender Antivirus has started blocking and quarantining the known malicious SolarWinds binaries, whether or not the process is running. Earlier this week, Microsoft tweeted an announcement:

“We’re making some updates to detections we released to alert customers about the presence of compromised binaries related to SolarWinds Orion Platform. Starting December 16 at 8:00AM PST, Microsoft Defender Antivirus will block these malicious binaries.”

Microsoft has also published an official response. It took significant steps against the SolarWinds supply chain attack this week: over four days it combined Windows Defender detections with action by its legal team to disrupt the infrastructure of some of the most advanced bad actors in the business.

While we are still learning the full scope of the breach, the SolarWinds supply chain attack is already one of the most significant in modern memory. According to SolarWinds, Microsoft, FireEye and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers compromised a server used to build updates for the SolarWinds Orion Platform, a product used for IT infrastructure management, and used that build server to inject backdoor malware into the updates. Because the backdoor was compiled in before signing, the malicious updates carried SolarWinds’ legitimate code signature, so a valid vendor signature alone was not enough to tell a clean build from a trojanized one; that is why published file hashes of the known-bad binaries matter so much for detection.
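The triage check that follows from this is to hash the Orion binaries on each host and compare them against two lists: the hashes the vendor publishes for clean builds, and the indicator hashes published by Microsoft, FireEye and CISA for the trojanized ones. The script below is an added example written for this post, not code from SolarWinds, Microsoft or any of the cited reports. The file contents, paths and hashes in its demo are constructed for illustration and are not real SUNBURST indicators; in practice the two sets would be loaded from the vendor manifest and the published IOC lists.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large binaries in 1 MiB chunks


def sha256_file(path):
    """Return the hex SHA-256 of a file without loading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_tree(root, known_good, known_bad, patterns=("*.dll", "*.exe")):
    """Hash every matching file under root and label it.

    known_good: hashes published by the vendor for clean builds (allowlist)
    known_bad:  hashes published as indicators of compromise (blocklist)
    A blocklist hit wins over an allowlist hit, and anything on neither list
    is reported as 'unknown' so it gets triaged rather than silently trusted.
    """
    root = Path(root)
    results = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            digest = sha256_file(path)
            if digest in known_bad:
                verdict = "known-bad"
            elif digest in known_good:
                verdict = "known-good"
            else:
                verdict = "unknown"
            results[path.relative_to(root).as_posix()] = (verdict, digest)
    return results


def demo():
    """Constructed scenario: a clean DLL on host-a, a trojanized DLL with the
    same file name on host-b, and one binary on neither list. The bytes and
    the resulting hashes are made up for this example; they are not real
    SolarWinds or SUNBURST indicators."""
    clean = b"ORION CORE BUSINESS LAYER v2019.4 (constructed clean build)"
    trojaned = clean + b"\n<constructed backdoor stub inserted at build time>"
    known_good = {hashlib.sha256(clean).hexdigest()}
    known_bad = {hashlib.sha256(trojaned).hexdigest()}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "host-a" / "Orion").mkdir(parents=True)
        (root / "host-b" / "Orion").mkdir(parents=True)
        (root / "host-a" / "Orion" / "BusinessLayer.dll").write_bytes(clean)
        (root / "host-b" / "Orion" / "BusinessLayer.dll").write_bytes(trojaned)
        (root / "host-b" / "Orion" / "Collector.exe").write_bytes(b"unrelated tool")
        return classify_tree(root, known_good, known_bad)


if __name__ == "__main__":
    for rel_path, (verdict, digest) in demo().items():
        print(f"{verdict:10s} {digest[:16]}...  {rel_path}")
```

Run against a mounted disk image or an agent-collected copy of the Orion install directory, the "unknown" bucket is the one worth attention: it catches builds that are neither on the vendor's clean list nor yet on anyone's IOC list, which is exactly where a freshly trojanized update would land before indicators are published.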


At MicroAge, we understand how your monitoring approach can affect business operations and IT productivity. Learn about our Monitoring Maturity Assessment and services, or connect with a Services expert.

©2021 MicroAge. All Rights Reserved.