SolarWinds Breach in a nutshell

eKRAAL Innovation Hub
Jan 8, 2021


A supply chain attack affecting SolarWinds MSP's remote monitoring and management tool allowed security researchers to steal the administrative credentials of an account holder, according to Huntress Labs.

SolarWinds is a software company based in the United States that helps businesses maintain their networks, systems, and information technology infrastructure by offering a range of products.

The beginning

On 13th December 2020, the company acknowledged that a breach had occurred affecting one of its products, Orion. The affected Orion builds, released between March 2020 and June 2020, are used by private businesses and government organizations to monitor networks for outages. Government organizations using Orion include the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic and Atmospheric Administration, the Department of Justice, and the Office of the President of the United States. SolarWinds said it had been advised that the hack was carried out by an outside nation; many allege it could be the Russian group APT29. The Russian government, through its foreign ministry, has denied the allegations.

SolarWinds Orion is a network monitoring and management tool that is widely used to understand and control the complexity of heterogeneous environments. It needs broad and privileged access to function properly, which makes it an attractive vehicle for gaining access to many environments.

It is believed the hack can be traced back to March 2020, when Orion users received a software update injected with malicious code. The hackers gained remote access and could view the private data of up to 18,000 users who had installed the update.

A security researcher, Vinoth Kumar, had reached out to the company in November 2019 to inform them that SolarWinds servers could be accessed using the password "solarwinds123". The credential was in the company's GitHub repository, which had been publicly accessible since 17th June 2018. The researcher recently posted this information on his Twitter page, dating it back to 11th November 2019.
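A credential like "solarwinds123" sitting in a repository is exactly what a secret scan run before each push is meant to catch. The scanner below is an added example written for this article, not SolarWinds' own tooling; its sample repository contents, the regular expressions and the placeholder list are constructed for illustration and would need tuning against a real code base.

```python
"""Scan text files for credentials committed to source control.

Added example for this article; not SolarWinds' tooling. The sample files
below are constructed, and the patterns are heuristics that need tuning.
"""
import re

# Constructed sample "repository": path -> file contents.
SAMPLE_REPO = {
    "deploy/config.ini": "host = files.example.internal\nuser = deploy\npassword = solarwinds123\n",
    "scripts/sync.sh": "#!/bin/sh\ncurl ftp://deploy:hunter2@files.example.internal/releases/\n",
    "README.md": "Set PASSWORD via the environment; never commit it.\n",
    "app/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# Heuristic patterns (assumption: secrets appear as keyword assignments or
# embedded in URLs). The last capture group of each pattern is the secret value.
PATTERNS = [
    ("keyword assignment",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]?([^\s'"]{4,})""")),
    ("credential in URL",
     re.compile(r"""\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s/@]+)@""", re.I)),
]

# Values that reference a variable or placeholder rather than a literal secret.
PLACEHOLDER = re.compile(r"^(os\.environ|\$\{?|<|\{\{|xxx|changeme)", re.I)


def mask(value):
    """Keep the first two characters so a finding can be recognised without leaking it."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            if PLACEHOLDER.match(value):
                continue  # reads from the environment or is a template placeholder
            findings.append({"path": path, "line": lineno, "type": label, "value": mask(value)})
    return findings


def scan_repo(files):
    """Scan every file in a path -> contents mapping, in a stable order."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['type']}: {f['value']}")
```

Wired into a pre-commit hook, a scanner like this stops the commit that introduces the literal; the `PLACEHOLDER` filter keeps it from flagging the correct pattern of reading the secret from the environment.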

In October 2019, Huntress Labs, a security vendor, reported to SolarWinds a zero-day vulnerability in SolarWinds MSP's remote monitoring and management (RMM) tool that allowed access to an account holder's credentials. The flaw was not announced until January 2020, however, and had been open for nearly three months. When questioned about the Huntress Labs report, SolarWinds said that no proof of concept was available and that the exploit could not be used to compromise any accounts. The company added that it had released a hotfix to mitigate the flaw.

How did it happen?

According to Kevin Mandia, CEO of FireEye, once the hackers had inserted malicious code into a legitimate Orion software update, they were granted remote access. They observed an organization's network activity, gathered intelligence, consistently covered their tracks to avoid detection, and hid within legitimate configuration files, blending with genuine SolarWinds activity and making identification difficult.

FireEye, a cybersecurity company, was one of the companies affected by the hack. The company said that, after going through thousands of lines of code, it established that the hack occurred through a backdoor within the SolarWinds Orion software. The hackers stole sensitive tools FireEye uses to find vulnerabilities in clients' computer networks. FireEye's public statement that it had been hacked is considered the discovery of the SolarWinds breach.

The hackers used command and control (CnC) servers whose hostnames matched authorized hostnames within a victim's environment, allowing them to blend in without raising suspicion or triggering detection. They used IP addresses originating from the same country as the victim, perhaps via VPNs, so that their traffic appeared legitimate. After gaining access to a network, the next step was lateral movement using credentials different from those used for the initial remote access. With administrative rights, the hackers forged SAML tokens to impersonate users and accounts, including privileged accounts, on the on-premises Orion installation. Once they had added customized credentials to the application, this enabled them to call APIs with the permissions assigned to the Orion software; finally, they pushed the trojanized software update to customers.
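Forged SAML tokens are hard to spot at the service provider because they carry a valid signature from the stolen signing key; one practical detection is to correlate the assertions presented to the service provider with the identity provider's own issuance records, and to flag assertions whose lifetime exceeds what the identity provider is configured to issue. The script below is an added example written for this article, not FireEye's or SolarWinds' code; the JSON log lines, their field names and the one-hour lifetime policy are constructed assumptions, and real IdP and SP logs need their own field mapping.

```python
"""Flag possible forged SAML tokens by correlating service-provider (SP) sign-ins
with identity-provider (IdP) issuance records.

Added example for this article; not SolarWinds or FireEye code. Log format,
field names and the lifetime policy are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed IdP issuance log: one record per assertion the IdP actually signed.
IDP_ISSUANCE_LOG = """
{"event": "saml_issued", "assertion_id": "_a1", "user": "alice@corp.example", "issued_at": "2020-12-01T09:00:00Z", "expires_at": "2020-12-01T10:00:00Z"}
{"event": "saml_issued", "assertion_id": "_a2", "user": "bob@corp.example", "issued_at": "2020-12-01T09:05:00Z", "expires_at": "2020-12-01T10:05:00Z"}
"""

# Constructed SP sign-in log: the assertion each sign-in presented, with the
# validity window copied from the assertion itself.
SP_SIGNIN_LOG = """
{"event": "saml_signin", "assertion_id": "_a1", "user": "alice@corp.example", "issued_at": "2020-12-01T09:00:00Z", "expires_at": "2020-12-01T10:00:00Z", "src_ip": "198.51.100.10"}
{"event": "saml_signin", "assertion_id": "_a2", "user": "bob@corp.example", "issued_at": "2020-12-01T09:05:00Z", "expires_at": "2020-12-01T10:05:00Z", "src_ip": "198.51.100.11"}
{"event": "saml_signin", "assertion_id": "_zz9", "user": "svc-admin@corp.example", "issued_at": "2020-12-01T09:10:00Z", "expires_at": "2020-12-08T09:10:00Z", "src_ip": "203.0.113.5"}
"""

# Assumed policy: the IdP never issues assertions valid for longer than this.
MAX_LIFETIME = timedelta(hours=1)


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_signins(idp_text, sp_text, max_lifetime=MAX_LIFETIME):
    """Return SP sign-ins whose assertion the IdP never issued, whose user does
    not match the issuance record, or whose lifetime exceeds policy."""
    issued = {r["assertion_id"]: r for r in parse_log(idp_text) if r["event"] == "saml_issued"}
    findings = []
    for rec in parse_log(sp_text):
        if rec["event"] != "saml_signin":
            continue
        reasons = []
        origin = issued.get(rec["assertion_id"])
        if origin is None:
            reasons.append("no IdP issuance record")
        elif origin["user"] != rec["user"]:
            reasons.append("user differs from issuance record")
        lifetime = _ts(rec["expires_at"]) - _ts(rec["issued_at"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": rec["assertion_id"], "user": rec["user"],
                             "src_ip": rec["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_signins(IDP_ISSUANCE_LOG, SP_SIGNIN_LOG):
        print(f"ALERT {f['assertion_id']} {f['user']} from {f['src_ip']}: {'; '.join(f['reasons'])}")
```

The correlation only works if the IdP's issuance log is shipped to a store the attacker cannot edit with the same administrative rights used to forge the tokens, so the logging pipeline itself has to be part of the design.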

The hack affected SolarWinds' Microsoft Office 365 email, providing access to data in the company's productivity tools. SolarWinds is likely to face legal action over the breach from its customers in both the private and public sectors. On 13th December 2020, the U.S. government ordered all federal agencies to shut down all SolarWinds Orion products, as the exploit was still active.

SolarWinds' stock has since fallen by 17% as a result of the espionage attack.

What makes a vulnerability a zero-day?

The term "zero-day" refers to a newly discovered software vulnerability. Because the developer has only just learned of the flaw, no official patch or update to fix the issue has been released.

So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers.

Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.

But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That’s known as a zero-day attack.

What to do if attacked?

Follow this security checklist to help keep your information protected from the security risks associated with zero-day vulnerabilities:

  • Keep software and security patches up to date by downloading the latest software releases and updates. Installing security patches fixes bugs that the previous version may have missed.
  • Establish safe and effective personal online security habits.
  • Configure security settings for your operating system, internet browser, and security software.
  • Install proactive and comprehensive security software to help block known and unknown threats.

In Kenya, cybercrime incidents can be reported remotely to the National KE-CIRT/CC through incidents@ke-cirt.go.ke.

For more information on reporting a cyber-incident or a vulnerability visit: The National KE-CIRT/CC website.

This article was written by:

  • Eddah Murrey, an enthusiastic cybersecurity researcher and trainer. She is an esteemed Cisco Netacad instructor, passionate about network security monitoring. In collaboration with the Commonwealth of Learning, she has developed content acquainting teachers and teacher-educators with cybersecurity. She is a volunteer and member of the SheHacks_KE community, where she gives back by sharing knowledge on cybersecurity.

Follow her: Twitter: dabbol_d; LinkedIn: Eddah Murrey

  • Salome Njoki, an avid cybersecurity researcher focused on threat hunting, cybersecurity incident response and SIEM, business continuity, disaster recovery, and crisis/emergency management. She has consulted for and trained companies and SACCOs in Kenya and Nigeria. She was a co-author of the Africa Cybersecurity Report 2018 and 2019.

Follow her: Facebook: Sal Njoki; Twitter: Sal_Njoki; LinkedIn: Sal Njoki
