As everyone was winding down for the festive break, we thought the FireEye incident would be the last major breach of 2020. Then it emerged that FireEye was only one casualty of what is likely the largest nation-state supply chain attack seen to date: trojanized updates to SolarWinds’ Orion network management software, attributed to a nation-state adversary.
The fallout affects thousands of organizations worldwide, including U.S. federal agencies as significant as the Treasury Department and the Pentagon. Details of this sophisticated intrusion are still emerging day by day, and the list of those affected keeps growing.
Is Your Data at Risk from the SolarWinds Hack?
Thankfully, not every SolarWinds customer is exposed. Only users of the Orion platform are affected, and specifically those who installed one of the trojanized Orion updates released between March and June 2020. SolarWinds estimates that up to 18,000 customers may have installed one.
Even if your organization installed an affected version, it is ‘unlikely’ that you have been actively hacked…yet. This is a sophisticated nation-state group with untold resources, and the evidence so far suggests it went after high-value targets first (federal agencies, Deloitte and the like) and is working its way down a long list. Having the backdoor installed and having the attackers actually use it against you are two different things, and you cannot tell them apart without looking.
Regardless, you still need to assume your organization has been compromised and take all appropriate steps to limit exposure.
What steps should you take to minimize the impact?
The Cybersecurity and Infrastructure Security Agency (CISA) has advised all SolarWinds customers with the installed malicious updates to act as if their systems have been compromised.
Because the attackers can use the Orion backdoor to establish further footholds inside the network, simply disconnecting the network management program is not enough.
- Immediately patch Orion to a secure version.
  - SolarWinds has published the affected version numbers (2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1) and the fixed releases (2019.4 HF 6 and 2020.2.1 HF 2), so check which versions your organization has run at any point, not just the one installed today.
  - Keep monitoring SolarWinds’ frequently updated Security Advisory and FAQ.
- Start cleaning out your systems.
  - This is no easy task: the trojanized updates date back to March 2020, so be prepared to review 6 to 9 months of both system and network logs for suspicious activity, starting with the Orion servers themselves and the privileged credentials they hold.
  - A threat hunting company with the requisite expertise can assist here, because these attackers hide their tracks very well.
  - Work from the assumption that the attackers have been inside your environment for months without being discovered.
- Have proactive and open discussions with your other suppliers.
  - Even if you are not running SolarWinds, or never installed the affected update, a third party or vendor to your organization that runs this software might be affected.
  - If that vendor has access to your network or systems, your organization could be attacked through that connection.
  - Implement (or improve) a third-party risk management program with particular focus on vendor access of any kind.
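As an added illustration of two of the checks above (working out which Orion versions you have run, and hunting your logs for signs of the backdoor), here is a small Python script. It is not code from the original post or from SolarWinds. The affected and fixed version lists are taken from SolarWinds’ December 2020 advisory and the command-and-control domain from FireEye’s public SUNBURST analysis; the version history and DNS log lines are constructed for the example, and the whitespace-separated log format is an assumption you will need to adapt to your own resolver.

```python
import re

# Orion Platform versions SolarWinds listed as carrying the trojanised DLL
# (SolarWinds security advisory, December 2020). Re-check this list against
# the current advisory before relying on it: it is a snapshot, not the source.
AFFECTED_VERSIONS = {
    ("2019.4", 5),   # 2019.4 HF 5
    ("2020.2", 0),   # 2020.2 with no hotfix installed
    ("2020.2", 1),   # 2020.2 HF 1
}

# Accepts the spellings seen in practice: "2020.2 HF 1", "2020.2 HF1",
# "2019.4 hf5", "2020.2.1", "2020.2.1 HF 2".
_VERSION_RE = re.compile(
    r"^\s*(\d{4}\.\d+(?:\.\d+)?)\s*(?:hf\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text):
    """Normalise an Orion version string to (base, hotfix); hotfix 0 means none."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return (match.group(1), int(match.group(2) or 0))


def is_affected(version_text):
    """True if this exact version is one SolarWinds listed as trojanised."""
    return parse_orion_version(version_text) in AFFECTED_VERSIONS


def affected_versions_in_history(version_history):
    """Given every version an Orion server has run (for example from its
    install logs), return the trojanised ones. A clean version today does
    not prove the server never ran a bad one, so check the whole history."""
    return [v for v in version_history if is_affected(v)]


# The SUNBURST backdoor resolved subdomains of avsvmcloud.com for its first
# stage of command and control (FireEye's public analysis). Any lookup of
# that domain from inside your network is worth investigating.
SUNBURST_C2_DOMAIN = "avsvmcloud.com"


def find_c2_lookups(dns_log_lines):
    """Return the log lines containing a query for the SUNBURST C2 domain or
    any of its subdomains. Assumes a whitespace-separated log format with the
    queried name as one field (assumption); adapt to your resolver's format."""
    hits = []
    for line in dns_log_lines:
        for field in line.split():
            name = field.rstrip(".").lower()
            if name == SUNBURST_C2_DOMAIN or name.endswith("." + SUNBURST_C2_DOMAIN):
                hits.append(line)
                break
    return hits


# Constructed sample data for this example (not real install history or logs).
SAMPLE_VERSION_HISTORY = ["2019.4 HF 4", "2019.4 HF 5", "2020.2 HF1", "2020.2.1 HF 2"]
SAMPLE_DNS_LOG = [
    "2020-06-12T03:14:07Z orion-01 query: downloads.solarwinds.com A",
    "2020-06-12T03:15:31Z orion-01 query: k1ge2h4gh5gg3e4d.appsync-api.eu-west-1.avsvmcloud.com A",
    "2020-06-12T03:16:02Z ws-042 query: login.microsoftonline.com A",
]

if __name__ == "__main__":
    print("trojanised versions run:", affected_versions_in_history(SAMPLE_VERSION_HISTORY))
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

The version check deliberately matches exact versions rather than a numeric range, because the hotfix numbering is not monotonic across the affected and fixed releases (2020.2 HF 1 is affected, 2020.2.1 HF 2 is the fix). The DNS scan matches the parent domain and every subdomain, since the backdoor generated a unique subdomain per victim.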
NeuraLegion’s CTO and Co-Founder Bar Hofesh and our President and CCO Gadi Bashvitz joined a panel discussion with Dan Ives of Wedbush Securities to discuss the hack. We are seeing a continued increase in attacks from both nation states and other hackers. It is obvious that the measures taken by most organizations today don’t suffice to prevent these attacks. As Zuk Avraham said on the call, organizations have to implement the ounce of prevention and not rely on the pound of cure (WAFs etc). Benny Lakunishok and Bar Hofesh added that Zero Trust Networks and Application Security Testing as part of the development process are becoming a must. “It was a pleasure to be invited to participate in this panel hosted by Wedbush Securities, to help organizations that were impacted and try to help others to prevent future attacks”, said Bashvitz following the discussion.
Checking your Supply Chain Web & API Application Security
There is currently no specific evidence that the SolarWinds hack involved exploiting a web application vulnerability, but it remains a possibility, especially where APIs are exposed.
What the attackers did achieve was getting their code into SolarWinds’ signed Orion updates. Upload or administrative access of that kind is exactly what a vulnerable admin panel or an exposed API can hand an attacker, and a weak point in one application can be used to reach the other applications it connects to. It is therefore imperative to test not only your own products but also any and all third-party products that touch your environment.
NeuraLegion’s NexDAST is a dynamic application security testing (DAST) solution that should be part of your toolset to detect and remediate vulnerabilities across your applications and APIs and mitigate this risk. Contact us now to learn more and request a demo.