SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know

On December 8th, all of us learned of the breach at FireEye that may have exposed some of their Red Team testing tools to unauthorized adversaries. Since then, we have watched for news of the breach to better understand the potential impact, and to determine if the exposure of FireEye’s tools might introduce additional threat vectors to our environments.

As has been published over the last few days, the exposure at FireEye was the result of a coordinated, potentially global campaign that allegedly targeted specific corporations and US Federal Government agencies through SolarWinds software offerings, and potentially through other avenues that have yet to be discovered. According to public news reports, of the more than 300,000 clients using SolarWinds software, SolarWinds believes that over 18,000 companies and agencies might have been impacted by the breach of its environment and the addition of a trojan to its software.

The breach resulted in the deployment of a trojanized version of the SolarWinds software to its clients, allowing adversaries to perform secondary attacks on those environments and to drop additional malicious payloads for current or future use. While we all wait for more public reporting on the techniques, tools and vectors used in the various attacks, and on any additional malware that may have been deployed in target environments, we must prepare for impacts to our own environments from this breach or from similar breaches in the future.

While AccessIT Group cannot speculate on the security capabilities of the environments that have been publicly reported, we can offer some advice based on what we have seen in many technology environments. As such, we’ve developed a few recommendations for organizations that are concerned about this specific attack or future similar attacks:

• Evaluate your ability to determine whether adversaries are moving within your network. Many organizations have capabilities at the perimeter, but lack visibility once an attacker is past those defenses.
• Determine whether your visibility of activity extends to the cloud and to mobile devices.
• Assess your ability to respond rapidly to similar incidents and to disconnect potentially critical administrative systems from your environment.
• Review your technology asset list to determine whether it is comprehensive and accurate.
• Identify all privileged access used by administrative systems, and determine whether a single instance of malicious software would expose a significant portion of your network to adversarial action.
• Implement or reinforce your security controls around administrative systems that may be critical targets for malicious actors, and around development systems that may be jumping-off points into your extended environment.
• Emphasize security awareness with your employees, including the social engineering techniques attackers use, and validate the confirmation steps that should exist for processes initiated through communication with third parties.
• Update security detection technologies and policies to look for anomalous behavior by authorized accounts and for abnormal usage of networks and servers, e.g. excessive bandwidth usage or high volumes of connections.

In the short term, AccessIT Group’s Cloud Security and Risk Management practices can assist you with these efforts by:

• Implementing or expanding your technology deployments to extend security coverage and control in your environment,
• Evaluating internal threat vectors that might have been, or might be, leveraged by external actors that have bypassed your internal defenses, and
• Enhancing your cloud security controls through the use of native and third-party technologies.

In the longer term, AccessIT Group can also help you:

• Develop or test incident response and recovery plans and practices,
• Define your target state for your security team’s organizational structure and technology controls, and
• Implement leading practices and technologies to enhance the defense of your critical technology infrastructure.

As a trusted advisor for all things security, AccessIT Group is here to assist you. There are a variety of security measures that our team of certified professionals can help you with to secure your environment. If we can assist in responding to this or any other attack, please reach out to me or any member of our team.

Jim Bearce
Vice President, Professional Services
AccessIT Group, Inc.