As we move towards ‘secure’, integrated, easily accessible and fast-flowing data on demand, the opportunity to exploit that data increases. The more accessible the data, the more it is at risk.
In December 2020, Microsoft and the cybersecurity firm FireEye reported that around 18000 organisations had been hacked. Luckily it was not more, given that SolarWinds has many more customers than that. To put this in perspective, the affected organisations included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide. The Pentagon of all places! I am sure they have cyber security solutions in place that are rather more robust than the out-of-the-box antivirus software you get when buying a new PC or laptop at the local store.
How did it happen?
The organisations had a relationship, either direct or through their supply chain, with the SolarWinds Orion IT system management platform. Further, “[The] attacker has been able to add a malicious, unauthorised modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation. This modification:
There is evidence of the attacker using this capability in some cases to move from a single Orion server to other parts of the victim’s IT network.” (Dealing with the SolarWinds Orion compromise, 2021)
The attack was a prolonged and progressive APT. Advanced Persistent Threats (APTs) are threats that break into a system, establish persistence and lurk undetected for a period of time. In this case the attackers used malware called Sunburst, also known as Solorigate. Over several months they conducted small probing tests, such as changing SolarWinds code, and exploited the trust relationship SolarWinds had with its customers through its software updates. This, combined with loopholes in the supply chain, easy access through Single Sign-On (SSO) systems and the bypassing of multi-factor authentication (MFA), allowed the attackers to methodically implant malware without setting off alarms.
Loopholes in the Supply Chain
“Attackers gained access to the SolarWinds development process and injected malware, gaining access to the core network and the ability to launch multiple attacks. When SolarWinds customers received notifications of a software update sent by the company, they trusted it, which then allowed attackers to gain access to thousands of systems. As soon as the infected software was launched, a Command and Control (C2) channel was quickly established and became the launchpad for more attacks.” (Engle, 2021).
Something for organisations to consider when implementing staff cyber awareness training programmes is how to identify the origin of genuine emails, software updates and so on. IT and cyber departments could, for example, coordinate synchronised workforce updates as a simple measure to help staff identify legitimate updates. Zero trust security models could also be applied not only to devices but to account permissions.
Easy access through Single Sign-On (SSO) Systems
SSOs allow organisations to protect many systems with one username and password. “Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. Anomalous logins using the SAML tokens can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate.” (Engle, 2021).
I find it challenging to come to a conclusion on the subject of SSO. On one hand there is the productivity, efficiency and convenience of logging in once and having access to all the relevant applications of an organisation; the negative is that only one login needs to be defeated to give access to all of them. On the other hand, given that today we have password managers to help us remember the thousands of login details for email, banking, subscriptions, software accounts and so on, a hacker only needs to target the password manager and defeat it to have access to your entire life. I am sure that, as I write this, there are a number of people I know who keep lists of all their login details: in a diary, in a note on an iPhone, in a digital sticky note on their computer, or on a physical sticky note on the underside of their workstation. Such is the discipline required to avoid reusing passwords. The UK NCSC has provided guidance on password policy administration for system owners.
Bypassing the Multifactor Authentication (MFA) System
“FireEye noticed that hackers gained access to the organization’s email servers with a username and password and they had bypassed the MFA system. FireEye shouldn’t have relied on just the MFA system to protect their email servers, but rather required proof of the user with biometrics.” (Engle, 2021).
What is interesting is that 2FA/MFA is widely used and considered secure. The hackers leveraged a vulnerability in the organisation’s Microsoft Exchange Control Panel, used a novel technique to bypass MFA from Cisco-owned Duo Security, and then accessed emails. Volexity, a U.S.-based cybersecurity company affected by the attack, was able to determine:
“Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA [(Outlook Web App)] server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid,” Volexity explained. “Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie.
After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account.
Volexity has clarified that the method did not involve exploitation of a vulnerability in the Duo product. The attack was possible due to the victim’s failure to change all secrets associated with key integrations after the breach was discovered.” (Kovacs, 2020)
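The tell-tale sign in the Volexity account is a mismatch between two logs: the mail server accepted the login as MFA-complete, while the MFA provider never saw an authentication attempt. The following is an added detection example (not code from the original post or from Volexity, Duo or Microsoft) that correlates the two; the log layouts and sample entries are constructed for the example.

```python
"""Flag relying-party (OWA) logins marked MFA-satisfied that have no matching
successful authentication in the MFA provider's (Duo) own log.
Log formats and sample entries below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample: Exchange/OWA sign-in log, one record per login.
OWA_LOGINS = [
    {"time": "2020-06-01T09:00:05", "user": "alice", "mfa": "satisfied", "src": "10.0.0.5"},
    {"time": "2020-06-01T09:12:40", "user": "bob",   "mfa": "satisfied", "src": "10.0.0.9"},
    # Off-hours login from an external address: OWA says MFA passed...
    {"time": "2020-06-01T23:41:02", "user": "alice", "mfa": "satisfied", "src": "198.51.100.7"},
]

# Constructed sample: what the Duo authentication server actually recorded.
# Note there is no entry at all near 23:41 for alice.
DUO_AUTHS = [
    {"time": "2020-06-01T09:00:01", "user": "alice", "result": "success"},
    {"time": "2020-06-01T09:12:37", "user": "bob",   "result": "success"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_unbacked_mfa_logins(owa_logins, duo_auths, window_s=120):
    """Return OWA logins that claim MFA success but have no successful Duo
    authentication for the same user within window_s seconds beforehand.
    A hit means the second factor was satisfied by something the MFA
    provider never issued, e.g. a cookie derived from a leaked integration key."""
    window = timedelta(seconds=window_s)
    suspicious = []
    for login in owa_logins:
        if login["mfa"] != "satisfied":
            continue
        t = _ts(login["time"])
        backed = any(
            a["user"] == login["user"] and a["result"] == "success"
            and t - window <= _ts(a["time"]) <= t
            for a in duo_auths
        )
        if not backed:
            suspicious.append(login)
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_mfa_logins(OWA_LOGINS, DUO_AUTHS):
        print("MFA claimed but not recorded by provider:", hit)
```

The same correlation applies to the SAML case quoted earlier: a token the service provider trusts should always have a matching issuance event on the identity provider.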
This shows that we need to consider how we structure our cybersecurity measures. Consider a layered login system that combines two-factor authentication with biometric and/or cryptographic protection; protective measures do not always need to be of a digital or technical nature.
Education is knowing that the threat exists, and is ultimately about creating awareness.
Controlling access to information by ensuring staff only have access to the information relevant to their role.
Know your weaknesses. Dot is specifically designed for this from a technical perspective (specifically for Operational Technology), and knowing which of your systems are critical and ensuring their data is regularly backed up (where possible) will allow a swift recovery or response if you are unfortunately attacked.
Ensure that you adopt governing policies on behaviour, access to the internet, use of data storage devices, email policies and connectivity. Make it a part of your staff roles and responsibility in order to create ownership.
Continually monitor and review your organisation’s behaviour and culture around cybersecurity.
This list is by no means comprehensive and shows that something can always be done.
How did it stay undetected?
“To avoid detection, attackers used temporary file replacement techniques to remotely execute their tools. This means they modified a legitimate utility on the targeted system with their malicious one, executed it, and then replaced it back with the legitimate one. A similar technique involved the temporary modification of system scheduled tasks by updating a legitimate task to execute a malicious tool and then reverting the task back to its original configuration. Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time, the FireEye researchers said.” (Constantin, 2020)
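The pattern FireEye points to is a sequence, not a single event, so a detection has to track actions per host and path over a short window. The following is an added example (not code from the original post or from FireEye) that does exactly that over constructed audit events; the event layout is an assumption, since the page does not show a log format.

```python
"""Detect the temporary-file-replacement sequence on one host and path:
delete -> create -> execute -> delete -> create within a short window.
Event layout and sample events are constructed for this example."""
from datetime import datetime, timedelta

PATTERN = ["delete", "create", "execute", "delete", "create"]

# Constructed sample of file-access audit events: (time, host, path, action).
EVENTS = [
    ("2020-06-02T02:10:00", "srv01", r"C:\Windows\System32\legit.exe", "delete"),
    ("2020-06-02T02:10:01", "srv01", r"C:\Windows\System32\legit.exe", "create"),
    ("2020-06-02T02:10:03", "srv01", r"C:\Windows\System32\legit.exe", "execute"),
    ("2020-06-02T02:10:20", "srv01", r"C:\Windows\System32\legit.exe", "delete"),
    ("2020-06-02T02:10:21", "srv01", r"C:\Windows\System32\legit.exe", "create"),
    # Benign: an ordinary update deletes and creates once, with no swap back.
    ("2020-06-02T03:00:00", "srv02", r"C:\Windows\System32\other.dll", "delete"),
    ("2020-06-02T03:00:01", "srv02", r"C:\Windows\System32\other.dll", "create"),
]


def find_temp_replacements(events, window_s=300):
    """Return (host, path, start, end) for every run of events on one
    host+path that contains PATTERN as an ordered subsequence within
    window_s seconds. Unrelated actions (reads, etc.) in between are ignored."""
    window = timedelta(seconds=window_s)
    by_key = {}
    for time, host, path, action in sorted(events):  # ISO timestamps sort lexically
        by_key.setdefault((host, path), []).append((datetime.fromisoformat(time), action))
    hits = []
    for (host, path), seq in by_key.items():
        for start in range(len(seq)):
            if seq[start][1] != PATTERN[0]:
                continue
            k, t0 = 0, seq[start][0]
            for t, action in seq[start:]:
                if t - t0 > window:
                    break  # sequence took too long to count as a quick swap
                if action == PATTERN[k]:
                    k += 1
                    if k == len(PATTERN):
                        hits.append((host, path, t0.isoformat(), t.isoformat()))
                        break
    return hits


if __name__ == "__main__":
    for host, path, start, end in find_temp_replacements(EVENTS):
        print(f"possible tool swap on {host}: {path} between {start} and {end}")
```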
Mitigation Strategies
Recognising this risk, the NCSC’s Exercise in a Box is an online tool which helps organisations test and practise their response to a cyber attack. For those with Operational Technology (OT) systems, you could use Dot by Awen Collective for asset and vulnerability discovery and management! They do say prevention is better than cure!
Another initiative of the NCSC is the Cyber Information Sharing Partnership (CiSP), which is a joint industry and government partnership set up to allow UK organisations to share cyber threat information in a secure and confidential environment.
The Cyber Assessment Framework (CAF) and, equally, the EU Security of Networks & Information Systems Directive (“NIS Directive”) are aimed at protecting important key systems such as our Critical National Infrastructure (CNI). To some the NIS and CAF may seem incomprehensible, but Awen’s Profile software can not only help decipher them but help you understand and actively work with them, keeping you within your obligations and making them part of your organisation’s processes.
IEC 62443 (by the International Electrotechnical Commission) is a series of standards, including technical reports, on securing Industrial Automation and Control Systems (IACS). Despite progress in the right direction in the cyber domain, 2020 saw the UK’s largest increase in cyberattacks on record. Our critical systems, which keep our economies flowing, are still being frequently targeted and often attacked. Our industrial production sectors now have another topic on boardroom agendas, one which is starting to take up significant space in strategy and operational performance meetings.
References
Constantin, L., 2020. SolarWinds attack explained: And why it was so hard to detect. [online] CSO Online. Available at: <https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html> [Accessed 16 April 2021].
Engle, M., 2021. Three Vulnerabilities Exposed During SolarWinds Attack & How It Could Have Been Prevented. [online] https://www.cpomagazine.com/. Available at: <https://www.cpomagazine.com/cyber-security/three-vulnerabilities-exposed-during-solarwinds-attack-how-it-could-have-been-prevented/> [Accessed 22 March 2021].
Kritzinger E., von Solms P.S. (2005) Five Non-Technical Pillars of Network Information Security Management. In: Chadwick D., Preneel B. (eds) Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 175. Springer, Boston, MA. https://doi.org/10.1007/0-387-24486-7_21
Kovacs, E., 2020. Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank | SecurityWeek.Com. [online] https://Securityweek.com. Available at: <https://www.securityweek.com/group-behind-solarwinds-hack-bypassed-mfa-access-emails-us-think-tank> [Accessed 16 April 2021].
Ncsc.gov.uk. 2021. Dealing with the SolarWinds Orion compromise. [online] Available at: <https://www.ncsc.gov.uk/guidance/dealing-with-the-solarwinds-orion-compromise> [Accessed 14 April 2021].
Solarwinds.com. 2021. Government Cyber Security Solutions | SolarWinds. [online] Available at: <https://www.solarwinds.com/federal-government/solution/cyber-security> [Accessed 14 April 2021].