IT systems the world over rely on trust relationships to assure themselves that all is okay. This weekend has seen another attack on those such trust systems, and this one is shaping up to be something quite big.
Over the weekend, news reports started to filter out of America that several high-profile US organisations had suffered major security incidents.
One of the first of such reports was by Reuters, indicating that the US Treasury and Commerce departments had been breached by suspected Russian hackers. Another report stated that the National Telecommunications and Information Administration agency had also been targeted.
FireEye (yep, the very same FireEye that announced the loss of a number of their Red Team tools last week!) and Microsoft are currently investigating the incident and fear that in the coming weeks, the scale of the attack(s) will grow massively.
According to FireEye, the breach stems from a compromised file in an update to the SolarWinds Orion network monitoring tool.
Reuters reports that Solar Winds has released a press brief that states:
"We are aware of a potential vulnerability which, if present, is currently believed to be related to updates which were released between March 2020 and June 2020 to our Orion monitoring products."
According to the SolarWinds website, their products are in use by over 300,000 customers worldwide, including:
- More than 425 of the US Fortune 500
- All 10 of the top 10 US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide
Looking at some of the named customers, it includes organisations such as:
- NortonLifeLock Inc (Symantec)
- Credit Suisse
- The Bill & Melinda Gates Foundation
- Lockheed Martin
- Level 3 Communications
There are some big hitters in this list that will now have to assume their networks have been compromised until forensic investigations prove otherwise.
How did it happen?
FireEye has announced it appears that a compromised dll file called SolarWinds.Orion.Core.BusinessLayer.dll was included in the aforementioned updates and never raised any alerts because it was digitally signed with appropriate signatures, which meant Microsoft Windows never flagged the file as malicious.
It is this trust that a file is legitimate that has allowed the attackers (suggested to be APT29 – Cozy Bear) to gain such unrestricted access to these networks.
In their report, FireEye revealed that once on a system, the dll remained dormant for 2 weeks – presumably to ensure no other security systems spotted it – before calling out to its C2 controllers to retrieve its instructions.
To further evade suspicion, the software communicated via HTTP to retrieve its jobs that include the ability to:
- transfer data
- execute binaries
- take system profiles
- reboot systems and
- disable system services.
The malware continues to evade detection by masquerading its traffic as official Orion Improvement Program protocol (OIP) and uses blocklists to identify and evade forensic and anti-malware tools.
FireEye stated their initial investigations have identified multiple entities worldwide exhibiting signs of the infected dll. The victims include government, consulting, technology, telecoms and other attractive entities in North America, Europe, Asia and the Middle East.
The depth of the breach(es) has yet to be fully understood but the fact that SolarWinds often runs as admin or root, means most experts suspect it will run very deep within any compromised network.
After leaving a career as a mechanical and electrical engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since.
As a natural progression of his career, Mark started to explore the security aspect of his existing competencies and since 2005 has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH, a Certified EC-Council Instructor, and a CISSP.
More articles by Mark
Pi-Hole: The DIY ad-blocker & malware defender all in one box
What is ethical hacking?
Mac attack! Apple malware on the rise
How random is random?
Sometimes an attack might be right in front of your eyes!
Who you gonna call?
Denial of Service attack for iOS devices
Safer Internet Day 2019