IT systems the world over rely on trust relationships to assure themselves that all is okay. This weekend has seen another attack on those such trust systems, and this one is shaping up to be something quite big.
Over the weekend, news reports started to filter out of America that several high-profile US organisations had suffered major security incidents.
One of the first of such reports was by Reuters, indicating that the US Treasury and Commerce departments had been breached by suspected Russian hackers. Another report stated that the National Telecommunications and Information Administration agency had also been targeted.
FireEye (yep, the very same FireEye that announced the loss of a number of their Red Team tools last week!) and Microsoft are currently investigating the incident and fear that in the coming weeks, the scale of the attack(s) will grow massively.
According to FireEye, the breach stems from a compromised file in an update to the SolarWinds Orion network monitoring tool.
Reuters reports that Solar Winds has released a press brief that states:
"We are aware of a potential vulnerability which, if present, is currently believed to be related to updates which were released between March 2020 and June 2020 to our Orion monitoring products."
According to the SolarWinds website, their products are in use by over 300,000 customers worldwide, including:
- More than 425 of the US Fortune 500
- All 10 of the top 10 US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide
Looking at some of the named customers, it includes organisations such as:
- NortonLifeLock Inc (Symantec)
- Credit Suisse
- The Bill & Melinda Gates Foundation
- Lockheed Martin
- Level 3 Communications
There are some big hitters in this list that will now have to assume their networks have been compromised until forensic investigations prove otherwise.
How did it happen?
FireEye has announced it appears that a compromised dll file called SolarWinds.Orion.Core.BusinessLayer.dll was included in the aforementioned updates and never raised any alerts because it was digitally signed with appropriate signatures, which meant Microsoft Windows never flagged the file as malicious.
It is this trust that a file is legitimate that has allowed the attackers (suggested to be APT29 – Cozy Bear) to gain such unrestricted access to these networks.
In their report, FireEye revealed that once on a system, the dll remained dormant for 2 weeks – presumably to ensure no other security systems spotted it – before calling out to its C2 controllers to retrieve its instructions.
To further evade suspicion, the software communicated via HTTP to retrieve its jobs that include the ability to:
- transfer data
- execute binaries
- take system profiles
- reboot systems and
- disable system services.
The malware continues to evade detection by masquerading its traffic as official Orion Improvement Program protocol (OIP) and uses blocklists to identify and evade forensic and anti-malware tools.
FireEye stated their initial investigations have identified multiple entities worldwide exhibiting signs of the infected dll. The victims include government, consulting, technology, telecoms and other attractive entities in North America, Europe, Asia and the Middle East.
The depth of the breach(es) has yet to be fully understood but the fact that SolarWinds often runs as admin or root, means most experts suspect it will run very deep within any compromised network.
Mark AmoryMark Amory has been specialising in cyber security training for 15 years and is the author of several of QA's cyber security courses, as well as the 2017 NCSC CyberFirst Academy.
More articles by Mark