John Pescatore - SANS Director of Emerging Security Trends
SolarWinds' Compromised Network Management Software Requires Urgent Action--Even If You Aren't Using SolarWinds
This week's Drilldown focuses on one item (included below) from NewsBites Issue 97, which summarized FireEye's disclosure that its systems had been penetrated by attackers, likely sponsored by the Russian government. Over the weekend, after NewsBites 97 was published, additional information came out that SolarWinds' widely used Orion network management software had been compromised between March and May of 2020 and that as many as 18,000 organizations using that software were potentially at serious risk.
SANS, FireEye, Microsoft and others have put out detailed information on the SolarWinds compromise, and tools and techniques for assessment, mitigation and restoration:
- SANS - https://sansurl.com/solarwinds
- FireEye - https://github.com/fireeye/sunburst_countermeasures/blob/main/signature_table_of_contents.csv
- Microsoft - https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- DHS CISA - https://cyber.dhs.gov/ed/21-01/
Those sources will be updated with the latest information and guidance.
The only additional point I will make in this Drilldown: even if you are not using SolarWinds' compromised software, if you are using any network or IT management software, you should immediately review the security of its configuration (what it can reach, what credentials it holds, and what it is allowed to talk to outbound) and perform threat hunting to make sure you don't have either a vulnerable or an already-compromised installation.
Network management systems are by their very nature highly intrusive, highly privileged applications: they hold credentials for, and can push changes to, most of the infrastructure they monitor. They have long been a target of attackers, and unfortunately SolarWinds was breached. That does not mean, however, that SolarWinds was the only vendor targeted. Products from Broadcom, Cisco, Dynatrace, New Relic, Riverbed and others are also widely used and were also potentially targeted.
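As an added illustration of the hunting step described above (example code written for this page, not from SANS, FireEye, SolarWinds or any vendor's guidance): a management server has a small, knowable set of names it should ever resolve, so one of the cheapest hunts is to pull its DNS query log, strip everything inside an approved set of zones, and look at what is left for scheduled check-ins. The script assumes a hypothetical server name (nms01), a hypothetical allowlist of DNS suffixes, and constructed log lines in the format "<ISO-8601 timestamp> <client> query <qtype> <qname>"; none of the hosts or domains are real indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical host name of the management server under investigation.
NMS_HOST = "nms01"

# Hypothetical allowlist of DNS suffixes a management server legitimately
# resolves. Build the real one from the vendor's documentation and from a
# baseline captured from the server itself, not from guesswork.
ALLOWED_SUFFIXES = (".corp.example", ".updates.vendor.example", ".pool.ntp.org")

# Constructed sample DNS query log (not real telemetry).
# Format: "<ISO-8601 timestamp> <client host> query <qtype> <qname>"
SAMPLE_LOG = """\
2020-12-13T02:00:01Z nms01 query A sw-core-1.corp.example
2020-12-13T02:00:12Z nms01 query A downloads.updates.vendor.example
2020-12-13T02:05:00Z wks17 query A unknown-cdn.example
2020-12-13T02:10:04Z nms01 query A a1b2c3.unknown-cdn.example
2020-12-13T02:15:33Z nms01 query A 0.pool.ntp.org
2020-12-13T02:25:04Z nms01 query A d4e5f6.unknown-cdn.example
2020-12-13T02:30:00Z nms01 query A telemetry.other-vendor.example
2020-12-13T02:40:05Z nms01 query A g7h8i9.unknown-cdn.example
2020-12-13T02:55:04Z nms01 query A j0k1l2.unknown-cdn.example
"""


def parse_line(line):
    """Parse one log line into (timestamp, host, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, parts[1], parts[4].lower().rstrip(".")


def is_allowed(qname, allowed=ALLOWED_SUFFIXES):
    """True if qname is the apex of, or sits inside, an allowed zone."""
    return any(qname == s.lstrip(".") or qname.endswith(s) for s in allowed)


def parent_domain(qname, labels=2):
    """Collapse host labels so the beacon check groups by parent zone."""
    return ".".join(qname.split(".")[-labels:])


def hunt(log_text, host=NMS_HOST, allowed=ALLOWED_SUFFIXES,
         min_hits=3, max_jitter=0.2):
    """Return queries from `host` outside the allowlist, and the periodic ones.

    unexpected: list of (timestamp, qname) not covered by `allowed`
    beacons:    {parent_domain: mean_interval_seconds} for parent domains
                queried at least `min_hits` times at a near-constant interval
    """
    unexpected = []
    by_domain = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] != host:
            continue
        ts, _, qname = rec
        if is_allowed(qname, allowed):
            continue
        unexpected.append((ts, qname))
        by_domain[parent_domain(qname)].append(ts)

    beacons = {}
    for domain, times in by_domain.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: spread that is small relative to the
        # mean gap is the signature of a scheduled check-in, not human use.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[domain] = mean
    return unexpected, beacons


if __name__ == "__main__":
    found, periodic = hunt(SAMPLE_LOG)
    for ts, qname in found:
        print(f"unexpected  {ts:%H:%M:%S}  {qname}")
    for domain, mean in periodic.items():
        print(f"beacon      {domain}  every ~{mean:.0f}s")
```

On the constructed log this reports five queries the allowlist does not explain and flags unknown-cdn.example as a 15-minute beacon; the one-off query to other-vendor.example is listed but not flagged, which is the right outcome for a hunt lead that still needs a human to decide. The same shape works on proxy or firewall logs once the parser is swapped, and a real run should use a baseline window from before the suspected compromise so the allowlist is not built from the attacker's own traffic.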
This has been called a "supply chain attack" because SolarWinds has stated that its software build process was compromised: the malicious code was inserted before the software was signed and shipped, so it reached customers as a legitimate, signed update. The broader issue is that enterprises need to push stronger security assessment requirements on all software vendors, but especially when procuring applications that will have highly privileged access.
The U.S. Department of Defense has been moving toward requiring all contractors and vendors to obtain Cybersecurity Maturity Model Certification (CMMC). Over time this will likely also require continuous monitoring feeds from high-sensitivity suppliers, but as planned CMMC issues point-in-time certifications valid for three years, which will not be meaningful against rapidly evolving, sophisticated attacks.
Bottom line: Enterprises should routinely require all software vendors to provide evidence of vulnerability testing for every software release. Applications that provide highly privileged access should be subject to a high level of monitoring and to regular threat/compromise investigations.
FireEye Discloses Theft of Red Team Tools
(December 8 and 9, 2020)
FireEye has acknowledged that it was attacked by a highly sophisticated threat actor, one whose discipline, operational security and techniques lead us to believe it was a state-sponsored attack. The attacker appears to have accessed FireEye Red Team Tools, which the company uses to assess the security of customers' systems. FireEye is investigating the incident in cooperation with the FBI, Microsoft and other key partners.
[Pescatore] FireEye's CEO blog post and press release focus on the sophistication of the threat actors and point to great information for detecting the use of the stolen tools, but offer no lessons learned on what vulnerabilities were exploited or what mistakes FireEye made that enabled the attacks to succeed. Putting that out for public consumption obviously carries risk. I hope FireEye is providing those lessons learned via trusted channels.
[Paller] Security organizations are under constant attack. Once in a while the attacker wins. This happened twice to us at SANS, 23 years ago and in 2020. As John Pescatore notes, (in addition to finding ways to block the specific intrusion vector and to correct systemic flaw[s] it uncovered) security organizations have a unique and important obligation to share the lessons learned, broadly and quickly.
Read more in:
FireEye: FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
Vice: One of The Biggest Cybersecurity Companies In The World Just Got Hacked
Dark Reading: Nation-State Hackers Breached FireEye, Stole Its Red Team Tools
ZDNet: FireEye, one of the world's largest security firms, discloses security breach
The Register: Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools
Wired: Russia's FireEye Hack Is a Statement--but Not a Catastrophe
SC Magazine: FireEye hacked, red team tools stolen
Ars Technica: Premiere security firm FireEye says it was breached by nation-state hackers
Threatpost: FireEye Cyberattack Compromises Red-Team Security Tools
Bleeping Computer: FireEye reveals that it was hacked by a nation state APT group