The Server Room Show – Episode 62 – Solarwinds and its aftermath

What is SolarWinds?

SolarWinds is a multinational company with over 3,000 employees and 300,000 customers worldwide, a major IT firm whose software is used by entities ranging from Fortune 500 companies to the US Government.

SolarWinds' main product, the Orion platform, is a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid and software-as-a-service (SaaS) environments in a single pane of glass.

https://cdn.vidyard.com/thumbnails/4866758/vgvdv4LwvwYkE9RgpTIXfQ.png
Example Dashboard of SolarWinds Orion platform single pane of glass


The SolarWinds hack and why it is such a big deal (or is it?)
The SUNBURST and SUPERNOVA attacks

SUNBURST

They call it the most serious cyber attack against an enterprise software giant ever.

Reuters first reported that SolarWinds was the subject of a massive cybersecurity attack that spread to the company’s clients.

The breach went undetected for months and could have exposed data in the highest reaches of government including the US military and the White House.

As always, US officials think it was the Russians behind it
(aren't they behind everything?? But do we have enough Russians to be behind everything? 🙂)

Whoever was behind this hack used it to spy on private companies such as the elite cybersecurity firm FireEye and on the US Government, including the Department of Homeland Security and the Treasury Department.

Earlier in 2020, hackers secretly broke into Texas-based SolarWinds' systems and added malicious code to the company's software. The product, called Orion, is widely used by companies to manage IT resources. SolarWinds has about 33,000 customers that use Orion; in its filing with the SEC the company said that fewer than 18,000 of them had installed the trojanized update.

Most software providers regularly send out updates to their products, whether to fix a bug or to add new features, and SolarWinds is no exception. Beginning as early as March 2020, SolarWinds unwittingly sent out software updates to its customers that included the malicious code.

The code created a backdoor into customers' IT systems, which the hackers then used to install further malware that let them spy on companies and organizations.

The backdoor was planted in a legitimate SolarWinds library (the Orion component SolarWinds.Orion.Core.BusinessLayer.dll) and shipped inside an update that was digitally signed with SolarWinds' own code-signing certificate, so the malicious component carried a trusted signature and went unnoticed. Separately, in November 2019 a security researcher notified SolarWinds that their FTP server had a weak password, "solarwinds123", warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers. Note that this FTP password has not been publicly established as the route the SUNBURST attackers actually used; it is an example of poor hygiene around the same update pipeline.

The New York Times reported that SolarWinds did not employ a chief information security officer and that employee passwords had been posted on GitHub in 2019. Other sources estimate that the leak through a public SolarWinds GitHub repository had been going on since 2018 (leaked FTP credentials and a weak FTP password). Security researcher Vinoth Kumar alerted the company in 2019 about the FTP password leak and that anyone could access the SolarWinds update server using the password "solarwinds123".

On December 15, 2020, SolarWinds reported the breach to the Securities and Exchange Commission. However, SolarWinds continued to distribute malware-infected updates, and did not immediately revoke the compromised digital certificate used to sign them.

On December 16, 2020, German IT news portal Heise.de reported that SolarWinds had for some time been encouraging customers to disable anti-malware tools before installing SolarWinds products.

On December 17, 2020, SolarWinds said they would revoke the compromised certificates by December 21, 2020.

SUPERNOVA

On December 19, 2020, Microsoft said that its investigations into supply chain attacks at SolarWinds had found evidence of an attempted supply chain attack distinct from the attack in which SUNBURST malware was inserted into Orion binaries (see previous section). This second attack has been dubbed SUPERNOVA 

Security researchers from Palo Alto Networks said the SUPERNOVA malware was implemented stealthily. SUPERNOVA comprises a very small number of changes to the Orion source code, implementing a web shell that acts as a remote access tool: a trojanized copy of a legitimate Orion .NET handler (App_Web_logoimagehandler.ashx.b6031896.dll) that accepts C# source code in HTTP request parameters, compiles it and runs it in memory. Because the attacker's actual payload is assembled in memory during SUPERNOVA execution and never written to disk, its forensic footprint is minimal.

Unlike SUNBURST, SUPERNOVA does not carry a valid SolarWinds digital signature, which means it was not inserted through the same build-and-sign pipeline. This is among the reasons why it is thought to have originated with a different group than the one responsible for SUNBURST.
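Because the SUPERNOVA web shell sits behind a normal Orion HTTP handler, the cheapest place to hunt for it is the IIS access log of the Orion web server. The script below is an added example (not SolarWinds code and not from Palo Alto Networks): it parses IIS W3C log lines using the #Fields header, and flags requests to logoimagehandler.ashx that carry the four request parameters (codes, clazz, method, args) that Unit 42 reported the web shell uses, plus POSTs to the handler, since IIS does not log request bodies. The log lines are constructed for the example; the placeholder value in the codes parameter stands in for the C# source an attacker would send.

```python
"""Hunt IIS W3C access logs for SUPERNOVA-style requests to the Orion logo handler.

Added example, not SolarWinds code. The handler name and the four request
parameters come from Palo Alto Unit 42's SUPERNOVA write-up; the log lines
below are constructed for this example.
"""
from urllib.parse import parse_qs

HANDLER = "logoimagehandler.ashx"                        # the .NET handler SUPERNOVA trojanized
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}  # C# source, class, method, arguments

# Constructed IIS W3C sample: one benign handler request, one SUPERNOVA-style
# GET, and one POST to the handler (IIS does not log POST bodies).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-10 08:15:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.1.20 Mozilla/5.0 200
2020-12-10 08:15:09 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 443 - 10.0.1.20 Mozilla/5.0 200
2020-12-10 08:16:44 10.0.0.5 GET /orion/LogoImageHandler.ashx codes=PLACEHOLDER&clazz=Evil&method=Run&args=whoami 443 - 203.0.113.7 python-requests/2.25 200
2020-12-10 08:17:01 10.0.0.5 POST /Orion/logoimagehandler.ashx - 443 - 203.0.113.7 python-requests/2.25 200
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields header for the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # IIS encodes spaces as '+', so a column mismatch means a damaged line
        yield dict(zip(fields, values))


def hunt_supernova(text):
    """Return findings for requests to the logo handler that look like SUPERNOVA."""
    findings = []
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().endswith(HANDLER):
            continue
        query = rec.get("cs-uri-query", "-")
        params = set() if query == "-" else {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        hit = params & SUPERNOVA_PARAMS
        if hit:
            confidence = "high"    # web-shell parameters visible in the query string
        elif rec.get("cs-method") == "POST":
            confidence = "medium"  # body not logged; an image handler has no reason to take POSTs
        else:
            continue
        findings.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client": rec.get("c-ip"),
            "method": rec.get("cs-method"),
            "params": sorted(hit),
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_supernova(SAMPLE_LOG):
        print(finding)
```

Run it against the real logs with `hunt_supernova(open(path).read())`; a single high-confidence hit is enough to pull the handler DLL from the server and check whether it is the unsigned SUPERNOVA variant.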

Insider trading investigation

SolarWinds' share price fell 25% within days of the SUNBURST breach becoming public knowledge and 40% within a week. Insiders at the company had sold approximately $280 million in stock shortly before the breach became public, months after the attack had started. A spokesperson said that those who sold the stock had not been aware of the breach at the time.

A good opportunity for some other companies

Microsoft (Azure) and a Spanish startup called Artica (about 40 employees and around 400 clients), which has its own product in the systems monitoring market. Many SolarWinds customers are looking for alternatives and want a way out: some are looking at offers such as Artica's monitoring solution (a customized Pandora FMS), others are trying to avoid a similar issue by moving their infrastructure to a cloud like Microsoft's Azure.

It probably offers a great opportunity for many of SolarWinds' competitors, including OpenNMS, whose founder and CEO Tarus Balog will sit down with me and chat, among other things, about this particular event on episode 63 of The Server Room Show.

Examples of BAD behaviour in the SolarWinds story

  • Weak passwords anywhere (the SolarWinds FTP password "solarwinds123")
  • Telling your users not to use anti-malware (this makes SolarWinds responsible, because they advised their users to do so)
  • Not listening and following up when security researchers find and report a vulnerability to your company, because you are too busy or perhaps too arrogant
  • Not revoking compromised certificates immediately
  • Not employing a CISO (Chief Information Security Officer) in a company of SolarWinds' size and customer base (reaching Fortune 500 and government entities)
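A password like "solarwinds123" passes most naive complexity rules (it has letters and digits), so the check that would have caught it is a policy that rejects passwords built from the organization's own names and products. The script below is an added example, not a SolarWinds control: it normalizes a candidate password (lower-case, strips the trailing digits and symbols people bolt on, undoes common leet substitutions) and rejects it if it contains any organization term, is too short, or is on a deny list. ORG_TERMS and DENY_LIST are constructed for the example; a real deployment would feed in the company's names, product names, domains and a breached-password list.

```python
"""Reject passwords built from the organization's own names, e.g. "solarwinds123".

Added example, not a SolarWinds control. ORG_TERMS and DENY_LIST are constructed
for this example.
"""

MIN_LENGTH = 14
ORG_TERMS = ["SolarWinds", "Orion", "solarwinds.com"]        # constructed
DENY_LIST = {"password", "welcome1", "letmein", "changeme"}  # constructed, tiny
TRAILING_JUNK = "0123456789!@#$%^&*.-_"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(text):
    """Lower-case, drop the trailing digits/symbols users append, undo common leet."""
    return text.lower().rstrip(TRAILING_JUNK).translate(LEET)


def org_fragments(terms):
    """Organization terms plus the meaningful parts of domains/compound names."""
    frags = set()
    for term in terms:
        c = canonical(term)
        frags.add(c)
        for part in c.replace("-", ".").split("."):
            if len(part) >= 5:      # skip 'com', 'net' and similar
                frags.add(part)
    return frags


def weakness_reasons(password, org_terms=ORG_TERMS, min_length=MIN_LENGTH):
    """Return the list of reasons a password is unacceptable (empty means OK)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = canonical(password)
    if core in DENY_LIST or password.lower() in DENY_LIST:
        reasons.append("on the deny list")
    for frag in sorted(org_fragments(org_terms)):
        if frag and frag in core:
            reasons.append(f"contains organization term '{frag}'")
            break
    return reasons


def is_acceptable(password, org_terms=ORG_TERMS):
    return not weakness_reasons(password, org_terms)


if __name__ == "__main__":
    for candidate in ["solarwinds123", "S0larW1nds!2020", "orion2021!", "Correct-Horse-Battery-Staple-92"]:
        print(candidate, "->", weakness_reasons(candidate) or "acceptable")
```

The normalization order matters: the trailing "123" or "!2020" is stripped before leet characters are translated, otherwise "solarwinds123" would become "solarwindsiee" and slip past the organization-term check. Apply the same check to service and FTP accounts, not only to interactive users; that is exactly where the SolarWinds password lived.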

Things to keep in mind

  • Anything can be compromised; nothing is 100% safe
  • Many times bad security practices help hackers gain access more easily than we would imagine
  • The head-in-the-sand approach never works
  • Do not advise your clients to do something you would not do yourself

Links


https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
https://www.marketwatch.com/story/microsoft-earnings-the-solarwinds-hack-may-be-a-good-thing-for-azure-11611352122
https://www.newyorker.com/news/daily-comment/after-the-solarwinds-hack-we-have-no-idea-what-cyber-dangers-we-face
https://www.expansion.com/economia-digital/companias/2018/09/21/5ba0b7cbe2704e11b78b457e.html
https://artica.es/en/
https://pandorafms.com/
https://www.cvedetails.com/product-list/vendor_id-1305/Solarwinds.html
https://savebreach.com/solarwinds-exposed-ftp-credentials-back-in-2018-says-security-researcher-vinoth/
https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8

Author: viktormadarasz

IT OnSite Analyst for a big multinational company