What really happened in the SolarWinds cyber-attack?



The SolarWinds cyber-attack has been given many adjectives – historic, unprecedented, massive and sophisticated to name a few. What makes this attack unlike any other we’ve seen in recent times is the fact that it was a supply chain attack of indescribable sophistication. 

Criminals managed to compromise the update process of SolarWinds’ Orion software. Because this was a supply-chain attack, infiltrating the network of a single service provider (in this case SolarWinds) let the hackers compromise the systems of all its clients, impacting over 18,000 organizations, including some top-tier cybersecurity companies, global giants like Microsoft and Cisco, many US government agencies, EU institutions and more.

In line with its commitment to educate and empower the cybersecurity community with continuous knowledge and thought leadership, Cyber Management Alliance has launched a massive educational campaign on the SolarWinds cyber-attack.

As part of this educational campaign, we have created one of the most comprehensive SolarWinds cyber-attack timelines, capturing the chronology of the SolarWinds breach. Complementing the timeline is a series of webinars in which our CEO and Co-Founder, Amar Singh, discusses with other industry experts the attack methodology, how the attack was discovered and what the gaps were.

The first of this series of webinars took place recently and can be viewed on our BrightTALK channel here. In the webinar, entitled “What Really Happened in the SolarWinds Cyber-Attack?”, Amar Singh spoke with Joel Bork, Senior Threat Hunter at IronNet. Joel and his team were instrumental in detecting the early signs of the attack. In this exciting webinar, Joel discusses how his team actually figured out that something was not right and sheds light on the hackers’ advanced techniques.

Some of the evasion techniques that worked for them, as explained by Joel in the webinar, were the following:

  • The Sunburst certificate was properly signed, and the domain had been registered a year earlier, leaving no reason for anyone to doubt it.
  • The cyber criminals disabled logging every time they injected the DLL and then re-enabled it afterwards. Unless someone was actively looking for an intrusion of this sophistication, there was no obvious evidence of the DLL being injected.
  • The DLL verified that it had not been tampered with.
  • The DLL also checked that it was not running at SolarWinds itself or inside a sandbox used by security tools. This is critical because if security analysts examine a DLL, they will do so in a sandbox. The DLL was able to evade execution in a sandbox, which shows how sophisticated the attack was: it avoided detection at every level.
  • The DLL executed at random times, up to two weeks after a restart.
  • It held a full process list, which allowed it to check for endpoint security tools and installed drivers and kill them, successfully evading all EDR capabilities.
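A defender-side illustration of the logging bullet above, added here as an example that is not part of the webinar or of this post: because logging was switched off and back on around each injection, one simple hunt is to look for unexplained silences in a host's event stream. The log format, the five-minute heartbeat and the threshold are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed sample: one host's event stream with a 90-minute silence
# between 10:10 and 11:40. Timestamps and messages are made up.
SAMPLE_LOG = """\
2020-06-01 10:00:00 host01 svc=EventLog msg=heartbeat
2020-06-01 10:05:00 host01 svc=EventLog msg=heartbeat
2020-06-01 10:10:00 host01 svc=EventLog msg=heartbeat
2020-06-01 11:40:00 host01 svc=EventLog msg=heartbeat
2020-06-01 11:45:00 host01 svc=EventLog msg=heartbeat
"""


def parse_timestamps(text):
    """Return the timestamps of all well-formed lines, sorted ascending."""
    stamps = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash
        try:
            stamps.append(datetime.strptime(f"{parts[0]} {parts[1]}",
                                            "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue  # a line without a parseable timestamp is ignored
    return sorted(stamps)


def find_logging_gaps(text, expected_interval=timedelta(minutes=5),
                      tolerance=3):
    """Report silences longer than tolerance * expected_interval.

    A host that normally logs every five minutes but goes quiet for
    ninety is either down or has had logging disabled; either way it
    deserves an analyst's attention. Returns (start, end, duration)."""
    stamps = parse_timestamps(text)
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > expected_interval * tolerance:
            gaps.append((earlier, later, later - earlier))
    return gaps


if __name__ == "__main__":
    for start, end, duration in find_logging_gaps(SAMPLE_LOG):
        print(f"silence from {start} to {end} ({duration})")
```

In practice the heartbeat interval should be learned per host from a baseline period, and any gap should be correlated with service-stop events and the host's uptime before it is raised.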

