15 Dec 2020
Every day, the information we learn about the FireEye hack keeps getting worse.
Last week we wrote about the hack occurring; yesterday we reported that not only was FireEye impacted, but the US government was as well, along with businesses and other governments across the globe; and today, we are starting to understand the full scope of the attack, and it’s not pretty.
In fact, it now appears that around 18,000 entities were victims of this particular attack. As we mentioned yesterday, the hackers were able to worm their way into systems via the Austin, Texas-based software tools provider, SolarWinds. While it has not been 100% proven, it appears that the most likely culprit was Cozy Bear, a Russian Federal Security Service (FSB) hacking group, though they are, not surprisingly, denying any responsibility.
The responsible party, who is clearly extremely sophisticated, used a SolarWinds software update to infect selected victims via a backdoored version of SolarWinds’ Orion network management tool (the backdoor is now being called “Sunburst”). According to a document filed yesterday by SolarWinds, the hackers then used Sunburst to infect customers who installed an update between March and June of this year… which was approximately 18,000 of their 300,000 customers.
Orion was extremely appealing to Cozy Bear for a multitude of reasons. First of all, the infected tool is widely used and seemingly innocuous, as its job is to manage network devices, like routers, within organizations, many of which are rather large. Additionally, the software is afforded a high level of privilege across multiple networks, so gaining control of it would be (and was) very advantageous.
According to one of FireEye’s releases on Sunday, there was also a digitally signed component of the Orion framework containing Sunburst whose job was to communicate directly with servers controlled by the hackers. To make matters worse, Sunburst was written specifically to conceal the hackers’ activity, not only by remaining dormant for several weeks but also by blending in seamlessly with legitimate SolarWinds data traffic.
But that’s not all they did. While Sunburst didn’t give the hackers FULL control over the networks and devices, the access granted was still significant, and the cyber criminals were able to leverage additional sophisticated techniques to get even deeper. For example, they were able to steal signing certificates that gave them the ability to impersonate the victims’ accounts AND users via the Security Assertion Markup Language (SAML), the protocol used to exchange crucial authentication and authorization information with their service providers.
Unfortunately, attacks on the supply chain can be really difficult to mitigate due to their wide reach, and it may be unclear for a while still just how many of the suppliers were attacked. That being said, CISA has released an Emergency Directive to assist companies that fear they may have fallen victim to this attack, and FireEye has posted a list of measures you can use to check whether you have been impacted. This also emphasizes just how important cyber security measures in the supply chain are for our national security and reaffirms the need for such regulations as CMMC and NIST SP 800-171.
As always, if you have concerns of your own, feel free to contact us by calling 919-422-2607, or schedule a free online consultation today. Chances are if you have questions, you’re likely not ready for this kind of attack, and remember – hackers have NO shame.
Stay safe out there.