Cyber security experts have identified the attack on the SolarWinds Orion network management platform as one of the most serious hacks of US government networks and of many large corporate data infrastructures. After the attack was uncovered in December 2020, network professionals worked to mitigate the effects of the widespread breach.
The supply chain attack has affected several federal agencies, including ministries of trade, energy and homeland security. News of the hack forced large public corporations, including Cisco Systems and Microsoft, to step up their network analysis activities to identify and mitigate the anomaly before it could disrupt operations.
Shortly after the hack was revealed, SolarWinds announced updates to its Orion platform, which had been compromised by malware called Supernova. According to SolarWinds’ investigation, the malware could be deployed by exploiting a vulnerability in the Orion platform. Approximately 18,000 customers were affected by the breach. In response to the SolarWinds hack, these companies need to deploy the Orion updates and carefully examine every part of their network to determine where the malware may have gained a foothold.
Supernova Malware Explained
According to a SolarWinds security advisory, “SUPERNOVA is not malicious code. … It is malware that is placed separately on a server that requires unauthorized access to a customer’s network and appears to be part of a SolarWinds product.”
The provider found that the malware consists of two components. “The first was a malicious, unsigned webshell DLL ‘app_web_logoimagehandler.ashx.b6031896.dll’ that was written specifically for use on the SolarWinds Orion platform. The second is to use a vulnerability in the Orion platform to enable the malicious code to be deployed.”
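A defender-side check for the unsigned webshell DLL described above, written for this article as an added example (it is not SolarWinds’ code or part of the advisory). It assumes the Orion web application lives under C:\inetpub\SolarWinds and that the DLLs the vendor ships there carry a valid Authenticode signature, so any unsigned DLL is worth a manual look even when its name differs from the one published.

```powershell
# Added example: sweep an Orion web directory for the SUPERNOVA webshell DLL named in the
# advisory, and for any other DLL whose Authenticode signature does not verify.
# Assumptions (not from the article): web root path below; vendor DLLs there are signed.
function Find-SuspiciousOrionDll {
    param(
        [string]$WebRoot = 'C:\inetpub\SolarWinds',   # assumed install location; adjust as needed
        [string]$KnownWebshell = 'app_web_logoimagehandler.ashx.b6031896.dll'   # name from the advisory
    )
    Get-ChildItem -Path $WebRoot -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                LastWrite = $_.LastWriteTimeUtc
                SigStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject # $null when the file is unsigned
                NameMatch = ($_.Name -ieq $KnownWebshell)  # exact match on the published webshell name
            }
        } |
        Where-Object { $_.NameMatch -or $_.SigStatus -ne 'Valid' } |
        Sort-Object NameMatch -Descending                  # exact name matches first
}

# Review the hits: a name match is the strongest signal; unsigned DLLs need manual triage
# (hash them and compare against the vendor's published file inventory for your version).
Find-SuspiciousOrionDll | Format-Table -AutoSize
```

Run it with an account that can read the Orion web directory; the function only reads files and signature metadata, so it is safe to run on a production host during triage.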
Investigators analyzing the malware identified a backdoor called Sunburst that allowed the attackers to receive reports from infected computers. The attackers then used this data to select systems for further exploitation.
Investigators found that the backdoor code was similar to another widely used hacking tool called Kazuar. They suspected that Kazuar had been used in many previous attacks on public and private organizations, and that it may have served as a trigger for activating previously dormant malware residing in targeted systems.
Lessons learned and next steps
The Orion platform is popular and used around the world – and was clearly a target for very experienced hackers. Among the lessons from the SolarWinds hack is that no security software is perfect, and it should be viewed as a potential entry point for cyberattacks.
Another lesson is to maintain a high level of care for all elements of a network infrastructure, especially the perimeter. Obtaining and using powerful anomaly detection software is also an essential activity and a wise investment.
What can network and security teams do now and in the future in response to the SolarWinds hack? Since both teams need to be aware of this event and be prepared for other incidents, let’s consider a checklist of items. Clearly, the need for both teams to work together is important to prevent and mitigate future attacks.
1. Computers are vulnerable to attack. Regardless of the proactive measures taken to identify, prevent and mitigate cyberattacks, IT infrastructures remain at risk. The optimal network and security posture assumes that an attack will take place and makes every possible effort to prevent it.
2. Security is a cornerstone of corporate culture. Network and information system security starts at the top. Business leaders need to understand and support the importance of information security and get this message across the organization.
3. Identify all entry points into the organization and ensure adequate security. Many access points (APs) are available to experienced and motivated hackers. The use of remote access during the current pandemic has created many additional entry points into a company’s network and information resources. Ensure that all likely and unlikely APs are identified, adequately protected, and regularly monitored for suspicious activity.
4. Network perimeters must be aggressively protected. Use firewalls, intrusion detection and prevention systems, and other services to remove porosity from corporate and personal networks. More importantly, regularly update the rules and other parameters of these specialized systems to ensure that they are working optimally.
5. Patch regularly and make sure the patches work as indicated. For example, SolarWinds has released several updates to the Orion platform for user patching. An effective patch management process is essential to staying one step ahead of malicious actors.
6. Align network security with physical security. These two measures are closer than some organizations may realize and shouldn’t be kept in separate silos. Unauthorized physical access to data centers by rogue employees, for example, can be just as harmful as a malware attack.
7. Incident response plans and protocols must be in place. These strategies determine how an organization responds to the first discovery of a network security anomaly. They should be documented, regularly reviewed, and tested to ensure that they work when needed.
8. Maintain network security and cybersecurity policies and procedures. Policies define which security activities an organization commits to; procedures define how the organization carries out specific actions in response to most events. Review and update these policies and procedures at least annually, especially as new network or security technology becomes available.
9. Include non-technological initiatives in the security strategy. Cybersecurity insurance is an example of a non-technological resource that is available in the event of an attack. A ransomware attack can affect a company in a number of ways, including financial losses, and it can damage the company’s competitive position and reputation.
10. Ensure that all security and network protection plans are up to date, regularly exercised, and regularly reviewed. It is not enough to just have contingency plans like technology disaster recovery and cybersecurity plans. These key initiatives and related documents need to be reviewed regularly, updated as necessary, and tested and reviewed at least once a year.
In this article, we examined a recent malware attack and its long-term effects. More importantly, we’ve discussed activities that need to be in place to ensure that network perimeters are secure, information systems and data are secure, and that organizations consider network protection and cybersecurity to be business-critical.