On the 8th December, FireEye, a large player in the cybersecurity world, disclosed that they were hit by a nation state-sponsored attack that they later found was the result of a backdoor in the SolarWinds Orion management and monitoring platform.
We all too often hear during disclosures that the attack was sophisticated, but in this rare case it was indeed both highly sophisticated and evasive. The result was a complex supply chain attack that compromised the supplier in order to target its high-profile victims.
It was confirmed that the hacker group managed to steal the red team tools of FireEye’s professional security team, ranging from simple scripts used to automate reconnaissance to entire frameworks similar to technologies such as Cobalt Strike and Metasploit. FireEye did, however, confirm that the stolen tools did not contain any zero-day exploits.
Since FireEye’s announcement, there have been a lot of investigations and updates from cyber experts, and mitigation techniques and threat advisories are now being released. The advisories from SolarWinds confirmed that the exploits only affect the Orion platform; we strongly advise any SolarWinds customers to review and update their platforms as soon as possible.
We are not going to try and cover the details of this attack here, but instead want to bring together a timeline of posts related to the disclosures, security advisories and recommendations from the multiple experts directly and indirectly associated with investigating the attack.
Unauthorized Access of FireEye Red Team Tools | FireEye Inc
Security Advisory | SolarWinds
Important steps from the Microsoft Blog | Microsoft
Detailed Guidance and recommendations | Microsoft Security Response Center
Emergency Directive 21-01 | cyber.dhs.gov
FireEye, Microsoft create kill switch for SolarWinds backdoor | Bleeping Computer
What you will see throughout the FireEye posts in particular is a great and commendable approach to the disclosure of the attack. FireEye have been clear, open and concise, and have been actively trying to help the public defend against the threats that may result from the theft of their offensive tools.
With the potential for approx. 18,000 impacted customers, and numerous organisations already confirming they are also victims, this story may run for some time, so we will aim to keep this post updated where possible.
To close, Microsoft's President posted an interesting article giving his account of what has been a challenging year for us all when it comes to cyber security threats.
SUPERNOVA: A Novel .NET Webshell | Palo Alto Networks
Understanding the threat to prevent on-premise to cloud attacks | Microsoft AAD Identity Blog
Advice for incident responders on recovery from systemic identity compromises | Microsoft DART
Summary, background, and guidance resource centre | MSRC
FireEye have released a report with detailed techniques used by the SolarWinds hackers | ZDNet.com
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.