I thought this Christmas would be quiet, but in a year like 2020, with so much uncertainty and change in the world, we could not get through Christmas without some adrenaline. Last week, on or about December 8, FireEye, a leading cybersecurity company, was attacked, and their response to the incident has been an example of care, response and collaboration for organizations around the world; see FireEye's post here.
This shows us once again that we do not have the capability to deal with every attack, and that we must improve our ability to manage the unknown and uncertainty, no matter how skilled in cybersecurity we may be.
In this post we are going to share some insight based on the little information that has been shared so far, trying to understand what worked and what went wrong.
The attack vector used is the big novelty, although it has been a concern of the cybersecurity industry for many years: the relationship with third parties and vendor management has always been part of standards and best practices.
In short, what happened is that the companies affected in this operation installed software containing malicious code, which allowed the attackers to take remote control of the computers on which the software was installed.
Up to this point the operation does not look so sophisticated, but here the tricky part begins: the software used to reach these accounts is network management software (NMS) from the manufacturer SolarWinds, which has a significant deployment reaching more than 300,000 customers. The software was signed and published in the vendor's own repository for software downloads, so we can reasonably infer that the attackers managed to introduce the malicious code through the version control tools or through the developers themselves.
The expected response from SolarWinds should be on par with that of FireEye, but we were left with the bitter taste that the investigations have not been that deep so far. I am not going to analyze the response in depth, but I am sharing it with you for reference.
There is a reason for focusing efforts on accessing an organization through NMS software. This type of solution has access to the largest number of services in the network, because it monitors service availability through passive and active monitoring. Although in secure network architectures these systems are separated into their own security zones, their bidirectional access and communication make them the best place from which to perform lateral movement in an attack.
I will summarize the attack up to this point and conclude, for each player, the things that worked and the things that failed.
| | Supplier | Attacked |
|---|---|---|
| Controls | | Detection: the detection capabilities were successful in identifying the operation. |
| Vulnerabilities | Source Code Protection: there are no tamper-proof controls over the code, and the changes were accepted without anyone realizing that unauthorized pieces of software had been introduced. Secure Software Release Process: no additional code validations were performed before releasing the authorized software. | Installation of Authorized Software: the installation process for authorized software does not include an evaluation of the software's behavior. Network Architecture: by definition, communication from monitoring networks or servers to the outside should not be accepted. |
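As an added example of the "Network Architecture" control above (not code from the original post), the following Python check reads constructed firewall log lines and flags connections that were allowed from an NMS server to any destination outside the networks it is supposed to monitor. The NMS address, the monitored range and the log line format are assumptions.

```python
import ipaddress

# Constructed sample firewall log lines (not from the page):
# timestamp  source  destination  dst_port  action
SAMPLE_LOG = """\
2020-12-13T02:14:05Z 10.20.5.10 10.20.1.25 161 ALLOW
2020-12-13T02:14:07Z 10.20.5.10 10.20.3.40 443 ALLOW
2020-12-13T02:14:09Z 10.20.5.10 203.0.113.77 443 ALLOW
2020-12-13T02:14:11Z 10.20.7.51 198.51.100.9 443 ALLOW
2020-12-13T02:14:13Z 10.20.5.10 192.0.2.200 53 ALLOW
2020-12-13T02:14:15Z 10.20.5.10 10.20.9.9 22 DENY
"""

# Assumed addresses: the NMS server and the internal range it is permitted to monitor.
NMS_HOSTS = {ipaddress.ip_address("10.20.5.10")}
MONITORED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Split one log line into a dict with typed IP addresses and port."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "action": action}


def is_permitted_destination(dst, allowed_nets):
    """True when the destination lies inside one of the monitored networks."""
    return any(dst in net for net in allowed_nets)


def find_nms_egress(log_text, nms_hosts=NMS_HOSTS, allowed_nets=MONITORED_NETS):
    """Return ALLOWed connections from an NMS host to a destination outside its monitored networks."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["src"] not in nms_hosts or ev["action"] != "ALLOW":
            continue  # not an NMS host, or the firewall already blocked it
        if not is_permitted_destination(ev["dst"], allowed_nets):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in find_nms_egress(SAMPLE_LOG):
        print(f"{f['ts']} NMS {f['src']} -> {f['dst']}:{f['port']} outside monitored networks")
```

On the sample data this reports the two connections from the NMS host to 203.0.113.77 and 192.0.2.200; the denied connection and the non-NMS source are ignored.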
Who is behind the attack?
The operation has already been linked to the Cozy Bear group. Below is a description of this group.
There is talk of an espionage operation between countries. The APT29 group is carrying out this operation for the government of the Russian Federation; its scope and motivations are still unknown, but so far FireEye is not the only one affected by the operation: Microsoft has already reported being affected, as have several government entities. This is just the beginning!
From our CSVD® (Center for Security and Digital Surveillance) we have shared Security Intelligence in more detail to address this threat.