SolarWinds ORION Breach

Credit - Joan Gamell

As we continue to learn more about the recent SolarWinds Orion supply-chain attack conducted by nation-state actors, and subsequent targeting of private and government sector organizations, Critical Path Security felt it imperative to share some guidance on what we are tracking. This guidance reflects information from industry counterparts as well as recommendations derived from internal experience.

At this moment, roughly 18,000 organizations around the world have downloaded Orion network management software updates that contain a backdoor built into the SolarWinds Orion product itself.

The disclosure from Austin, Texas-based SolarWinds came a day after the US government revealed a major breach hitting federal agencies and private companies. The US Treasury, Commerce, and Homeland Security departments were among the federal agencies whose email and other sensitive information was exposed to the attackers.

The backdoor infected customers who installed an Orion update released between March and June 2020. The backdoor “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” stated SolarWinds. In other words, the signed update customers received was legitimately built and signed by SolarWinds; the malicious code was inserted during the build, not in the source tree.

This is most concerning because an Orion deployment typically has very privileged access to critical portions of the network infrastructure. To monitor and manage devices it stores credentials for them (SNMP community strings, WMI and SSH accounts, and frequently domain service accounts), and it can usually reach every management interface on the network. In many ways, you can think of the Orion server as holding the keys to your network: whoever controls it inherits that access.

FireEye has made the following statements: “FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via compromised updates to SolarWinds’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly-skilled actor and the operation was conducted with significant operational security.”

This continues as Microsoft has shared that, once inside, the attackers obtained the victim’s SAML token-signing certificate, which allowed them to impersonate any of a target’s existing users and accounts by forging SAML tokens. SAML is the XML-based standard that identity providers use to pass authentication and authorization assertions to service providers; a relying party accepts any assertion signed by the certificate it has been configured to trust, so possession of that certificate is equivalent to possession of every identity it vouches for.

Microsoft has described the attack pattern as follows:

An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.

An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.

Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.

Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
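The third point above is the hard one: a forged token carries a valid signature from a certificate the service already trusts, so signature validation alone will not catch it. What does catch it is correlation and policy: an assertion that the identity provider never recorded issuing, or whose validity window is far longer than the IdP would ever mint, is forged regardless of how good the signature looks. The following triage script is an added example written for this article; it is not code from Microsoft, SolarWinds or Critical Path Security. It assumes you know the thumbprint(s) of your legitimate token-signing certificate(s) and can export the set of assertion IDs your IdP actually issued (for AD FS, the token-issuance audit events). The SAML assertions, certificate bytes and issuance log below are constructed test data, not captured traffic.

```python
"""Triage SAML assertions for signs of forgery with a stolen token-signing certificate.

Added example; not vendor code. Assumes an allow-list of trusted signing-cert thumbprints
and an export of assertion IDs the IdP really issued. All sample data is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the organisation's token-signing certificate (not a real X.509 blob).
SIGNING_CERT_B64 = base64.b64encode(b"constructed-token-signing-cert").decode()
ISSUER = "http://sts.example.com/adfs/services/trust"   # hypothetical IdP entity ID


def cert_thumbprint(cert_b64):
    """SHA-1 thumbprint of a base64 DER certificate, the form AD FS and Azure AD display."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def _ts(value):
    """Parse the UTC 'Z' timestamps used in SAML Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_assertion(xml_text, trusted_thumbprints, idp_issued_ids, expected_issuer,
                      max_lifetime=timedelta(hours=1)):
    """Return a list of findings for one assertion; an empty list means nothing anomalous."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a samlp:Response wrapping one.
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    findings = []

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"unexpected issuer {issuer!r}")

    cert = assertion.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("no signing certificate embedded in assertion")
    elif cert_thumbprint(cert) not in trusted_thumbprints:
        findings.append(f"signed by untrusted certificate {cert_thumbprint(cert)}")

    # Forgers commonly mint long-lived tokens; the IdP's own policy is the baseline.
    cond = assertion.find("saml:Conditions", namespaces=NS)
    lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")

    # The decisive check: a token the IdP never logged issuing was signed somewhere else.
    if assertion.get("ID") not in idp_issued_ids:
        findings.append(f"assertion {assertion.get('ID')} has no matching IdP issuance event")

    return findings


def _assertion(assertion_id, subject, not_before, not_on_or_after):
    """Build a constructed, minimally shaped SAML 2.0 assertion for testing."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SIGNING_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


TRUSTED = {cert_thumbprint(SIGNING_CERT_B64)}
IDP_ISSUED = {"_legit-0001"}   # constructed export of assertion IDs the IdP actually issued

# Legitimate one-hour token that the IdP logged.
LEGIT = _assertion("_legit-0001", "jdoe@example.com",
                   "2020-12-14T10:00:00Z", "2020-12-14T11:00:00Z")
# Forged with the stolen, still-trusted certificate: same issuer and cert, but a 24-hour
# lifetime and no corresponding issuance event. The signature check alone passes.
FORGED = _assertion("_forged-9999", "globaladmin@example.com",
                    "2020-12-14T10:00:00Z", "2020-12-15T10:00:00Z")

if __name__ == "__main__":
    for label, token in (("legit", LEGIT), ("forged", FORGED)):
        print(label, analyze_assertion(token, TRUSTED, IDP_ISSUED, ISSUER) or "clean")
```

Note that the forged token produces no "untrusted certificate" finding at all, which is exactly Microsoft's warning: the thumbprint allow-list is still worth keeping for the case where an attacker registers a second signing certificate, but the findings that actually expose a stolen-certificate forgery are the lifetime and the missing issuance event. In production the `idp_issued_ids` set comes from your IdP's audit log, and the assertions come from the relying parties (cloud sign-in logs, on-premises federation logs), so the correlation has to join two data sources.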

It is fair to reinforce that software supply-chain attacks are among the hardest to counter because they ride on software that is already trusted, already signed, and widely distributed; the victim's own patching discipline delivers the payload. There have been several successful attacks on the trusted-distribution model over the past decades, and this one will not be the last.

With roughly 18,000 organizations having installed the backdoored update, the full ramifications are not yet known; downloading the update made a network reachable to the actor, and which of those footholds were then actually used is what each organization now has to determine. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (Emergency Directive 21-01) instructing federal agencies that use SolarWinds Orion products to analyze their networks for signs of compromise.

This problem is compounded because the immediate remediation step is to disconnect or power down the Orion platform. This effectively means that network operations teams will be flying blind until the issue is resolved, and resolving it will likely require a complete rebuild of the SolarWinds environment rather than a patch, since the host and every credential it held must be treated as compromised.

To combat this unanticipated side effect, the Léargas platform can be used to collect and visualize SNMP and other telemetry from network devices. No specific configuration is required: if the traffic traverses a network segment where Léargas has been given visibility, the built-in protocol analyzers will collect and visualize the data and can provide alerts.

Lastly, Critical Path Security has shared Indicators of Compromise (IOCs) and signatures to detect and respond to these events with our customers. If you are a Managed Security or Léargas subscriber, these detections have been deployed to your environment.

In full disclosure, this document contains data collected from various resources and we appreciate the collaboration between our partners in the information security community.