In this webinar we explain why the SolarWinds attack is different from all known scenarios and how to protect your company or manufacturing site from it. Act fast, be aware!
2021/0/15 - SolarWinds supply chain attack: why we should take it seriously
1. SolarWinds supply chain attack: why we should take it seriously
Analysis, discussion and mitigation
By Patrick Coomans (Agoria, Sirris) and Tatiana Galibus (Sirris)
3. The story of SunBurst: global intrusion campaign
▪ When? Activity can be traced from October 2019 to June 2020; it was detected in December.
▪ How? Through a normal update of SolarWinds Orion, an IT management software product.
▪ Who is affected? 18 000 companies: government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.
▪ …and Belgium too
▪ What can it do? Surveillance and arbitrary code execution.
4. 3 key takeaways
➢ Is it possible to keep track of new attack types?
➢ How do we provide supply chain security?
➢ Why is it crucial to keep logs and information for a long time?
5. How does it work?
▪ The source code was modified and the original coding style was mimicked.
▪ SUNSPOT is used to insert the SUNBURST backdoor into the Orion build by hijacking the MsBuild.exe process.
▪ The target source file is modified just before the compiler reads it.
▪ Hides by obfuscation.
▪ SolarWinds.Orion.Core.BusinessLayer.dll is the trojanized component that carries the malware.
▪ DNS beaconing to Command and Control.
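The last bullet, DNS beaconing to the C2, is one of the few network-visible behaviours a defender can hunt for in existing DNS logs. The following is an added example, not from the deck and not a SolarWinds or FireEye tool: it scores each (client, parent domain) pair in a constructed query log on two properties typical of a beacon, evenly spaced queries and many distinct high-entropy subdomain labels. The log format, the thresholds and the domain `c2-example.invalid` are all assumptions made for the example.

```python
"""Flag DNS beaconing candidates in a constructed query log.

Heuristic (an added example, not the deck's or any vendor's logic):
a client that queries one parent domain on a near-fixed interval, using
a different high-entropy leftmost label each time, looks like a backdoor
polling its C2 and encoding data in the label.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "<ISO timestamp> <client> <name>".
# Client 10.0.5.21 polls every ~30 minutes with random-looking labels;
# client 10.0.5.22 browses normal hostnames at irregular times.
SAMPLE_LOG = """\
2020-12-13T08:00:00 10.0.5.21 k3vq9wlz2p7e8dnr4xgt.appsync-api.c2-example.invalid
2020-12-13T08:30:01 10.0.5.21 p0rt7ea2v9lmz6wk3qxh.appsync-api.c2-example.invalid
2020-12-13T09:00:00 10.0.5.21 m8ybnz1kq4gs7tvc2ewj.appsync-api.c2-example.invalid
2020-12-13T09:29:59 10.0.5.21 z5hrq7ec8nl2wtpk4bvs.appsync-api.c2-example.invalid
2020-12-13T10:00:01 10.0.5.21 x2wfj6kd9sbq0rlv4ymt.appsync-api.c2-example.invalid
2020-12-13T08:03:12 10.0.5.22 www.example.com
2020-12-13T08:41:55 10.0.5.22 mail.example.com
2020-12-13T09:17:03 10.0.5.22 www.example.com
2020-12-13T09:55:40 10.0.5.22 cdn.example.com
2020-12-13T10:02:27 10.0.5.22 www.example.com
"""


def shannon_entropy(label):
    """Bits per character of a DNS label; 0.0 for an empty or single-char alphabet."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parent_domain(name):
    """Assumption: the last two labels identify the registrable domain."""
    return ".".join(name.split(".")[-2:])


def parse_log(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, name = line.split()
        events.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return events


def find_beacons(lines, min_queries=4, max_cv=0.2, min_entropy=3.0):
    """Return (client, domain) pairs whose queries are periodic and high-entropy.

    max_cv: coefficient of variation (stdev / mean) of the gaps between queries.
    min_entropy: mean Shannon entropy of the leftmost label. Both are assumed
    thresholds for the example and would be tuned on real traffic.
    """
    groups = defaultdict(list)
    for ts, client, name in parse_log(lines):
        groups[(client, parent_domain(name))].append((ts, name.split(".")[0]))

    hits = []
    for (client, domain), queries in groups.items():
        if len(queries) < min_queries:
            continue
        queries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        entropy = statistics.mean(shannon_entropy(label) for _, label in queries)
        if cv <= max_cv and entropy >= min_entropy:
            hits.append({
                "client": client,
                "domain": domain,
                "queries": len(queries),
                "interval_cv": round(cv, 3),
                "label_entropy": round(entropy, 2),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the first client is reported: its query gaps are all within a few seconds of 30 minutes and its labels carry over 4 bits per character, whereas the browsing client fails both tests. This is why slide 11's advice to keep logs for a long time matters: a beacon with a 30-minute period needs hours of retained DNS data before the regularity becomes measurable at all.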
7. How to detect it? FireEye recommendations
❖ YARA rules to detect TEARDROP
❖ Querying internet-wide scan data sources for an organization's hostnames
❖ Impossible rate of travel if a compromised account is being used
❖ LogonTracker module to graph all logon activity
❖ Monitor existing scheduled tasks for temporary updates
❖ The campaign is also tracked as StellarParticle
8. Official recommendations: https://www.solarwinds.com/securityadvisory
➢ Versions affected:
Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, version 2020.2.5300.12432
Orion Platform 2020.2 HF1, version 2020.2.5300.12432
➢ Incidents of Security Assertion Markup Language (SAML) token abuse consistent with this attack have been observed in environments with no SolarWinds instances at all. Follow up on the updates!
➢ If SAML abuse is identified, simply mitigating individual issues, systems, servers or accounts will not lead to the adversary's removal from the network. In such cases, organizations should consider the entire identity trust store as compromised.
9. Tools to identify infiltration: https://us-cert.cisa.gov/ncas/alerts/aa20-352a
• Sparrow.ps1 helps detect possibly compromised accounts and applications in the Azure/M365 environment. Sparrow focuses on identity- and authentication-based attacks: https://github.com/cisagov/Sparrow
• Look for impossible logins, long SAML token validity, tokens with the same creation and use timestamp, and tokens with missing MFA details.
• Check the public list of Indicators of Compromise (malicious domains, IPv4 addresses or hashes).
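The identity checks named on slides 7 and 9 (impossible rate of travel, long SAML token validity, a token used at the instant it was created, and missing MFA) are simple enough to express directly. The block below is an added example, not Sparrow.ps1 and not code from the deck or from CISA: it applies those four heuristics to a small constructed set of sign-in records. The record fields, the 900 km/h travel limit and the one-hour validity threshold are assumptions chosen for the example; real token lifetimes and field names depend on the identity provider.

```python
"""Apply four identity-abuse heuristics to constructed sign-in records.

Added example (not Sparrow.ps1, not the deck's code). Each record models
one federated sign-in with the SAML token's issue and expiry time, the
time and place the token was presented, and whether MFA was recorded.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records. alice's second sign-in shows every red flag at once;
# bob's two sign-ins are a normal Brussels-to-London working day.
SIGNINS = [
    {"user": "alice", "used_at": "2020-12-14T09:00:00", "lat": 50.85, "lon": 4.35,
     "issued_at": "2020-12-14T08:59:40", "expires_at": "2020-12-14T09:59:40", "mfa": True},
    {"user": "alice", "used_at": "2020-12-14T09:40:00", "lat": 37.77, "lon": -122.42,
     "issued_at": "2020-12-14T09:40:00", "expires_at": "2021-12-14T09:40:00", "mfa": False},
    {"user": "bob", "used_at": "2020-12-14T10:00:00", "lat": 50.85, "lon": 4.35,
     "issued_at": "2020-12-14T09:59:30", "expires_at": "2020-12-14T10:59:30", "mfa": True},
    {"user": "bob", "used_at": "2020-12-14T16:00:00", "lat": 51.51, "lon": -0.13,
     "issued_at": "2020-12-14T15:59:50", "expires_at": "2020-12-14T16:59:50", "mfa": True},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(records, max_kmh=900.0, max_validity=timedelta(hours=1)):
    """Return (user, used_at, finding) tuples.

    max_kmh: fastest plausible travel speed (assumed; roughly airliner speed).
    max_validity: longest token lifetime considered normal (assumed).
    """
    findings = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["used_at"])
        prev = None
        for rec in recs:
            used = datetime.fromisoformat(rec["used_at"])
            issued = datetime.fromisoformat(rec["issued_at"])
            expires = datetime.fromisoformat(rec["expires_at"])

            # Forged tokens are often minted with an unusually long lifetime.
            if expires - issued > max_validity:
                findings.append((user, rec["used_at"], "long_token_validity"))
            # A token presented in the very second it was issued skips the
            # normal issue-then-redirect round trip through the IdP.
            if issued == used:
                findings.append((user, rec["used_at"], "token_used_at_issuance"))
            # Tokens asserting a strong sign-in should carry MFA details.
            if not rec.get("mfa"):
                findings.append((user, rec["used_at"], "missing_mfa"))
            # Impossible rate of travel between consecutive sign-ins.
            if prev is not None:
                hours = (used - datetime.fromisoformat(prev["used_at"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
                if km > 0 and (hours == 0 or km / hours > max_kmh):
                    findings.append((user, rec["used_at"], "impossible_travel"))
            prev = rec
    return findings


if __name__ == "__main__":
    for finding in analyze(SIGNINS):
        print(*finding)
```

Running it reports four findings, all against alice's second sign-in: Brussels to San Francisco in forty minutes, a token valid for a year, a token used in the same second it was issued, and no MFA claim. As slide 8 says, one such hit is reason to treat the whole identity trust store as suspect rather than to reset only that account.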
10. Immediate mitigations
▪ Upgrade to Orion Platform release 2020.2.1 HF 1.
▪ Ensure that SolarWinds servers are isolated / contained.
▪ If the SolarWinds infrastructure is not isolated, restrict the scope of connectivity and admin accounts, and block outbound traffic for endpoints with SolarWinds software.
▪ Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure.
▪ Consider a review of network configurations if Orion management software was used.
▪ Review federation trusts, OAuth applications and service principal credentials: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
11. Lessons learnt
▪ Diligently performing updates improves security? Not always!
▪ The most high-profile victim is the US government: no one is protected from highly sophisticated attacks.
▪ One of the biggest cyber-attacks ever: removing it is highly complex and challenging.
▪ Be aware, stay informed, keep the logs.
22. How can Sirris/Agoria help you?
Contact us for a free 1hr intake.
Opt for a collective workshop to strengthen solid foundations.
Choose a 1- or 2-day orienting advice in order to take advantage of our expertise combining both manufacturing and IT technology.
Are you protected or dangerously exposed?
23. Roadmap to cyber security
▪ Free 1hr intake
▪ Collective initiatives
▪ Master class
▪ Learning network
▪ Orienting advice
▪ Maturity level
▪ Security scan
▪ Action plan
24. Upcoming events: Sirris+Agoria
▪ Master Class Cyber Security in 30 Steps, Jan 20th, 2021
  ▪ Internal IT Security, Basic Cyber Resilience, Cyber Hygiene
  ▪ Kick-off 20/01, then 3 sessions on 27/01, 10/02 and 10/03.
▪ Master Class Security for Digital Service Builders, Jan 26th and Feb 2nd, 2021
  ▪ DevSecOps, AppSec, OWASP, security pipeline
  ▪ 2 half-days, 8:30-12:00
▪ Learning Network Security in Manufacturing, Q2 2021
  ▪ Demand-driven topics: anomalies in OT, changing perception of security as a cost
▪ Webinar: Trusted Mobile Apps, Feb 2021
▪ Webinar: OT security in Manufacturing, Feb 2021
▪ Webinar: Cyber security in digital services, March 2021
▪ Thematic Event: CS meets Manufacturing, Q1 2021