The SolarWinds Saga Continues: Microsoft Estimates 1000 Developers Rewrote Code for the Attack

By Randy Becker, CISO & VP, Network and Security Consulting

SolarWinds, Solorigate, Sunburst, Teardrop, Sunspot, Raindrop… will it ever end? (Check out Microsoft’s deep dive for a comprehensive summary.) The breach was even the lead story on 60 Minutes, with Microsoft President Brad Smith and FireEye CEO Kevin Mandia interviewed.

In particular, Brad Smith gave some eye-opening statements communicating the sheer scale of the breach:

“I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”

Smith also said Microsoft hired 500 engineers to dig into the attack. They estimate that over 1,000 engineers/developers/“hackers” worked on this attack. Where do you find 1,000 hackers!? More than 4,000 lines of code were added to the application without detection. The methods used to pull this off were ingenious.

He also said the supply chain attack "exposes the secrets potentially of the United States and other governments as well as private companies. I don't think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands."

Does our current cybersecurity strategy need to change? Are we doing enough to protect our critical infrastructure? What is next? Is there anything we can do?

FireEye was the first company to detect this supply chain attack, following its own breach in which the tools it uses for red team penetration testing (its intellectual property) were stolen; FireEye first shared the information on 12/8/2020.

This will not be the last of these types of attacks and a lot of the recommendations made to secure and harden an environment that uses SolarWinds can apply to organizations that use any type of monitoring and management tools. SolarWinds Orion was strategically chosen because of the type of application it is, the type of access it has to critical systems on the network, and its large customer footprint. The same thing could happen to any application of this nature.

CISA continues to update through Alert AA20-352A https://us-cert.cisa.gov/ncas/alerts/aa20-352a, which was last revised on 2/8/2021. Any IT or security professional should thoroughly review the Alert, especially the Mitigations section; it provides lots of recommendations that anyone can implement to further harden and protect their environment. Being able to see exactly what is being exploited gives you an opportunity to be proactive.

Here is another great (detailed!) blog from Microsoft that provides guidance for incident responders on recovery from systemic identity compromises. It also includes IOCs, guidance on how to harden your infrastructure and begin to recover from this attack, and lessons learned from incident response for on-premises and cloud environments.

As always, if you have any questions or need help securing your business, please reach out to your GreenPages Account Executive or contact us.


Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation.
