We were supposed to be winding down for the holidays. Then again, maybe we suspected that 2020 had one last gut-punch for us. Thanks, ‘SUNBURST’.
‘SUNBURST’ is FireEye’s name for the backdoor at the centre of the recent cyber attack that has government agencies scrambling, carried out by an as-yet unidentified actor FireEye tracks as ‘UNC2452’. FireEye, with barely contained awe, has described what it uncovered as “...some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust.” FireEye’s full blog post is here, and its GitHub repository of detection rules and countermeasures is here. FireEye’s transparency and urgency in sharing what it had discovered has earned plaudits in the cybersecurity community.
FireEye was the first to detect the compromise, in its own network. Once it had traced the intrusion to a trojanized SolarWinds Orion software update, it became clear that this was a big one. Why? Because that same update went out to SolarWinds customers through the normal update channel; SolarWinds has estimated that fewer than 18,000 customers installed it, and they include several top US federal agencies.
It’s a nefarious, evil-genius level attack. The way in was a classic Trojan Horse: a legitimately signed vendor update that carried a backdoor. Once inside, the attackers were subtle, sitting quietly within the tech stack and taking their time to learn which credentials opened the door to critical information. Having identified their targets and a path to them, they moved using the same legitimate credentials and administrative operations that make the software useful in the first place, so the activity looked like routine operations. It’s ‘the butler did it’, except that the butler was possessed.
FireEye has characterized this as a Software Supply Chain (SSC) attack. I’ve written about this problem previously with regard to open source software, but SaaS sprawl is turning it into a bigger issue. SolarWinds Orion is broad IT management software: it sits inside the network with privileged access to the systems it monitors, which is exactly the vantage point an attacker wants for discovering credentials. IT has to keep its security and risk management in line with every new vendor that makes up that SaaS ecosystem. Is each vendor doing everything it can to detect and fix vulnerabilities, including in its own build and release pipeline? Do you trust that new update? (Speaking of which, SolarWinds is urging customers to install its latest, presumably clean, update for the compromised Orion Platform software.)
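The uncomfortable answer to “do you trust that new update?” is that the usual checks pass. Because the vendor’s own build pipeline produced the backdoored file, the vendor’s published hashes and code signature vouch for it; what actually flags it is a third-party list of known-bad hashes such as the indicators FireEye published. The script below, an added example that is not from the original post and not SolarWinds or FireEye code, shows both checks side by side on a constructed install tree. The file contents, file names, the ‘vendor manifest’ and the ‘known-bad’ set are all constructed stand-ins, not real Orion files or real SUNBURST hashes.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample contents standing in for a clean and a backdoored build
# artifact. NOT real SolarWinds files and NOT real SUNBURST hashes.
CLEAN_BYTES = b"MZ...BusinessLayer clean build (constructed sample)"
TROJAN_BYTES = b"MZ...BusinessLayer build with injected backdoor class (constructed sample)"


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large installers don't land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, vendor_manifest: dict, known_bad: set) -> dict:
    """Hash every file under root and check it two ways.

    vendor_manifest: {relative path: sha256} as the vendor publishes it
                     (this is what the vendor's signature effectively asserts).
    known_bad:       sha256 digests reported as malicious by a third party
                     (an indicator-of-compromise list).
    Returns {relative path: {sha256, matches_vendor_manifest, matches_known_bad}}.
    """
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        findings[rel] = {
            "sha256": digest,
            "matches_vendor_manifest": vendor_manifest.get(rel) == digest,
            "matches_known_bad": digest in known_bad,
        }
    return findings


def demo() -> dict:
    """Build a constructed install tree in a temp dir, scan it, clean up."""
    tmp = Path(tempfile.mkdtemp(prefix="orion-demo-"))
    try:
        (tmp / "Orion").mkdir()
        (tmp / "Orion" / "Clean.dll").write_bytes(CLEAN_BYTES)
        (tmp / "Orion" / "Trojanized.dll").write_bytes(TROJAN_BYTES)

        # The vendor's build pipeline was the thing compromised, so the
        # vendor's own manifest (and code-signing) vouches for BOTH files.
        vendor_manifest = {
            "Orion/Clean.dll": hashlib.sha256(CLEAN_BYTES).hexdigest(),
            "Orion/Trojanized.dll": hashlib.sha256(TROJAN_BYTES).hexdigest(),
        }
        # Only an external indicator list (here constructed) catches the bad one.
        known_bad = {hashlib.sha256(TROJAN_BYTES).hexdigest()}
        return scan_tree(tmp, vendor_manifest, known_bad)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for rel, f in demo().items():
        verdict = "KNOWN-BAD" if f["matches_known_bad"] else "no indicator match"
        print(f"{rel}: vendor-manifest-ok={f['matches_vendor_manifest']} {verdict}")
```

Run it and both files pass the vendor-manifest check while only the trojanized one trips the indicator list, which is the whole point: integrity checks rooted in the vendor’s trust answer “is this what the vendor shipped?”, not “is what the vendor shipped safe?”. The hash set is the simplest indicator type; in practice you would pair it with the behavioral detections (process, network) that a hash list alone cannot provide.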
In some ways, Christmas has come early for cybersecurity SaaS. Vendors are filling blog posts with all the ‘lessons learned’ which, strangely enough, are usually resolved by purchasing that vendor's particular threat detection tools. Paranoia pays, especially when that paranoia is justified.
What will this mean for cybersecurity in 2021? Will zero trust finally rise to prominence? Do we need more AI/ML tools to pick out the subtle differences between malicious behavior and the normal protocols it mimics? One of the scarier aspects of the FireEye hack is that FireEye’s own red team penetration-testing tools were stolen. If the adversary knows how we test our own defenses, innovation may be key.
As details of the attack continue to accumulate like all those holiday chocolates, one thing’s for sure: this won’t be the last we hear of the SolarWinds breach this season.