SolarWinds Orion is an infrastructure monitoring and management platform designed to simplify IT administration through a single view of the IT stack. It also manages security and is linked to all core IT infrastructure in an organisation running it.
Orion was a safe and secure product that was used by over 18,000 users at governments and large enterprises. That was, until it was breached and misappropriated by hackers.
What happened?
The initial access to SolarWinds came through external remote access services, using a combination of password guessing and password spraying against insecure administrator credentials.
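The initial-access technique named above, password spraying against externally exposed remote access services, is something a defender can look for in authentication logs. The following detector is an added example, not code from the original post or from SolarWinds: it reads a constructed, simplified log format (timestamp, result, user, source IP), and separates spraying (one source failing against many distinct accounts) from ordinary brute force (one source failing repeatedly against one account), and flags a successful login from a source already seen failing. The log lines, thresholds and window size are assumptions for illustration; real sources such as VPN, RADIUS or Windows logon events carry the same fields under other names.

```python
"""Flag password spraying and brute force in authentication logs.

Added example (not from the original post). The log format is a constructed,
simplified one: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries many accounts once each (spraying),
# another hammers a single account (brute force), and one user simply mistypes
# a password once before logging in (benign).
SAMPLE_LOG = """\
2020-12-01T08:00:01Z FAIL user=alice src=203.0.113.7
2020-12-01T08:00:03Z FAIL user=bob src=203.0.113.7
2020-12-01T08:00:05Z FAIL user=carol src=203.0.113.7
2020-12-01T08:00:07Z FAIL user=dave src=203.0.113.7
2020-12-01T08:00:09Z FAIL user=erin src=203.0.113.7
2020-12-01T08:00:11Z OK user=frank src=203.0.113.7
2020-12-01T08:01:00Z FAIL user=admin src=198.51.100.9
2020-12-01T08:01:01Z FAIL user=admin src=198.51.100.9
2020-12-01T08:01:02Z FAIL user=admin src=198.51.100.9
2020-12-01T08:01:03Z FAIL user=admin src=198.51.100.9
2020-12-01T08:01:04Z FAIL user=admin src=198.51.100.9
2020-12-01T08:05:00Z FAIL user=grace src=192.0.2.44
2020-12-01T08:05:20Z OK user=grace src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Return {src: {"spray": bool, "brute": bool, "success_after_fail": bool}}.

    spray:  at least min_users distinct accounts failed from one source within window
    brute:  at least min_attempts failures against one account from one source within window
    success_after_fail: a later successful login from a source already flagged
    Thresholds and window are illustrative assumptions, not tuned values.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)  # src -> [(ts, user), ...] inside the window
    findings = {}
    for e in events:
        src = e["src"]
        if e["ok"]:
            # A success from a source we already flagged is the interesting case:
            # the spray or brute-force attempt may have found working credentials.
            if src in findings:
                findings[src]["success_after_fail"] = True
            continue
        recent_fails[src].append((e["ts"], e["user"]))
        cutoff = e["ts"] - window
        recent_fails[src] = [(t, u) for t, u in recent_fails[src] if t >= cutoff]
        per_user = defaultdict(int)
        for _, u in recent_fails[src]:
            per_user[u] += 1
        spray = len(per_user) >= min_users
        brute = max(per_user.values()) >= min_attempts
        if spray or brute:
            f = findings.setdefault(
                src, {"spray": False, "brute": False, "success_after_fail": False}
            )
            f["spray"] = f["spray"] or spray
            f["brute"] = f["brute"] or brute
    return findings


if __name__ == "__main__":
    for src, flags in detect(SAMPLE_LOG).items():
        print(src, flags)
```

The distinction matters for response: a per-account lockout policy stops the brute-force pattern but does nothing against spraying, which stays under the lockout threshold for every account it touches, so the source-level view (many accounts, few attempts each) is the one worth alerting on.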
Once they gained access to the internal network or cloud services, the hackers held administrator rights that gave them access to all local and cloud resources. With this access, they injected their code into the build systems, leaving the source code untouched.
Any one of the 18,000 users who applied these patches was then infected with the Sunspot malware, which inserted the Sunburst backdoor code into affected systems. It is known that all patches between March 2019 and December 2020 had the actors’ code attached.
Its sophisticated design made it very hard to detect. Since Orion is a security product, it was also not scanned by malware checkers due to false positives.
A joint statement from the FBI, ODNI, NSA, and CISA said that Russia was likely responsible for the attack. It was also believed to be an “intelligence gathering effort”.
The larger implications
Digital security systems are particularly vulnerable to this type of attack. This is because they use the IT infrastructure to link monitoring and management tools to the CCTV and access control infrastructure in the facilities.
Given the nature of the infrastructure used, it is common that:
- Systems are installed to stay in place for decades.
- They allow access to business networks.
- Security on devices is typically weak (e.g. default passwords or passwords shared between devices, no 2FA, etc.).
- They get infrequent patching once installed, if ever.
When you consider all of these weaknesses, any part of a physical security network could be infected with a trojan or malware without anyone’s knowledge. This network is then typically monitored by tools like SolarWinds.
As the SolarWinds attack demonstrated, the ability to go undetected enables malware to burrow deeper into a network and cause more damage. When you add poor security practices to the mix, it creates a perfect vector for such an attack.
A valuable lesson
The attack on SolarWinds highlights how security has to be part of IT design and not an afterthought. Constant vigilance is also required to stay safe.
Don’t wait until your network is breached to start protecting yourself. Find out how our 5 day penetration testing package can help you uncover vulnerabilities and safeguard against these threats for as little as $9,000 + GST.