CYBERSECURITY
Is there a trojan on your network? The SolarWinds attack has wreaked havoc across thousands of organisations, writes Planit Software Testing’s Dave Withers APP, and electronic physical security systems are particularly vulnerable to it.
US Government departments are among the 18,000 enterprise customers affected by a serious supply chain attack using the SolarWinds Orion Product. Does anyone you connect your systems to use it?
David Withers APP is a Security Consultant with experience in large CCTV installations. He has also worked for over 20 years in Quality Assurance. As a Shadow Committee member of the ASIS NZ Chapter, David establishes and supports Auckland-based ASIS certification study groups.
NZSM
“An Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” read a 05 January joint statement from the FBI, ODNI, NSA, and CISA. “At this time, we believe this was, and continues to be, an intelligence gathering effort.”

“CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations,” the US Cybersecurity and Infrastructure Security Agency (CISA) recently reported. “An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked.”
The SolarWinds Orion Product is an infrastructure monitoring and management platform designed to simplify IT administration, giving users a single view of the IT stack. It manages security and is linked to all core IT infrastructure in the organisations that run it. Governments and large enterprises are among its users. Given its deep integration into such organisations, it was the perfect trojan to spread tools for gaining access to systems, including cloud servers, at a wide array of organisations.

How did it happen? The initial access to SolarWinds used external remote access services, employing password guessing, password spraying, and the use of insecure administrator credentials. Once the actor had gained access to internal networks or cloud services, it obtained administrator rights that gave it access to all resources, local or cloud. With this access it injected its code into the build systems, leaving the source code untouched. It is known that all patches between March 2019 and December 2020 had the actor’s code attached. Any of the 18,000 customers who applied these patches were then infected with the Sunspot malware, which inserts the Sunburst backdoor code into affected systems.
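Password spraying, one of the initial-access techniques named above, is easy to miss because no single account accumulates enough failures to trigger lockout. The detector below is an added example written for this article (not SolarWinds code or anything from the official advisories); it assumes a simple constructed syslog-like line format and flags any source address whose failed logins cover many distinct usernames inside a short window, then lists the accounts that source went on to log into successfully.

```python
"""Password-spray detection over constructed auth log lines. Spraying tries a
few passwords against MANY accounts, so per-account lockouts never trip; the
signal is one source failing against many distinct users in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format (not real data).
SAMPLE_LOG = """\
2021-01-05T02:00:01Z auth FAIL user=alice src=203.0.113.7
2021-01-05T02:00:03Z auth FAIL user=bob src=203.0.113.7
2021-01-05T02:00:05Z auth FAIL user=carol src=203.0.113.7
2021-01-05T02:00:07Z auth FAIL user=dave src=203.0.113.7
2021-01-05T02:00:11Z auth OK user=frank src=203.0.113.7
2021-01-05T02:10:00Z auth FAIL user=alice src=198.51.100.4
2021-01-05T02:10:02Z auth FAIL user=alice src=198.51.100.4
2021-01-05T02:10:04Z auth FAIL user=alice src=198.51.100.4
2021-01-05T03:30:00Z auth FAIL user=grace src=192.0.2.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<res>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src); non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["res"], m["user"], m["src"]

def detect_spray(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {src: {"sprayed": [...], "succeeded": [...]}} for each source whose
    failures cover >= min_users distinct accounts inside one sliding window;
    'succeeded' lists accounts that source then logged into (likely compromised)."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, u) for ts, res, u, _ in events if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                since = fails[start][0]
                ok = sorted({u for ts, res, u, _ in events if res == "OK" and ts >= since})
                alerts[src] = {"sprayed": sorted(users), "succeeded": ok}
                break
    return alerts
```

In the constructed sample, 203.0.113.7 fails against four different accounts in six seconds and then logs in as frank, which is the pattern to investigate, while 198.51.100.4 is a plain brute force against one account and is left to per-account lockout.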
February/March 2021