Solarwinds hack explained.

2020-2021 Solarwinds hack explained in details by a software engineer.

According to The Hill, President Biden said Thursday, February 4, 2021, that his administration is launching an “urgent initiative” to improve the nation’s cybersecurity, pointing to concerns around malign efforts by Russia and China. On December 13, 2020, Reuters broke the story that the Treasury Department had been compromised by sophisticated hackers, and afterwards numerous organizations confirmed the story. The Washington Post attributed the hack to Cozy Bear (Russia’s SVR). To understand the Solarwinds hack, you first need to understand what Solarwinds does.

What does Solarwinds do?

Solarwinds is a software company with numerous software offerings for systems management. These programs are primarily run by IT professionals at large institutions.

What does Solarwinds Orion NMS do?

Orion NMS (Network Management System) is Solarwinds’ most popular product and can manage and monitor a wide variety of devices, such as servers, desktops, laptops, and network devices.

Who uses Solarwinds?

The company has 300,000+ customers worldwide, including 425 of the US Fortune 500.

How did the hackers compromise Solarwinds systems, and why did the hack spread for so long without detection?

Since Solarwinds NMS has access to so many devices within an institution, and so many institutions use Solarwinds NMS, it is a prime target for hackers.

An NMS runs in one of two modes: monitoring only, or monitoring and managing. Many installations are configured to do both. So if the NMS is compromised, the attacker can do whatever the NMS can do.

According to Solarwinds’ SEC filing, hackers infiltrated as early as March 2020, and it took almost 9 months to detect the first instance of the hack. So why did it take so long to figure out, even though 425 of the Fortune 500 were using it?

The hackers compromised Solarwinds’ build server and added malware (named Sunburst) to the existing software during the build process, so the result was signed with Solarwinds’ digital signature. Once software carries the official signature, many anti-malware and anti-virus products accept its behavior as normal, because the anti-malware and anti-virus companies don’t know that Solarwinds’ signature has been compromised. This is still an evolving situation, and some argue that only the build process was compromised. (Either way, the digital signature became useless.)

The sophistication does not stop there. The malware was written to stay dormant for the first 15 days or so, so that anti-malware and anti-virus tools cannot associate the change in network patterns with the change in Solarwinds software version.

Not just that: the hackers made sure that the Sunburst malware’s outgoing traffic looked very similar to typical Solarwinds traffic. It seems the hackers’ goal was to stay in the infected systems as long as possible.

The story gets even crazier: before executing, the Sunburst malware checks that its address is not in a private IP range or in Microsoft’s IP ranges. It seems the hackers were aware that Microsoft has the capability to capture this kind of activity, so they made sure the malware does not connect to Microsoft IPs. Kudos to Microsoft.

What can you do to protect your institution against the Solarwinds hack?

The situation is still evolving, so the current best solution is to work with the Solarwinds help desk to resolve the threat. You can get the latest information through these Twitter hashtags:

  1. #SolarWinds
  2. #SolarWindsOrion
  3. #UNC2452
  4. #APT29
  5. #CozyBear
  6. #SunBurst

DHS guidelines against the Solarwinds hack

The Department of Homeland Security (DHS) has also issued guidelines. Here is a summary of the DHS guidelines:

  1. Take a memory and OS image of every instance hosting Solarwinds Orion NMS.
  2. Analyze unusual activity such as new users, service/app accounts, and privileges.
  3. Analyze unusual traffic such as new external DNS queries and other indicators of compromise.
  4. Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from your network. Future communication from CISA will clarify which version to install and how to obtain it securely.
  5. Block all traffic between hosts where Solarwinds Orion was installed and anything external to the enterprise.
  6. Identify and remove all threat actor-controlled accounts.
  7. After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed:
    1. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
    2. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
    3. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
    4. Take actions to remediate Kerberoasting, including, as necessary or appropriate, engaging a third party with experience eradicating APTs from enterprise networks.
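As an added example for step 4 (this is not code from the article, Solarwinds, or CISA), here is a small Python triage helper that parses Orion version strings, including the HF hotfix suffix, and flags hosts whose version falls inside the range quoted above. The inventory is constructed sample data, and the range is assumed to be inclusive on both ends; a version outside it is reported as outside the stated range, not as known safe.

```python
import re

# Affected range exactly as quoted in the DHS/CISA summary above
# (assumption: both ends inclusive).
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# "2020.2.1 HF1" -> numeric dotted part plus an optional HF<n> hotfix suffix
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn 'YYYY.m[.p] [HFn]' into a comparable (year, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # 2019.4 -> 2019.4.0
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (*parts, hotfix)


def is_in_affected_range(version: str) -> bool:
    """True when the version lies inside the quoted range.
    False means 'outside the stated range', not 'known safe'."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


# Constructed sample inventory (hostname -> Orion version reported by the host); not real data.
SAMPLE_INVENTORY = {
    "nms-01.example.internal": "2020.2.1 HF1",
    "nms-02.example.internal": "2019.4 HF5",
    "nms-03.example.internal": "2020.2.1 HF2",
    "nms-lab.example.internal": "2018.4",
}


def triage(inventory: dict) -> tuple:
    """Split hosts into (isolate_now, outside_stated_range), each sorted by name."""
    isolate, outside = [], []
    for host, version in inventory.items():
        (isolate if is_in_affected_range(version) else outside).append(host)
    return sorted(isolate), sorted(outside)


if __name__ == "__main__":
    to_isolate, outside = triage(SAMPLE_INVENTORY)
    for host in to_isolate:
        print(f"ISOLATE  {host}: version in affected range")
    for host in outside:
        print(f"REVIEW   {host}: outside stated range, still verify per CISA guidance")
```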

My 2 cents

  1. Assume every Solarwinds Orion installation is compromised (even releases before March), and monitor it continuously until proven otherwise.
  2. Block Internet traffic to as many servers as you can.
  3. If you are paranoid (and you have the right to be paranoid, even after applying the Solarwinds patch): there is a possibility that the hackers created an additional backdoor, so the nuclear option is to rebuild your most critical servers from scratch, using NIST-850 and the CIS Benchmarks, on a separate network.

What can you do to protect YOURSELF against the Solarwinds hack?

This particular security issue affects large institutions more than individuals, but see the “General Security Recommendation” section of this article.

General Security Recommendation.

  1. Don’t give any user or application more access than it needs.
  2. Always use SSL/TLS or a tunnel, even inside a secure VPN, to avoid man-in-the-middle attacks.
  3. Always use DNS over TLS to avoid man-in-the-middle attacks.
  4. Know what your most important data/intellectual property (IP) is, and keep it on a separate network from the rest.
  5. Only install what you really need.
  6. Have an outbound firewall as well as an inbound firewall, especially for your critical data/intellectual property (IP).
  7. Have additional layers of firewall for your important data/intellectual property (IP), not controlled by the same user or app.
  8. Don’t reuse passwords.
  9. Have 2-factor authentication.
  10. Use the CIS Benchmarks.
  11. Use NIST-850 or a similar policy.
  12. At some level cybersecurity is a cat-and-mouse game, so subscribe to a security threat mailing list like CISA’s.

This list is in no way complete; it is just the beginning.

About Me

I am a Lead Software Engineer at the University of Kansas Medical Center; you can read more about me on my homepage.


Further reading for Solarwinds hack

  • The Massive SolarWinds Hack Explained in Context

Disclosures: This article is my own opinion, for entertainment and educational purposes only, and it could be inaccurate, as any human can be. This article’s ideas are not representative of my current or past employers.

38 thoughts on “2020-2021 Solarwinds hack explained in details by a software engineer.”

  1. Parshottambhai Baldevdas Patel

    Lucid
    Easy to understand and implement
    Great efforts.
    Focus on a very important issue.
    Hope your deep knowledge be used again and again on such important Issues

    Reply
  2. Holly

    I’m not positive where you are getting your information, but great topic.

    I need to spend a while finding out more or working
    out more. Thank you for great information I used to be in search of this info
    for my mission.

    Here is my page Learn Software Engineering

    Reply
  3. Jeff

    Thank you for this very good post. I was wanting to know whether you were planning on publishing similar posts to this.
    Keep up writing superb content articles!

    My web page – car donation tax

    Reply
  4. Running

    Good blog! I really love how it is simple on my eyes and the data are well written. I’m wondering how I could be notified when a new post has been made. I have subscribed to your feed which must do the trick! Have a great day!

    Reply
  5. Black Hairstyles

    Thank you, I have just been searching for info approximately this topic for a long time and yours is the best I have found out so far. But, what concerning the conclusion? Are you positive concerning the source?

    Reply
  6. Yvonne

    I always spent my half an hour to read this
    weblog’s articles daily along with a cup of coffee.
    0mniartist asmr

    Reply
  7. Henrietta

    Hello, after reading this amazing piece of writing I am
    also delighted to share my knowledge here with friends.
    0mniartist asmr

    Reply
  8. Joann

    This is a topic that’s close to my heart… Take care!
    Exactly where are your contact details though? asmr 0mniartist

    Reply
  9. Aleisha

    Have you ever considered writing an e-book or guest authoring on other
    sites? I have a blog centered on the same subjects you discuss and would love
    to have you share some stories/information. I know my viewers would value your work.
    If you are even remotely interested, feel free to
    send me an e-mail. asmr 0mniartist

    Reply
  10. Bernadine

    You made some good points there. I looked on the internet for more info about the issue and found most
    individuals will go along with your views on this web site.

    my homepage: Berniece

    Reply
  11. Vaughn

    Hello, it’s a pleasant piece of writing on the topic of media print, we
    all understand media is a fantastic source of information.

    Feel free to surf to my blog … Kraig

    Reply
  12. Ekonomia Portal

    I like how you manage to communicate your opinion effectively while keeping the content simple to understand for anyone regardless of his knowledge on the subject.

    Reply
  13. Crave Freebies

    Well I truly enjoyed reading it. This article procured by you is very effective for proper planning.

    Reply
  14. Freebies

    Does your site have a contact page? I’m having a tough time locating it but, I’d like to send you an email. I’ve got some recommendations for your blog you might be interested in hearing. Either way, great blog and I look forward to seeing it grow over time.

    Reply
  15. Fashion Styles

    Everyone loves what you guys are usually up to. Such clever work and coverage! Keep up the amazing work guys, I’ve added you guys to my own blogroll.

    Reply
  16. Alana

    Nice post. I learn something new and challenging
    on websites I stumbleupon every day. It’s always helpful to
    read content from other authors and practice a little something from their web sites.

    Here is my webpage; CNC routing speaker sides

    Reply
  17. Hairstyles Vip

    Of course, what a magnificent blog and informative posts, I definitely will bookmark your blog. All the Best!

    Reply
  18. Crave Freebies

    Oh my goodness! an incredible article dude. Thanks Nonetheless I am experiencing subject with ur rss . Don’t know why Unable to subscribe to it. Is there anybody getting identical rss problem? Anybody who is aware of kindly respond. Thnkx

    Reply
  19. Crave Freebies

    It’s really a cool and helpful piece of info. I am satisfied that you just shared this helpful info with us. Please keep us up to date like this. Thanks for sharing.

    Reply
  20. Fashion Styles

    Wonderful work! That is the type of information that should be shared around the net. Disgrace on the search engines for not positioning this publish higher! Come on over and talk over with my site . Thanks =)

    Reply
  21. Freebies

    It’s really a cool and helpful piece of information. I am glad that you just shared this helpful info with us. Please keep us up to date like this. Thank you for sharing.

    Reply
  22. I Fashion Styles

    You could certainly see your expertise in the work you write. The world hopes for more passionate writers like you who aren’t afraid to say how they believe. Always follow your heart.

    Reply
  23. Hairstyles Vip

    Very well written post. It will be helpful to everyone who uses it, as well as myself. Keep up the good work – I will definitely read more posts.

    Reply
  24. I Fashion Styles

    Great post. I was checking constantly this blog and I’m impressed! Very helpful information particularly the last part 🙂 I care for such info much. I was looking for this certain information for a very long time. Thank you and best of luck.

    Reply
  25. KAYSWELL

    Hey very cool blog!! Man .. Excellent .. Amazing .. I will bookmark your website and take the feeds also… I am happy to find numerous useful information here in the post, we need work out more techniques in this regard, thanks for sharing. . . . . .

    Reply
  26. Hairstyles

    Sweet blog! I found it while browsing on Yahoo News. Do you have any tips on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks

    Reply
  27. Fashion Trends

    Just want to say your article is as astonishing. The clearness for your publish is just great and i could assume you’re an expert on this subject. Well together with your permission allow me to grab your feed to stay updated with impending post. Thanks a million and please continue the enjoyable work.

    Reply
  28. Dorathy Zorc

    Spot on with this write-up, I actually believe that this website needs far more attention. I’ll probably be back again to read more, thanks for the information!

    Reply
  29. Fashion Styles

    You’re so cool! I don’t suppose I’ve learned anything like this before. So good to search out somebody with some authentic ideas on this subject. Really thank you for beginning this up. This website is something that is wanted on the web, somebody with slightly originality. Helpful job for bringing one thing new to the internet!

    Reply
  30. Shanna Poppert

    I seriously love your blog. Excellent colors & theme. Did you make this website yourself? Please reply back as I’m wanting to create my very own blog and want to know where you got this from or exactly what the theme is called. Kudos!

    Reply
