01-23-2021 , 07:46 AM
Quote: Cybersecurity experts are calling the attack on the SolarWinds Orion network management platform one of the most serious hacks on U.S. government networks and many large company data infrastructures. The attack, revealed in December 2020, had network professionals scrambling to mitigate the effects of the pervasive breach.
The supply chain attack has affected several federal government agencies, including the departments of commerce, energy and homeland security. News of the hack forced major public companies, including Cisco Systems and Microsoft, to ratchet up their network analysis activities to identify and mitigate the anomaly before it could disrupt operations.
Soon after the hack was revealed, SolarWinds announced updates to its Orion platform, which was hacked by malware called Supernova. According to SolarWinds' investigation, the malware could be deployed by exploiting a vulnerability in the Orion platform. Approximately 18,000 customers were affected by the breach. In response to the SolarWinds hack, these firms need to deploy the Orion updates and carefully examine all aspects of their networks to identify where the malware might have launched.
Supernova malware explained
According to a SolarWinds security advisory, "SUPERNOVA is not malicious code. ... It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."
The vendor noted that the malware has two components. "The first was a malicious, unsigned webshell .dll 'app_web_logoimagehandler.ashx.b6031896.dll' specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code."
Investigators researching the malware attack identified a backdoor called Sunburst, which enabled hackers to receive reports on infected computers. The hackers then used this data to target systems they identified for further exploitation.
Investigators found the backdoor code was similar to another widely used hacking tool called Kazuar. They surmised Kazuar was used in many previous attacks on public and private organizations and may have been a trigger to launch the previously dormant malware residing in target systems.
Lessons learned and next steps
The Orion platform is popular and used worldwide -- and was clearly a target for highly experienced hackers. Among the lessons learned from the SolarWinds hack is that security software is not completely perfect and should be considered a potential cyber attack entry point.
Continue reading HERE
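The advisory quoted above names the first SUPERNOVA component as an unsigned webshell DLL with a specific file name. The following PowerShell script is an added example, not from the article or from SolarWinds, showing how an Orion administrator could inventory the DLLs under the web root, record each file's Authenticode status and SHA-256, and flag both unsigned files and that exact file name; the web root path is an assumption and must be set to the real install location.

```powershell
# Added example (not from the quoted article): inventory DLLs under an Orion web root
# and flag any that are unsigned or carry the file name quoted in the SolarWinds advisory.
param(
    # Assumed location, not a documented default: point this at the actual Orion web root.
    [string]$OrionWebRoot = 'C:\inetpub\SolarWinds',
    [string]$ReportPath   = "$env:TEMP\orion-dll-report.csv"
)

# File name taken from the SolarWinds advisory quoted in the post above.
$KnownBadName = 'app_web_logoimagehandler.ashx.b6031896.dll'

$findings = Get-ChildItem -Path $OrionWebRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTimeUtc
            SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            NameMatch = ($_.Name -ieq $KnownBadName)
        }
    }

# Unsigned DLLs in the web root are worth triage; a match on the advisory's file name is an immediate escalation.
$suspicious = $findings | Where-Object { $_.NameMatch -or $_.SigStatus -ne 'Valid' }

# Keep the full inventory (hashes included) so it can be compared against a known-good install later.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

if ($suspicious) {
    Write-Warning "Unsigned or named-indicator DLLs found under $OrionWebRoot (full report: $ReportPath):"
    $suspicious | Sort-Object NameMatch -Descending | Format-Table Path, SigStatus, Signer, NameMatch -AutoSize
} else {
    Write-Host "No unsigned DLLs or known SUPERNOVA file name found under $OrionWebRoot (report: $ReportPath)."
}
```

Unsigned status alone is a triage signal rather than a verdict, since an ASP.NET site can legitimately contain unsigned compiled assemblies; the exported hashes are what let you diff the host against a clean Orion install or the vendor's updated release.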