SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure.
Peter Jones, The Cyber Badger, explains about the SolarWinds attack:
In December 2019, FireEye, a cyber security company, said they were breached. With 18,000 companies affected, FireEye did the industry a favor by detecting and notifying about the breach. It was FireEye’s “good security” that highlighted SolarWind’s “bad security”. It came out that an employee received a notification to ‘reset password’ on their MFA (multi-factor authentication) account. The employee noticed that this was strange as they did not request this, so they notified someone in FireEye of the event.
There were 2 things at play:
- Update Service – this was used as an entrance for attackers to create a bad server to pull down a compromised DLL file
- SolarWinds Servers
The hackers stayed dormant for 2 weeks to avoid raising alarms. By staying dormant, they started learning and constantly evolving and changing dependent on its environment, as well as learning what admins to use on the right systems.
When the traffic was examined, it showed genuine improvement program traffic – within this the attacker has the ability to:
- Transfer files
- Execute files
- Profile the system
- Reboot machine
- Disable system services
Once it had got to a certain level of privilege, it changed certificated to one that looked like SolarWinds signed certificate. This was the hackers “backdoor”, their ability for continuous compromising of the network.
Why was it sophisticated?
- It was persistent in the system
- It fingerprints the local anti-virus solutions
- Identify sinkholes, sandboxes and honeypots
- Checks for connectivity and what is normal on the network