Juha Saarinen: The SolarWinds hack continues to singe

While most people are happy to see the back of 2020, a truly horrible year, there are some that look forward to 2021 with apprehension: infosec staffers in organisations having to clear up the SolarWinds/SUNBURST/SoloriGate hack.

To recap, United States government departments, security vendors and big IT companies got an early, unwanted Christmas present a couple of weeks into December when news broke that they had Russians deep in their networks.

What’s more, the Russians (who deny they had anything to do with the hack) had been in the networks since at least March last year, and perhaps since October 2019, undetected.

Networks and computers get hacked into regularly, but this attack saw the likes of the US Treasury, Microsoft, security vendor FireEye and others being compromised indirectly, revealing some gaping security holes in interconnected systems that nobody seems to have thought of.

Microsoft, which has put in a huge amount of effort to improve security for its customers in particular over the last decade and a half, has had that work seriously dented.

On Boxing Day, news arrived that the hackers had compromised Microsoft resellers, in order to attack targets like security vendor Crowdstrike. Resellers often have privileged access to customer networks, for support, maintenance and licence compliance monitoring, which painted a bull’s eye on their backs.

Getting access to victim networks via third parties and managed service providers is not new, but clearly all the publicity around the CloudHopper attacks against enterprises in 2019 have not yet resulted in sufficient security changes to put an end to such sideways hacks.

That’s bad enough for Microsoft. In fairness, Microsoft has been quick to respond with transparency and information around the hacks. It can’t have been easy though for the company to disclose that the Russian hackers were in privileged enough positions in Microsoft’s systems to take a gander at the source code for applications.

The unauthorised peeping at the source code, which is what humans (and increasingly, automated systems) write before its compiled into code that machines can execute, isn’t that much of a worry.

Sure, we don’t know what the applications in question were, but Microsoft pointed out that its security posture assumes attackers already know the source code. Even without source code, it’s possible with expertise and patience to work your way backwards through machine readable application code, and figure out what most of it does.

Microsoft’s very good analysis of the Solorigate dynamic link library inserted into the SolarWinds update is a good example of that. Apart from a few randomly scrambled text strings in the binary that are yet to be cracked, the reverse engineering of it by Microsoft provides good insight into what the malware does and why it wasn’t detected for so long.

At a higher level, there are some truly remarkable, and alarming, details around the hacks.

First, even though just under 18,000 customers were hit by the Trojan Horse SolarWinds update, Crowdstrike co-founder Dmitry Alperovitch believes it was :a very carefully planned, stealthy and deliberate espionage operation against (likely) a few hundred high value targets. “

Alperovitch bases that on a “kill switch” found by security vendor FireEye in the malware that permanently disables it if certain test conditions are matched. Microsoft and other vendors used the kill switch to disable the Solorigate/SUNBURST malware late last year.

The sheer audacity of hacking thousands of systems in order to get access to just a few hundred shows how confident the threat actors were that their malware and actions would not be detected.

Second, the more details that are revealed about malware and the methodology of the hackers makes you wonder what they were after, apart from spying and mapping systems and network topologies.

If that’s all the hackers were prepared to burn or sacrifice a powerful attack like Solorigate, which will be detectable from now on, well… what else do they have in their toolkits?

Because they no doubt have alternatives in store already.

There will be more details on the hack coming up over the next few months, but enough has been released already that it adds serious weight to some security experts’ suggestion to “burn it all down and start from scratch”.

The experience with telcos’ worldwide interconnect systems points to that being unlikely to happen: in the name of network interoperability, older insecure telco systems can be used to access newer and very secure ones to geolocate subscribers worldwide. Spies can even lease access to the older network entry points.

In there lies probably some of the answer to the current security woes, namely stepping away from systems that are overly interconnected and insecurely networked to each other.

That by itself would lower their utility but at this rate of attacks, it’s the state-sponsored hackers who are getting the most value out of the current set up.

Source: Read Full Article