The FireEye SolarWinds Attack – What You Need to Know
On 8th December, FireEye, a large player in the cybersecurity world, disclosed that they had been hit by a nation state-sponsored attack, which they later found was the result of a backdoor in the SolarWinds Orion management and monitoring platform.
We all too often hear during disclosures that an attack was sophisticated, but in this rare case it was indeed both highly sophisticated and evasive. Combined, this resulted in a complex supply chain attack that compromised the supplier in order to target its high-profile victims.
It was confirmed that the hacker group managed to steal the red team tools of FireEye’s professional security team, ranging from simple scripts used for automating reconnaissance to entire frameworks similar to technologies such as Cobalt Strike and Metasploit. FireEye did, however, confirm that the stolen tools did not contain any zero-day exploits.
Since FireEye’s announcement there has been a great deal of investigation and a steady stream of updates from cyber experts; mitigation techniques and threat advisories are now being released. The advisories from SolarWinds confirm that the exploits only affect the Orion platform; we strongly advise any SolarWinds customers to review and update their platforms as soon as possible.
We are not going to try and cover the details of this attack here, but instead want to bring together a timeline of posts related to the disclosures, security advisories and recommendations from the multiple experts directly and indirectly associated with investigating the attack.
FireEye Red Team Tools Stolen by State Sponsored Hacker Group | 8th December
Unauthorized Access of FireEye Red Team Tools | FireEye Inc
SolarWinds Security Advisory | Released 13th December | Updated as of 17th December
Security Advisory | SolarWinds
Hacker Group Leverages SolarWinds Backdoor | 13th December
Important steps for customers to protect themselves from recent nation-state cyberattacks | 13th December
Important steps from the Microsoft Blog | Microsoft
Customer Guidance on Recent Nation-State Cyber Attacks | 13th December
Detailed Guidance and recommendations | Microsoft Security Response Center
SolarWinds Orion Mitigation | 13th December
Emergency Directive 21-01 | cyber.dhs.gov
SolarWinds Supply Chain Attack Threat Advisory | 14th December
Kill Switch Forces Backdoor Termination | 16th December
FireEye, Microsoft create kill switch for SolarWinds backdoor | Bleeping Computer
Details on Advanced Persistent Threat Compromise | 17th December
What you will see throughout the FireEye posts in particular is a great and commendable approach to the disclosure of the attack. FireEye have been clear, open, concise and actively trying to help the public defend against the threats that may result from the theft of their offensive tools.
With approximately 18,000 potentially impacted customers, and numerous organisations already confirming that they are also victims, this story may run for some time, so we will aim to keep this post updated where possible.
To close, Microsoft’s President posted an interesting article giving his account of what has been a challenging year for us all when it comes to cyber security threats.
Updates [21st Jan 2021]:
SuperNova Webshell Adds a Second Vector to the SolarWinds Attack | 17th December
SUPERNOVA: A Novel .NET Webshell | Palo Alto Networks
Protecting Microsoft 365 from On-premises Attacks | 18th December
Understanding the threat to prevent on-premise to cloud attacks | Microsoft AAD Identity Blog
SolarWinds Compromise May Have Begun 5 Months Earlier | 18th December
Identity Compromise & Incident Response | 21st December
Advice for incident responders on recovery from systemic identity compromises | Microsoft DART
SAML Identity Anomalies and IOCs | 21st December
Microsoft Solorigate Resource Centre | 21st December
Summary, background, and guidance resource centre | MSRC
Joint Statement by the FBI, CISA, ODNI and NSA – Attribution | 5th January
FireEye Releases Tool for Auditing Networks for Techniques Used by SolarWinds Hackers
FireEye have released a report with detailed techniques used by the SolarWinds hackers | ZDNet.com