It took stealing the crown jewels of one of the leading cyber security companies – the offensive hacking tools of FireEye – for anyone to detect what’s shaping up to be a truly watershed cyberattack.
The SolarWinds Sunburst Attack Is Noteworthy For At Least Three Reasons:
- The prominence of its known victims: security companies, federal agencies, etc.
- The state-of-the-art techniques and skills that allowed the attackers – most likely a Russian state-sponsored group – to breach SolarWinds’ Orion build process, insert an undetected malicious component into Orion’s updates and then use that malware – now deployed on customers’ Orion servers – to patiently and stealthily, over many months, identify their victims, expand their foothold within those networks, and exfiltrate data.
- It is the largest supply chain attack published so far. That is, the attackers sought out and found a major technology supplier and, by breaching it, gained access deep into the networks of most of its customers.
Cyberpion’s View Of The SolarWinds Supply Chain
IT organizations can and must have visibility into their exposure to any of their vendors. That is, customers should have systems in place that can inventory, at any given time, which solutions, products and technologies are deployed where. These inventories are critical for following federal guidelines and shutting down compromised, or potentially compromised, instances.
Based on our experience and analysis, many organizations do not have this inventory available. Organizations are struggling to keep tabs on their assets and lack visibility into their ecosystem. This is exactly the situation we see with deployments of SolarWinds Orion (and other SolarWinds products and services).
Through our ecosystem discovery solution, we’re seeing hundreds of SolarWinds Orion instances, some deeply misconfigured, with strong indicators (independently verified by the customers we contacted) of being unmanaged and deployed as shadow IT.
Organizations Are Unaware Of Every SolarWinds Orion Instance Installed In Their Infrastructure
It could be a recent acquisition of a company that used the system, or an instance that was created as part of a POC (in some of them, the default credentials were still in use). Furthermore, some of the companies in whose networks we detected these exposed SolarWinds Orion instances are themselves supply-chain vendors with thousands of customers. This means that exposure to the risks of this attack lies not only with SolarWinds and its customers but extends to customers of customers, and beyond.
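The practical step behind the two sections above is a reconciliation: take what discovery finds on the network and compare it against what the asset inventory says is managed, so that unmanaged (shadow IT) instances of a given vendor product surface, along with a hint of where they came from (a POC, an acquired subsidiary). The following is an added illustration written for this page, not Cyberpion's product code or SolarWinds tooling; the host names, product labels, known corporate domains and record fields are constructed sample data and assumptions.

```python
"""Reconcile discovered vendor instances against the managed asset inventory.

Added example for this page (not Cyberpion's code). All records below are
constructed sample data; the field names and the naming heuristics in
classify_origin() are assumptions, not a vendor's schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Instance:
    host: str               # hostname as seen by discovery or the inventory
    product: str            # product label, e.g. "SolarWinds Orion"
    owner: Optional[str]    # owning business unit, if the inventory knows it


# Constructed sample: what an ecosystem/network discovery scan reports.
DISCOVERED: List[Instance] = [
    Instance("orion-prod.corp.example", "SolarWinds Orion", None),
    Instance("orion-poc.lab.example", "SolarWinds Orion", None),
    Instance("npm.acquired-sub.example", "SolarWinds Orion", None),
    Instance("mail.corp.example", "Exchange", None),
]

# Constructed sample: what the CMDB / asset inventory says is managed.
MANAGED: List[Instance] = [
    Instance("orion-prod.corp.example", "SolarWinds Orion", "Network Ops"),
    Instance("mail.corp.example", "Exchange", "Messaging"),
]

# Assumed set of domains the organization knows it owns (constructed).
KNOWN_DOMAINS: Set[str] = {"corp.example", "lab.example"}


def find_unmanaged(discovered: List[Instance], managed: List[Instance],
                   product: str) -> List[str]:
    """Hosts running `product` that discovery sees but no inventory record covers."""
    managed_hosts = {m.host.lower() for m in managed if m.product == product}
    return sorted(d.host for d in discovered
                  if d.product == product and d.host.lower() not in managed_hosts)


def classify_origin(host: str, known_domains: Set[str]) -> str:
    """Heuristic (assumption) for why an instance might be unmanaged."""
    h = host.lower()
    if not any(h == d or h.endswith("." + d) for d in known_domains):
        return "outside known domains (acquisition or third party?)"
    if "poc" in h or "lab" in h or "test" in h:
        return "possible POC / lab instance"
    return "unknown origin"


def exposure_report(discovered: List[Instance], managed: List[Instance],
                    product: str) -> dict:
    """Summarize managed vs. unmanaged instances of one vendor product."""
    unmanaged = find_unmanaged(discovered, managed, product)
    total = sum(1 for d in discovered if d.product == product)
    return {
        "product": product,
        "discovered": total,
        "managed": total - len(unmanaged),
        "unmanaged": {h: classify_origin(h, KNOWN_DOMAINS) for h in unmanaged},
    }


if __name__ == "__main__":
    for host, why in exposure_report(DISCOVERED, MANAGED, "SolarWinds Orion")["unmanaged"].items():
        print(f"UNMANAGED {host}: {why}")
```

The report's "unmanaged" entries are the ones to prioritize when a vendor advisory lands: they are precisely the instances nobody is patching, monitoring or shutting down, and the origin hint tells the responder which team (M&A integration, a lab owner) to contact first.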