The recent cyberattack against various US federal government agencies and leading security companies like FireEye may be just the tip of the iceberg.
On December 13th security researchers at FireEye uncovered a global intrusion campaign that has compromised public and private sector organizations at an unprecedented scale. The attacks, believed to have begun in Spring 2020, were carried out via trojanized updates to SolarWinds' Orion IT monitoring platform, a widely deployed network management application. Given the popularity of this product and the length of time the backdoor had gone undetected, the security community is still working to assess the true scope of the attack. "What is known to be compromised so far is probably just the tip of the iceberg", claimed Richard Staynings, Chief Security Strategist for Cylera and renowned healthcare security evangelist.
The attackers gained access to SolarWinds' update server, possibly due to an accidental leak of the server's credentials on Github, and uploaded multiple trojanized updates between March and May of this year. The updates, which the attackers managed to digitally sign so that they appeared authentic and untampered, included a malicious component named SolarWinds.Orion.Core.BusinessLayer.dll, now referred to by security researchers as the SUNBURST backdoor. The backdoor begins by lying dormant for up to two weeks, distancing its subsequent activity from the date of the update's installation. It then begins to communicate with external command and control (C2) servers that can instruct the backdoor to perform reconnaissance and provide attackers with access to the network.
The highly sophisticated attacks, which are thought to have successfully infiltrated the U.S. State, Treasury, Homeland Security, and Commerce departments, as well as other government agencies and commercial enterprises, are believed to be the work of a group known as APT29, a Russian hacker collective also known as Cozy Bear that is believed to be affiliated with the country’s foreign intelligence service, the SVR.
According to multiple U.S. news sources, APT29 has been implicated in numerous cyber attacks against the United States and other countries over a period of many years. This includes the 2016 hack of the US Democratic Party in the run-up to the presidential election and many other cyber attacks against state and commercial entities. Although he did not name the attacker, FireEye CEO Kevin Mandia stated in a recent interview that “We are witnessing an attack by a nation with top-tier offensive capabilities.” It seems likely therefore that a sophisticated attack of this nature was executed at the very least by a well-funded nation-state actor.
So how can I detect if my hospital network has been compromised by this attack?
Cylera's threat detection systems have the ability to detect the presence of this malware using distinct characteristics of its behavior and control infrastructure. This includes detecting communication with IP addresses and queries for domain names that are associated with the malware's C2 servers, signs of the malware's communication protocol, and suspicious DNS queries that match the DGA (domain generation algorithm) scheme used by the malware, among others. Activity and toolsets that have been used by the attackers during later stages of their kill chain, such as the Cobalt Strike framework used as they move laterally through the victim’s network, are similarly detected.
In addition to traditional IoC-based detection mechanisms, Cylera's threat detection systems assess the network activity of SolarWinds products for signs of anomalous activity, such as DNS queries or HTTP communication that is uncharacteristic of the product. As attackers can - and frequently do - update their malware or move their control infrastructure to evade network defenses that are looking for the IPs, domains, and communication patterns of the malware's previous version, behavioral analysis is a necessity for continued detection of, and protection from, attacks by the ever-tenacious and increasingly prolific APT groups that plague today's security landscape.
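The two paragraphs above describe three complementary detection layers: matching known-bad domains, spotting DGA-like hostnames, and flagging destinations that are out of character for a host known to run SolarWinds Orion. The following is an added example, not Cylera's detection logic or any code from the article, that runs all three over a handful of constructed DNS query log lines. The log format, the Orion server address, the baseline of expected destinations and the DGA thresholds are all assumptions made for the example; the only indicator taken from the article is panhardware[.]com, with a second, obviously fake domain standing in for the rest of the published IoC list.

```python
"""Toy DNS-log detection pass: IoC domain match, DGA heuristic, and a
per-host behavioral baseline for SolarWinds Orion servers.
Everything below except panhardware[.]com is constructed for illustration."""
import math
import re
from collections import Counter


def defang(domain):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".")


# Known-bad registered domains. Only panhardware[.]com comes from the article;
# example-ioc[.]invalid is a placeholder, not a real indicator.
IOC_DOMAINS = {defang(d) for d in ("panhardware[.]com", "example-ioc[.]invalid")}

# Constructed baseline: the Orion server's IP and the registered domains it is
# expected to contact (vendor downloads, NTP). Anything else is worth a look.
ORION_HOSTS = {"10.0.5.20"}
ORION_BASELINE = {"solarwinds.com", "example.org"}

# Constructed log format: "<timestamp> <source-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(fqdn, min_len=16, min_entropy=3.5):
    """Generic DGA heuristic: a long, high-entropy leftmost label.

    This is a constructed heuristic, not the malware's actual encoding scheme;
    thresholds are assumptions and should be tuned against real traffic."""
    label = fqdn.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def registered_domain(fqdn):
    """Crude registered-domain extraction (last two labels, no public-suffix list)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def analyze(lines):
    """Return (source_ip, qname, reasons) for every log line that trips a detector."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        src = m["src"]
        qname = m["qname"].lower().rstrip(".")
        rd = registered_domain(qname)
        reasons = []
        if rd in IOC_DOMAINS:
            reasons.append("ioc_domain")
        if looks_like_dga(qname):
            reasons.append("dga_like")
        if src in ORION_HOSTS and rd not in ORION_BASELINE:
            reasons.append("orion_unexpected_destination")
        if reasons:
            alerts.append((src, qname, tuple(reasons)))
    return alerts


# Constructed sample log: two benign Orion lookups, one IoC hit, one DGA-looking
# lookup from the Orion server, and one unrelated workstation lookup.
SAMPLE_LOG = [
    "2020-12-14T02:10:01Z 10.0.5.20 query downloads.solarwinds.com",
    "2020-12-14T02:10:07Z 10.0.5.20 query ntp.example.org",
    "2020-12-14T02:11:30Z 10.0.5.20 query panhardware.com",
    "2020-12-14T02:12:45Z 10.0.5.20 query k3q9xz2mvd8prf0tw6bn.example-c2.invalid",
    "2020-12-14T02:13:00Z 10.0.9.14 query www.example.com",
]

if __name__ == "__main__":
    for src, qname, reasons in analyze(SAMPLE_LOG):
        print(f"{src} -> {qname}: {', '.join(reasons)}")
```

The baseline check is the piece that survives an infrastructure change by the attacker: when the C2 domains move, the IoC match goes quiet, but an Orion server resolving a domain it has never contacted before still stands out. In practice the baseline would be learned from a clean observation window per host rather than hard-coded, and `registered_domain` would use a public-suffix list.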
Organizations that use SolarWinds products, regardless of the security products they have in place, should immediately follow the instructions outlined in CISA's Emergency Directive 21-01. This includes powering down all SolarWinds Orion products of version 2019.4 through 2020.2.1 and analyzing network traffic, as well as alerts from network security products, for any activity involving known indicators of compromise. For organizations that do not have network monitoring products that will perform this analysis automatically, public IoCs have been provided by FireEye and include the following domains and IPs:
Note: despite the malware's usage of the domain panhardware[.]com there has been no published evidence of abuse of PAN products or hardware in the attacks.
While this campaign has undoubtedly cemented a spot on the list of the most notable cyber-attacks, it is not the first attack to exploit a supply chain to expand reach and will certainly not be the last. Supply chain attacks are particularly potent in healthcare, as the number of applications, remote services, and networked products required to power the modern healthcare environment continues to grow rapidly. Simply understanding the attack surface has become increasingly difficult, as it is made up not only of typical software vendors and remote service providers, but of thousands of network-connected medical and IoT devices that call home to their vendors for updates or remote servicing.
The possibility of attackers using medical devices to traverse the supply chain and compromise healthcare networks in a way analogous to the SolarWinds attack is not just hypothetical, but very much a reality. Malware named Kwampirs, first publicly exposed in 2018 by Symantec, has targeted organizations via supply chain attacks since 2015 while maintaining a worrying focus on healthcare. Cylera researchers have discovered Kwampirs infections not only at healthcare organizations in the US, but at medical imaging software vendors, printer manufacturers, and one of the primary manufacturers of medical imaging equipment, whose remote support VPN connections, used for equipment like CT machines, provided the malware with a means of spreading from vendor to hospital.
These campaigns show us that attackers are learning to break into networks through avenues many organizations barely know exist and to hide in places most would not think to look. While organizations must take immediate action to ensure they are not affected by the SolarWinds attack, this action is only one step towards ensuring the continued security of their networks and the continuity of their operations. While it may be some time before we see another campaign of this scale, it will not be long until we see yet another campaign use these tactics. "Organizations must build defenses to protect from novel threats that may not yet be known to the security community, and must work to increase their awareness of the endpoints and behaviors present on their networks so they can ensure their security programs consider the entirety of their attack surface", claimed Paul Bakoyiannis, CTO and co-founder of Cylera.
"The organizations so far that have reported to be impacted by this supply chain attack are just the tip of the iceberg", claimed Staynings. Over the next few days and weeks we are going to hear about a lot more. "Anyone running the affected software would be well advised to follow the advice of CISA and others, isolate and forensically investigate systems running this software, then undertake a full regression test of all applications and data to ensure that other malware has not made its way to systems. Any attack of this nature and sophistication will likely have established multiple levels of persistence", claimed Staynings. "It may be months before we get to fully put this behind us", he added.