Solarwinds, FireEye, and Breaches.

Dec 14, 2020


Over the past few days there have been multiple high-level breaches to platforms like Microsoft Teams and Solarwinds Orion, and to companies like FireEye and some government agencies. Going into the holidays, this may be a cause for anxiety for those of you who are charged with defending your company’s networks. While a healthy level of anxiety may be needed to defend properly, I do not want you to lie awake at night or get to the point of feeling hopeless. I scrolled through my Twitter feed and wanted to consolidate several of the resources I found concerning these breaches and flaws.

Solarwinds Orion 

Let’s start with Solarwinds since so many people use this network management software (NMS) platform. 

What can you do to protect yourself? The Solarwinds advisory is excellent and well written; you can find it here:

https://www.solarwinds.com/securityadvisory

If you prefer the Government’s opinion and analysis, you can find that here (read the Required Actions section carefully):

https://cyber.dhs.gov/ed/21-01/

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

If you want to know what happened and who has been affected, there is some speculation that this was the source of compromise for some of the breaches in the government and at FireEye. It appears that an attacker was able to leverage the update mechanism within Solarwinds to deliver trojanized updates. Inserting trojaned software via the vendor’s own update channel is considered a supply chain attack, and it could affect every user of the software who installed the affected updates.

Jake Williams will be giving a more in-depth webinar via SANS later today which you can register for here:

https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015

Microsoft Teams 

Next let’s delve into MS-Teams which is also a popular platform. 

Here’s a write-up on GitHub, by the researcher who discovered it, that contains both an easy-to-read summary and in-depth technical details, with a screencast video demonstrating the issue:

https://github.com/oskarsve/ms-teams-rce

Here is another write-up for people who want a shorter summary:

https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html

In every write-up of this Teams issue, the following response from Microsoft has been quoted:

“We mitigated the issue with an update in October, which has automatically deployed and protected customers,”

Corporate and governmental breaches are also making for splashy, scary headlines, and these may tempt you either to be overly afraid that you are next or to be overly comforted that you won’t be breached because your organization is too small or does not hold data a hacker might want. I would urge you to take a balanced approach and diligently search your environment for the indicators of compromise (IoCs) that have been published. Additionally, following the guidance on how to mitigate further spread is always a best practice.

Here is a write-up from FireEye on the IoCs:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

FireEye has published YARA rules to detect some of this malware here:

https://github.com/fireeye/sunburst_countermeasures

If you’re unfamiliar with YARA, it’s a malware detection tool that matches files against rules; you can get it here:

https://github.com/VirusTotal/yara

I always get asked, “Who do you think did this?” Attribution gets too much focus, as far as I am concerned, and best practices and technical fixes don’t get enough attention.