Feds: SolarWinds Attack ‘Poses a Grave Risk’ To Government, Business

The U.S. government says it has evidence of additional initial access vectors beyond the SolarWinds Orion supply chain compromise, but noted that those other attack methods are still being investigated.

The U.S. government warned Thursday that removing the SolarWinds hackers from compromised environments will be a highly complex and challenging endeavor for organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) said that the group behind the SolarWinds breach has demonstrated patience, operational security and complex tradecraft in its attacks. CISA added it has evidence of additional initial access vectors beyond the SolarWinds Orion supply chain compromise, but noted that those other intrusion methods are still being investigated.

“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the agency wrote in a 17-page cyber activity alert. “This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.”

[Related: SolarWinds Hack ‘One Of The Worst In The Last Decade’: Analyst]

Organizations with suspected compromises need to keep operational security front and center, CISA cautioned, including when conducting incident response activities and designing and implementing remediation plans. CISA ordered all federal civilian agencies Sunday night to immediately power down SolarWinds Orion products since they were being used by hackers believed to be affiliated with Russia.

Not all organizations that have a backdoor delivered through SolarWinds Orion have been targeted by the hackers with follow-on actions, according to CISA. That’s consistent with what others have said, including FireEye’s Charles Carmakal, who told The New York Times Monday that only dozens of organizations were actually compromised even though 18,000 were vulnerable to being attacked.

The hackers - which the Washington Post reported are with the Russian intelligence service, or APT29 - have demonstrated the ability to exploit software supply chains and have shown significant knowledge of Windows networks, CISA said. It is likely that the hackers have additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered, according to CISA.

CISA said it’s investigating incidents where the adversaries exhibit behavior consistent with the SolarWinds hackers but the victims either don’t use SolarWinds Orion or no SolarWinds exploitation activity was observed.

Specifically, CISA cited the Volexity report of an intrusion into a think tank where a Duo multi-factor authentication bypass in Outlook Web App (OWA) was used as the initial attack vector to steal the secret key. Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and CISA said the tactics, techniques and procedures are consistent between the two.

Duo said the attack described in Volexity‘s blog wasn’t due to a vulnerability in the company’s own products.

“The post details an attacker that achieved privileged access to integration credentials that are integral for the management of the Duo service from within an existing compromised customer environment, such as an email server,” Duo said in a statement. ”Compromise of a service that is integrated with an MFA provider can result in disclosure of integration secrets along with potential access to a system and data that MFA protects.”

To provide SolarWinds Orion with the necessary visibility into on-premise and hosted infrastructure, CISA said it is common for network administrators to configure the platform with pervasive privileges, making it a valuable target for hackers. CISA said the hackers added malicious code into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate.

SolarWinds Orion typically uses a significant number of highly privileged accounts and access to perform normal business functions, CISA cautioned. As a result, CISA said successful compromise of one of these systems can enable further action and privileges in any environment where these accounts are trusted.

The adversary is using virtual private servers - often with IP addresses in the home country of the victim - for most communications to hide their activity among legitimate user traffic, CISA warned. The hackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection, according to CISA.

The attacker is heavily leveraging compromised or spoofed tokens for accounts for lateral movement, CISA said. This will trick commonly used detection techniques in many environments and force firms to identify actions that are outside of a user’s normal duties. For example, CISA said it is unlikely that an account associated with the HR department would need to see the cyber threat intelligence database.

“These observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” CISA wrote.

CISA said its observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.

The hackers seem to be focused on collecting information from victim environments, according to CISA. CISA said it’s observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.

One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.

The hackers are using a complex network of IP addresses to obscure their activity, which CISA can result in a detection opportunity called “impossible travel.” That is when a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins. CISA cautioned this can result in false positive if legitimate users rely on a VPN for their connection.

Organizational communication about their findings from and mitigations for the hack should be considered very sensitive due to the targeting of key personnel, incident response staff and IT email accounts, according to CISA. An operational security plan must be developed and distributed through a secondary communication method to ensure all staff are aware of what precautions they should take.

The plan should include guidance for staff and leadership around non-primary methods of communication and an outline of what ‘normal business’ is acceptable to conduct on a suspect network, CISA said. In addition, CISA said organizations should put together a call tree for critical contacts and decision making, and consider how they’ll communicate externally with stakeholders and media.