FireEye: SolarWinds Hack 'Genuinely Impacted' 50 VictimsSuspected Cyberespionage Prioritized Biggest Targets, Says FireEye CEO Kevin Mandia
Hackers who infiltrated government and business networks via a stealthy software update appear to have "genuinely impacted" about 50 organizations, says FireEye CEO Kevin Mandia.
See Also: The Power and Scale of XDR
Speaking of the supply chain attack that implanted a backdoor in the Orion network monitoring software built by Texas-based SolarWinds, and which was pushed to 18,000 of the firm's customers, Mandia noted that, while many have been referring to it as "potentially the biggest intrusion in our history," the focus of the apparent cyberespionage campaign was much more targeted.
"The reality is: The blast radius for this, I kind of explain it with a funnel. It's true that over 300,000 companies use SolarWinds, but you come down from that total number down to about 18,000 or so companies that actually had the backdoor or malicious code in a network," Mandia said in an interview with CBS news program "Face the Nation" on Sunday. "And then you come down to the next part. It's probably only about 50 organizations or companies, somewhere in that zone, that are genuinely impacted by the threat actor."
The attack campaign was first revealed on Dec. 13 by FireEye, which was one of its victims. It has labeled the backdoored software "Sunburst."
While the complete roster of victims remains unknown, other organizations that were running the backdoored software include several U.S. government agencies: the Commerce, Homeland Security, State, Treasury and Energy departments, as well as the National Institutes of Health. The extent of any intrusions remains unclear. On Monday, for example, Treasury Secretary Steven Mnuchin told CNBC that the hackers did breach unclassified Treasury systems but didn't appear to have accessed any classified systems.
Belkin, Cisco, Intel and Nvidia were also among the breached U.S. technology businesses.
Victims Include Microsoft and VMware
Microsoft on Thursday disclosed that it too was hacked, but says there are no signs that its software was either Trojanized or used to infect anyone else.
On Friday, Palo Alto, California-based VMware said it was also a victim of the supply chain attack. "While we have identified limited instances of the vulnerable SolarWinds Orion software in our own internal environment, our own internal investigation has not revealed any indication of exploitation,” VMware said in a statement.
FireEye's Mandia said in his Sunday interview that the SolarWinds Orion code was altered in October 2019, but that the backdoor wasn't added until March.
An unnamed source with knowledge of the investigation told Yahoo News that last October's effort appeared to be a "dry run," adding that the attackers' caution suggested that they were "a little bit more disciplined and deliberate" than the average attacker.
Investigators say the attack appears to have been launched by Russia as part of a cyberespionage operation, and potentially by Moscow's SVR foreign intelligence service.
U.S. Secretary of State Mike Pompeo on Friday said in a radio interview that "we can say pretty clearly that it was the Russians." On Saturday, President Donald Trump attempted to downplay Pompeo's remarks.
Other 'Initial Access Vectors' Possible
The full scale of the campaign, including all of the tactics, techniques and procedures - or TTPs - being used by attackers remains unknown; sizing up the impact is the focus of urgent investigations.
On Friday, Microsoft reported that the SolarWinds Orion software may have been backdoored by more than one organization.
On Saturday, the U.S. Cybersecurity and Infrastructure Security Agency warned that the same supply chain hackers appeared to also have been using "initial access vectors other than the SolarWinds Orion platform," including abusing security assertion markup language - aka SAML - tokens. CISA says its investigation is continuing.
The National Security Agency on Saturday warned that Russian hackers may have been bypassing authentication to abuse cloud-based resources, but it did not directly tie that to the SolarWinds attack (see: NSA Warns of Hacking Tactics That Target Cloud Resources).
Cybersecurity blogger Brian Krebs first reported that, as part of those efforts, attackers may have been exploiting a VMware flaw - CVE-2020-4006 - that the company patched on Dec. 3. The agency on Dec. 7 issued a security alert about the flaw, warning that “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”
VMware says it has not been informed by any U.S. government agencies that this did come to pass.
Sunburst Disruptions Continue
On Wednesday, FireEye, Microsoft and registrar GoDaddy said they successfully blocked attackers' access to at least some endpoints running Trojanized versions of Orion, by seizing the avsvmcloud[.]com domain, which attackers were using as a C2 address for communicating with systems running Sunburst.
"We identified a kill switch that would prevent Sunburst from continuing to operate," a FireEye spokesperson told Information Security Media Group. "This kill switch will affect new and previous Sunburst infections by disabling Sunburst deployments that are still beaconing to avsvmcloud[.]com."
Researchers at Chinese firm RedDrip Team have built a tool that has been able to decrypt some of the C2 information, which has revealed a partial list of organizations - stretching to more than 1,700 hostnames - that were running Sunburst. The organizations include Belkin, Cisco, Intel and NVidia, as well as a U.S. government organization and telecommunications company.
Once the backdoored Orion update was installed, the software waited for a random period of time - but typically about two weeks - before attempting to "phone home" to a hard-coded IP address to communicate with a C2 server, according to an analysis published on Dec. 13 by FireEye. It said the delay was designed to help evade malware analysts looking for suspicious behavior.
After the malware phoned home, attackers sometimes pushed a dropper, called Teardrop, to the endpoint. This malware can install and execute additional malware, to help attackers map the network, exfiltrate data and deploy additional tools to facilitate long-term remote access. Potentially, attackers could have used such intrusions as a beachhead for attacking an organization's business partners, too.
Security firms are now hunting for signs of systems that not only phoned home to the C2 server - as part of the first stage of attacks - but which were then the focus of second-stage attacks because they were of greater interest to attackers.
Microsoft Counts 40 Victims or More
Mandia's comments that approximately 50 organizations may have been thoroughly breached as part of the supply chain attack follow Microsoft President Brad Smith on Thursday saying the company had identified "more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures" (see: SolarWinds Hack: Lawmakers Demand Answers).
Smith said that about 80% of those Microsoft customers are U.S.-based, but that the company has so far "identified victims in seven additional countries" - "Canada and Mexico in North America; Belgium, Spain and the U.K. in Europe; and Israel and the UAE in the Middle East." And he cautions that the count of victims is sure to "keep growing."
Moscow-based security firm Kaspserky says it has found that about 100 of its customers downloaded the Trojanized Orion software update, which then phoned home to the C2 servers. But it says none appear to have been targets of the second-stage malware attack. Kaspersky says that, so far, it has also not been able to recover any copies of Teardrop, which FireEye says is memory-only malware that appears to have been designed to drop a copy of the Cobalt Strike Beacon penetration-testing software.
Biden to Look Beyond Sanctions
The discovery of the attacks comes in the weeks leading up to the inauguration of President-elect Joe Biden.
Speaking on Sunday to "Face the Nation," his incoming chief of staff, Ron Klain, said the incoming administration was weighing how to best respond.
"It's not just sanctions," Klain said. "It's also steps and things we could do to degrade the capacity of foreign actors to repeat this sort of attack."