What the SolarWinds Hack Means to Companies Downstream

February 23rd, 2021


News about the SolarWinds hack keeps getting worse.

In a February 17, 2021, White House briefing, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, reported that nine federal agencies and about 100 private companies, many of which were technology companies that could provide a path to other data, were breached.  Neuberger said that with so many tech companies compromised, additional victims of the attack may still be discovered.

On February 18, Microsoft announced the hackers had accessed or downloaded source code for subsets of Azure, Intune, and Exchange.

The attack the perpetrators planned was clever. It was embedded in regular software updates, so companies trying to keep their SolarWinds monitoring software up to date were the ones affected. About 18,000 SolarWinds Orion platform users fell victim in early 2020, and the attack brewed for months before discovery. The bad actors used multiple pieces of malware to carry out their plan. Raindrop malware enabled movement across networks and delivered payloads, including Sunburst, inserted via Sunspot. In some cases, the cybercriminals deployed Teardrop, meant to deploy a version of Cobalt Strike’s Beacon payload.

What’s Happening Upstream from Your Business?

The SolarWinds hack is a sobering reminder that cyberattack is a risk not only directly to your organization but indirectly through your vendor network. A look at SolarWinds’ customer list may even reveal businesses, enterprises and organizations you rely on as service providers or partners. The nature of the Orion platform, which is designed to make IT administration simple for on-premises IT/OT environments and cloud solutions from one dashboard, also makes it easy to understand why it was such an attractive target.

As shocking as this cyber attack’s scope and impact are, it’s important to maintain focus on what you can do to keep your business safe. For starters, investigate whether your business was affected. The Cybersecurity & Infrastructure Security Agency (CISA) issued Alert AA20-352A providing details on which versions of the platform were affected by the SolarWinds hack, technical details of the attack, and mitigations. The alert also provides links to Sparrow.ps1, which can help detect compromised accounts in Azure/M365, and guidance on detection via impossible travel and impossible tokens.
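To make the impossible-travel idea concrete, here is an added example (not code from the CISA alert or from Sparrow.ps1) that flags consecutive sign-ins by one account whose locations could not be reached in the elapsed time. The record layout, the 900 km/h speed ceiling, the 100 km jitter floor and the sample sign-ins are all assumptions constructed for illustration.

```python
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed

# Constructed sample sign-ins: (user, ISO-8601 UTC time, latitude, longitude).
# A real pipeline would geolocate the source IP of each sign-in record first.
SIGNINS = [
    ("alice", "2021-02-01T09:00:00", 40.71, -74.01),   # New York
    ("alice", "2021-02-01T09:40:00", 55.75, 37.62),    # Moscow, 40 min later
    ("bob",   "2021-02-01T08:00:00", 51.51, -0.13),    # London
    ("bob",   "2021-02-01T11:30:00", 48.86, 2.35),     # Paris, 3.5 h later
    ("carol", "2021-02-01T10:00:00", 47.61, -122.33),  # Seattle
    ("carol", "2021-02-01T10:00:00", 35.68, 139.69),   # Tokyo, same second
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH, min_km=100.0):
    """Return (user, earlier_time, later_time, km) for consecutive sign-ins
    by one user that would need a speed above max_kmh."""
    alerts = []
    events = sorted((u, datetime.fromisoformat(t), la, lo) for u, t, la, lo in signins)
    for user, group in groupby(events, key=lambda e: e[0]):
        group = list(group)
        for (_, t1, la1, lo1), (_, t2, la2, lo2) in zip(group, group[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:          # ignore geolocation jitter within one metro area
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins from distant places are flagged without dividing by zero.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

Accounts that legitimately sign in through VPN or cloud proxy egress points will trip this check, so alerts need to be reviewed against known corporate egress addresses before being treated as a compromise.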

Next, accelerate your schedule for risk assessments, this time performing one that takes your entire IT and OT environment into account. With the rapid tech adoption that took place in 2020 to accommodate remote work and socially distanced operations, you may have more risks to consider from new devices, sensors, and cloud systems.

Also, make sure you’re complying with industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Systems and Organization Controls (SOC) 2 Type 2, and Payment Card Industry (PCI) standards. It’s tempting to let compliance become a routine task, checking boxes whenever reports are due. However, the SolarWinds hack underscores the need for security technologies and processes to ensure compliance every day of the year.

Survive to Fight Another Day

Whether or not the SolarWinds hack impacted your business, it’s time to identify the assets and sensitive data you store and use, threats that can compromise them, and the measures you can put in place to protect them.

In a continually changing threat landscape, there are no guarantees. However, you can comply with industry security regulations, carefully monitor your IT environment and your partner ecosystem, and build a security strategy that keeps bad actors out – and, when they still get through, helps mitigate the data loss and damage they do.

Virtual Systems can help by providing compliant cloud solutions and guidance on making your business more secure. Contact us.
