2020-12-15

It has been reported that the Department of Homeland Security (DHS) was successfully breached as part of a major attack on U.S. federal agencies by suspected Russian hackers, Reuters said yesterday. Reuters cited “people familiar with the matter” in reporting that hackers believed to be working for the Russian government had successfully gained access to internal communications within DHS.
Joe Slowik
The SUNBURST campaign represents a uniquely distressing intrusion event with implications for multiple industries and network operators. The ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, mean victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder. While this is concerning and unfortunate for the present circumstances, future supply chain attacks—as this will not be the last such incident to impact network defenders and operators—can be met with and detected by aggressive NSM and communication visibility. So long as even the most complex backdoor or implant requires communication to or instructions from a controlling entity, defenders have opportunities to detect and disrupt operations. Through continuous monitoring of network traffic and an understanding of what hosts are communicating, defenders can leverage attacker weaknesses and dependencies to overcome these otherwise daunting challenges.
While the news of the massive global SolarWinds breach is an all-too-painful reminder of the WannaCry attack in 2017 that crippled NHS and dozens of other UK healthcare organisations, today is not the time to panic. If 2020 has taught us anything, it is that the COVID-19 pandemic has improved the resiliency of security professionals and reinforced how determined defenders are to rid networks of cyber espionage adversaries. In fact, all UK companies should respond with a cold, logical, rational response. As far back as March, Russian hackers affiliated with the Cozy Bear group slipped malware into SolarWinds’ IT management platform and waited for months to detonate it. Thus far, we know that the Department of Homeland Security, U.S. Treasury, and U.S. Commerce Department were hacked. And so were many of the world’s Fortune 500 companies, including many UK companies. What’s next as the world’s largest forensics investigation continues and upwards of 20,000 companies have been breached? In general, now is not the time for security experts to panic. A practical and measured response is advised. If SolarWinds is being used in your organization, strengthen your security posture as follows:

● Isolate machines running SolarWinds until further information is available as the investigation unfolds
● Reimage impacted machines
● Reset credentials for accounts that have access to SolarWinds machines
● Upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible. SolarWinds has also provided further mitigation steps.

In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks. Ensure your company is always on the hunt for adversaries. The sooner you do these things the sooner you can assume no one is lurking in your network in silent mode.
