Is there a trojan on your network?

New Zealand Security Magazine - February-March 2021

Solarwinds: engineered to avoid detection.

The SolarWinds attack has wreaked havoc across thousands of organisations, writes Planit Software Testing’s David Withers APP, and electronic physical security systems are particularly vulnerable to it. 

US Government departments are among the up to 18,000 enterprise customers who installed a trojanised update in a serious supply chain attack on the SolarWinds Orion platform. Does anyone you connect your systems to use it?

“An Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” read a 5 January 2021 joint statement from the FBI, ODNI, NSA, and CISA. “At this time, we believe this was, and continues to be, an intelligence gathering effort.”

“CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations,” the US Cybersecurity and Infrastructure Security Agency (CISA) recently reported. 

“An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked.”

The SolarWinds Orion platform is an infrastructure monitoring and management product designed to simplify IT administration by giving administrators a single view of the IT stack. To do that it holds privileged credentials for, and has network reach to, the servers, network devices and cloud services it monitors, so it is effectively linked to all core IT infrastructure in the organisations that run it. Governments and large enterprises are among its users.  

Given that depth of integration, it was the perfect trojan for delivering tools that gave the actor access to systems, including cloud services, across a wide array of organisations.

How did it happen?

The actor got into SolarWinds’ own environment and, rather than altering the Orion source code, planted an implant (later named SUNSPOT by CrowdStrike) on the build server. SUNSPOT waited for the Orion build to run and swapped one source file for a backdoored copy during compilation, so the code in the repository stayed clean while the compiled and digitally signed Orion DLL shipped to customers carried the backdoor. SolarWinds has not publicly confirmed how the actor first got in.

Separately, CISA reports that the same actor also gained initial access to victim networks without going through Orion at all, using external remote access services with password guessing, password spraying and inappropriately secured administrator credentials. Once inside a network or cloud tenant, it escalated to administrator rights, abused authentication mechanisms (including forging SAML tokens), and from there could reach every resource those rights covered, local or cloud.  
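Password spraying against an externally exposed remote access service leaves a recognisable pattern in the gateway’s authentication log: one source address failing against many different accounts in a short window, with only one or two attempts per account (so no lockout fires), sometimes followed by a success. The detector below is an added example written for this article, not code from CISA, SolarWinds or Planit. The log lines are constructed and their format is an assumption; adapt the regular expression to what your VPN, RDP gateway or identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical addresses and users).
# The "<timestamp> <OK|FAIL> user=<name> src=<ip>" shape is an assumption;
# adapt LINE to the real format of your VPN, RDP gateway or IdP.
SAMPLE_LOG = """\
2021-01-12T03:00:01Z FAIL user=alice src=203.0.113.7
2021-01-12T03:00:09Z FAIL user=bob src=203.0.113.7
2021-01-12T03:00:17Z FAIL user=carol src=203.0.113.7
2021-01-12T03:00:25Z FAIL user=dave src=203.0.113.7
2021-01-12T03:00:33Z FAIL user=erin src=203.0.113.7
2021-01-12T03:00:41Z OK user=frank src=203.0.113.7
2021-01-12T03:05:00Z FAIL user=alice src=198.51.100.4
2021-01-12T03:05:30Z FAIL user=alice src=198.51.100.4
2021-01-12T03:06:00Z OK user=alice src=198.51.100.4
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) tuples, skipping lines that do not match."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_spray(log, window_minutes=10, min_accounts=5):
    """Return {src: {"accounts_tried": n, "succeeded_as": [users]}} for each source
    that failed against at least min_accounts distinct accounts inside one window.

    The view is per source, not per account, on purpose: a spray stays under
    per-account lockout thresholds, so counting failures per account never trips.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for event in parse(log):
        by_src[event[3]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        failures = [e for e in events if e[1] == "FAIL"]
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start <= window]
            accounts = {e[2] for e in in_window}
            if len(accounts) >= min_accounts:
                # Any success from the same source after the spray began points at
                # the account most likely to have been compromised.
                wins = sorted({e[2] for e in events if e[1] == "OK" and e[0] >= start})
                alerts[src] = {"accounts_tried": len(accounts), "succeeded_as": wins}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {info['accounts_tried']} accounts, "
              f"later authenticated as {info['succeeded_as'] or 'nobody'}")
```

On the constructed sample, 203.0.113.7 is flagged (five accounts in 32 seconds, then a successful login as frank), while 198.51.100.4, one user mistyping a password twice, is not. Tune the window and account threshold to your own baseline before wiring this into alerting.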

The trojanised builds were Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020 (the actor had been inside SolarWinds since at least September 2019 and test-ran the build modification in October 2019 before adding the backdoor). Any of the up to 18,000 customers who installed one of these builds received the SUNBURST backdoor inside the signed SolarWinds.Orion.Core.BusinessLayer.dll. SUNBURST is only a first stage: it profiled the host and reported back, and the actor pushed second-stage tooling only to the small subset of victims it was interested in. 

SUNBURST is engineered to avoid detection. It stays dormant for up to about two weeks after installation, checks for analysis tools and security products before activating, and disguises its command-and-control traffic as the Orion Improvement Program telemetry the product legitimately sends. The DLL carrying it was signed with SolarWinds’ own code-signing certificate, so signature checks passed. On top of that, SolarWinds’ own guidance told customers to exclude the Orion directories from antivirus scanning to prevent false positives, so many customers’ endpoint agents never looked at it.  

How does this affect me?

Electronic physical security systems are particularly vulnerable to this type of attack. These systems typically need to use facilities’ IT infrastructure to link monitoring and management tools to CCTV and access control infrastructure. Given the nature of the infrastructure used, it is common that:

  • Systems that are installed stay in place for decades
  • The systems have access to the organisation’s business networks
  • Security on the physical security devices themselves is typically weak (for example default passwords, one password shared across devices, no 2FA)
  • Once installed, these devices are infrequently patched, if ever.

Given all these weaknesses, any part of your physical security network could be carrying a trojan or other malware without you knowing it. Ironically, these networks are typically monitored by tools like SolarWinds Orion. 
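The first step in knowing whether that is true is an inventory audit. The script below is an added example written for this article, not code from Planit or any vendor: it takes a device inventory (here a constructed sample) and flags the weaknesses listed above, namely vendor default credentials, one credential shared across several devices, no 2FA on the management interface, devices not patched within a year, and devices that have been in service for over a decade. Credentials are compared as SHA-256 fingerprints so the audit never needs plaintext; the sample builds its fingerprints from made-up passwords only for readability, and the set of vendor defaults is an assumption you would replace with your own vendors’ real defaults.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta


def fingerprint(password: str) -> str:
    """Unsalted SHA-256 of a credential: enough to tell 'same password' across
    devices without keeping plaintext in the inventory. This is a comparison
    aid, not a password store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Assumed vendor defaults; replace with the real defaults for your CCTV/ACS vendors.
DEFAULT_CREDENTIALS = {fingerprint(p) for p in ("admin", "12345", "password")}

# Constructed sample inventory: hypothetical devices, dates and passwords.
INVENTORY = [
    {"id": "cam-lobby-01", "kind": "cctv", "installed": date(2009, 5, 1),
     "last_patched": date(2009, 5, 1), "cred": fingerprint("12345"), "mfa": False},
    {"id": "cam-dock-02", "kind": "cctv", "installed": date(2012, 2, 14),
     "last_patched": date(2012, 2, 14), "cred": fingerprint("12345"), "mfa": False},
    {"id": "acs-ctrl-01", "kind": "access-control", "installed": date(2015, 8, 3),
     "last_patched": date(2020, 11, 20), "cred": fingerprint("Site!Shared2015"), "mfa": False},
    {"id": "acs-ctrl-02", "kind": "access-control", "installed": date(2015, 8, 3),
     "last_patched": date(2020, 11, 20), "cred": fingerprint("Site!Shared2015"), "mfa": True},
    {"id": "nvr-core-01", "kind": "nvr", "installed": date(2019, 1, 10),
     "last_patched": date(2021, 1, 15), "cred": fingerprint("uQ7#vL2p!xN9wE4r"), "mfa": True},
]


def audit(inventory, as_of, max_patch_age_days=365, max_service_years=10):
    """Return {device_id: sorted finding codes} for every device with a finding."""
    devices_per_cred = defaultdict(list)
    for dev in inventory:
        devices_per_cred[dev["cred"]].append(dev["id"])

    findings = {}
    for dev in inventory:
        found = []
        if dev["cred"] in DEFAULT_CREDENTIALS:
            found.append("default-credential")
        if len(devices_per_cred[dev["cred"]]) > 1:
            found.append("shared-credential")   # one compromise opens all of them
        if not dev["mfa"]:
            found.append("no-mfa")
        if as_of - dev["last_patched"] > timedelta(days=max_patch_age_days):
            found.append("stale-patch")
        if as_of - dev["installed"] > timedelta(days=365 * max_service_years):
            found.append("long-in-service")     # decade-old gear is rarely still supported
        if found:
            findings[dev["id"]] = sorted(found)
    return findings


def audit_sample(as_of_iso="2021-02-01"):
    """Run the audit over the constructed inventory as of the given ISO date."""
    return audit(INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for device_id, codes in audit_sample().items():
        print(f"{device_id}: {', '.join(codes)}")
```

Run against the sample as of 1 February 2021, the two cameras come back with default, shared credentials, no 2FA and no patches since installation; the two access controllers share one password between them; the recently patched NVR with its own credential and 2FA produces no finding. Export the same fields from your real CCTV and access-control management consoles and the audit runs unchanged.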

The SolarWinds attack depends on staying undetected: the longer it goes unnoticed, the further it can spread, constantly hunting for new hosts and burrowing deeper into your network. Given the weak security of many physical security systems and the access they provide to business networks, they are a perfect vector for such an attack. 

What IT security practices should I follow? 

Ferdinand Hagethorn, Director Security Services at Planit Testing, recommends you follow zero trust practices, including:

  1. Security is everybody’s responsibility, including the business’
  2. Position security as a business enabler – show you do security well
  3. Security is part of the design and implementation
  4. Leave that ‘build now, secure later’ attitude at the door
  5. Secure your tech, people, and processes
  6. Apply the least privilege principle – not everybody needs admin/root, and neither does everybody have a ‘need to know’
  7. Secure all your environments, including your test environment – Yes, I’m looking at you, company that is holding a copy of production data there, because “it’s easy, so why not?”
  8. Keep track of current threats
  9. Keep track of current vulnerabilities – in your code, third party libraries, and infrastructure components
  10. Budget for security efforts, including tech, training, support.
  11. Be proactive! Be prepared to find a vulnerability and breach – it’s not if, it’s when; and respond fast

IT security has to be part of the design and not an afterthought. It also needs everyone considering it when they operate the business day-to-day. Constant vigilance and a strong security culture are required to keep your business safe. 

So do you have a trojan in your network? The time to act is now. If you need help, engage an IT security consultant to assist you to protect your business from cyberattack.