The FireEye breach, in which sophisticated red team tools were stolen, has turned out to be part of one of the most damaging cyberattacks in recent history. With today's news that the same Russian operatives also compromised SolarWinds' Orion software, the attack has proven far worse than anyone first thought.
FireEye's investigation surfaced a supply chain attack that trojanized legitimate SolarWinds Orion software updates to distribute malware. The campaign, which may date back to as early as fall 2019, affects Orion versions 2019.4 HF 5 through 2020.2.1.
According to FireEye, a digitally signed SolarWinds component of the Orion software framework contains a backdoor, dubbed SUNBURST, that communicates over HTTP with attacker-controlled command-and-control (C2) servers. Because the component carries a valid SolarWinds signature, signature checks alone will not flag it; affected installs have to be identified by version. Orion is an IT performance monitoring platform that integrates with a business's full IT stack, so a trojanized Orion is akin to handing attackers the keys to every SolarWinds customer's network.
CISA has issued Emergency Directive 21-01, directing federal civilian agencies to review their networks and disconnect or power down affected SolarWinds Orion instances; the same steps are prudent for any organization running the software. Beyond disconnecting, though, real-time global visibility is the most effective weapon against this breach.
How RiskIQ Can Help
FireEye and other security experts analyzing early information on the attack have said that internet-scale data sets can help detect whether your organization is affected. RiskIQ's global collection platform contains the telemetry needed to find the public-facing presence of SolarWinds Orion and to analyze the DNS records and certificates where attackers left fingerprints of their presence on your network.
1. Ongoing Threat Intelligence Coverage
RiskIQ has published, and will continue to update, internet-wide observations of the IOCs and other artifacts released publicly. Our threat intelligence and i3 Incident Investigation and Intelligence teams are working around the clock to assist customers and partners with incident response.
2. Detect SolarWinds Software and Orion versions
RiskIQ's Internet Intelligence Graph contains a detection for the SolarWinds Orion application. RiskIQ can identify the affected Orion versions (2019.4 HF 5 through 2020.2.1) across an organization's internet attack surface, which helps determine whether your organization is impacted. Note that this external view only covers Orion instances that are reachable from the internet; it complements, rather than replaces, an internal software inventory.
Additionally, we have found that SolarWinds products set a specific web cookie and embed a user analytics tracker; both can be used to hunt for additional instances in your environment or user base.
RiskIQ Digital Footprint customers can view SolarWinds systems potentially affected by this vulnerability within RiskIQ's Attack Intelligence Dashboard.
3. Query global SSL Cert database
According to FireEye's blog, the attackers set the hostnames on their command-and-control infrastructure to match legitimate hostnames found within the victim's environment, so that their traffic blends in. However, that infrastructure leaks its configured hostname in the RDP SSL certificates it presents, which is identifiable in internet-wide scan data.
RiskIQ's mass scanning and network of virtual users create a dynamic index of SSL certificates in our Internet Intelligence Graph, allowing organizations to check whether their internal hostnames appear in certificates served from attacker-owned infrastructure. RiskIQ's i3 team can assist organizations that need help parsing large-scale internet datasets to search for these IOCs.
4. DNS Data
According to FireEye, querying internet-wide scan data sources for an organization's hostnames can uncover malicious IP addresses masquerading as that organization. Cross-referencing the IPs identified in scan data against remote access logs (VPN concentrators, RDP gateways, and similar) may surface evidence of this actor in an environment. A match is a lead to investigate, not proof of compromise on its own.
RiskIQ observed DNS queries and responses during the attack window cited by FireEye. RiskIQ's i3 response analysts are available to help apply this information in your internal tools and to build ongoing monitoring inside RiskIQ's platform.
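The two checks in sections 3 and 4 amount to one hunt: find IPs outside your own address space whose certificates present your hostnames, then look for those IPs in your remote access logs. The script below is an added example, not RiskIQ's or FireEye's code, and it works on constructed data: the scan records, organization hostnames and ranges, and the log format are all made up for illustration, and the `hunt` function is a hypothetical driver rather than any RiskIQ API.

```python
"""Hunt for attacker infrastructure masquerading as an organization's hosts.

Added example (not RiskIQ's or FireEye's code). Inputs:
  * scan records: (ip, certificate subject name) pairs, as an internet-wide
    RDP/TLS scan dataset might return them
  * the organization's own hostnames and public IP ranges
  * remote-access log lines
All sample data below is constructed for illustration.
"""
import ipaddress
import re

# Constructed: the organization's internal hostnames and public IP ranges.
ORG_HOSTNAMES = {"vpn.example-corp.local", "dc01.example-corp.local",
                 "mail.example-corp.com"}
ORG_NETWORKS = ["203.0.113.0/24"]

# Constructed scan records: (ip, certificate subject CN).
SCAN_RECORDS = [
    ("203.0.113.10", "vpn.example-corp.local"),   # our own VPN: expected
    ("198.51.100.7", "dc01.example-corp.local"),  # external IP presenting our DC name
    ("192.0.2.55", "WIN-7K3Q9XJ2"),               # unrelated default hostname
    ("198.51.100.9", "MAIL.EXAMPLE-CORP.COM"),    # case differs, still our name
]

# Constructed remote-access log lines in a hypothetical VPN concentrator format.
REMOTE_ACCESS_LOG = """\
2020-09-04T02:13:45Z vpn01 session-start user=jdoe src=198.51.100.7 dst=203.0.113.10
2020-09-04T02:14:02Z vpn01 session-start user=asmith src=192.0.2.200 dst=203.0.113.10
2020-09-05T11:40:10Z vpn01 session-start user=svc_backup src=198.51.100.9 dst=203.0.113.10
"""


def find_masquerading_ips(scan_records, org_hostnames, org_networks):
    """Return {ip: cert_name} for records whose certificate name matches one of
    our hostnames (case-insensitively) but whose IP lies outside our ranges."""
    wanted = {h.lower() for h in org_hostnames}
    nets = [ipaddress.ip_network(n) for n in org_networks]
    hits = {}
    for ip, cert_name in scan_records:
        if cert_name.lower() not in wanted:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # our own infrastructure presenting its own name
        hits[ip] = cert_name
    return hits


LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def cross_reference(log_text, suspect_ips):
    """Return parsed log entries whose source or destination is a suspect IP.
    Lines that do not fit the expected format are skipped, not guessed at."""
    matches = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        if entry["src"] in suspect_ips or entry["dst"] in suspect_ips:
            matches.append(entry)
    return matches


def hunt(scan_records=SCAN_RECORDS, log_text=REMOTE_ACCESS_LOG,
         org_hostnames=ORG_HOSTNAMES, org_networks=ORG_NETWORKS):
    """Hypothetical driver: scan data -> suspect IPs -> remote-access sessions."""
    suspects = find_masquerading_ips(scan_records, org_hostnames, org_networks)
    sessions = cross_reference(log_text, set(suspects))
    return suspects, sessions


if __name__ == "__main__":
    suspects, sessions = hunt()
    for ip, name in suspects.items():
        print(f"suspect {ip} presents our hostname {name}")
    for s in sessions:
        print(f"review session {s['ts']} user={s['user']} src={s['src']}")
```

Two design points: hostname comparison is case-insensitive because certificate subjects are not consistently cased, and IPs inside your own ranges are excluded so that your real VPN or mail server presenting its own name is not reported. A hit still only identifies an IP worth pulling into an investigation; cloud-hosted services you legitimately run outside your ranges will also match and need to be whitelisted.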
RiskIQ Delivers Global Real-time Attack Surface Intelligence
With last week's news of the FireEye hack, the security community examined the fallout of new advanced hacking tools entering the cyberthreat arena. The breach of SolarWinds carries even more serious consequences and will be the primary focus of anyone with 'security' in their job title for months to come.
SolarWinds' customer base is massive and widespread, including government agencies worldwide and many of the world's largest private organizations. The list includes 425 of the 500 largest publicly traded U.S. companies, all five U.S. military branches, the Pentagon, the State Department, NASA, and the National Security Agency.
Contact us today to find out how RiskIQ can help you manage your attack surface while this critical threat is at large, and join the RiskIQ Community for threat intelligence, indicators, and mitigation strategies across the global attack surface.