SolarWinds software causes worldwide hack.

SECURINETS
Dec 30, 2020

Is it finally high time to admit that we are living in a dog-eat-dog world where everyone is jammed together in an unwieldy social mass? So ruthless that nowadays countries are heedlessly willing to harm each other in order to climb towards success. And sometimes, it only takes a single bug for the adversary to win the battle.

Consider the case where US agencies got hacked, including the US Treasury and the Commerce Department’s National Telecommunications and Information Administration (NTIA), which were targeted in an attack that monitored their internal email traffic. It’s feared that the hacks uncovered so far are only the tip of the iceberg.

Anonymous sources stated that it was the work of APT29, also known as Cozy Bear, a Russian state-sponsored hacker group that’s believed to have targeted the US-based cybersecurity firm FireEye a few days earlier, leading to the theft of its Red Team penetration testing tools as well as payloads that take advantage of critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).

In response to the allegations, the Russian embassy in the USA said in a Facebook post: “We paid attention to another unfounded attempt of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies.” Despite Russia’s denial, the United States did not stop investigating how the intruders made their way through its security systems. And although much remains unclear, many signs show that adversaries tampered with an Orion business software update released earlier this year by the Texas-based IT infrastructure provider SolarWinds in order to infiltrate the systems of its customers, including educational institutions, government agencies such as NASA, the National Security Agency (NSA), the US military, the Pentagon, the State and Justice departments and the Office of the President of the United States, as well as FireEye, and mount a highly sophisticated supply chain attack.

These new leads led the director of the US Cybersecurity and Infrastructure Security Agency (CISA) to urgently demand that networks be reviewed for suspicious activity and that SolarWinds Orion products be disconnected or powered down immediately.

After investigating, FireEye states that the attack takes advantage of a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST, and that “This campaign may have begun as early as Spring 2020 and is currently ongoing”.

In addition, it confirms that “Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly-skilled actor and the operation was conducted with significant operational security”.

Once delivered, the malicious version communicates with remote servers over HTTP to retrieve and execute malicious commands, disguising that traffic as Orion Improvement Program (OIP) traffic. To avoid detection, the IP addresses used for the attack are obfuscated by routing through VPN servers located in the same country as the victim.
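As an added illustration of how a defender would act on the behaviour described above (this is not code from the original post or from SolarWinds or FireEye): the check below keys on where Orion servers talk to, and deliberately ignores both the OIP-looking URI and the fact that the destination sits in the victim's own country. The log format, host names, process name and vendor allowlist are assumed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed proxy log lines for this example (not data from the original post).
# Assumed field order: timestamp src_host process dest_host dest_country method uri
SAMPLE_PROXY_LOG = """\
2020-06-02T09:14:01Z orion-01 SolarWinds.Orion.Core.exe updates.example-vendor.test US GET /Orion/update.xml
2020-06-02T09:15:22Z orion-01 SolarWinds.Orion.Core.exe cdn-7x2.example-unknown.test US GET /swip/Upload.ashx
2020-06-02T09:16:05Z ws-117 chrome.exe news.example.test US GET /
2020-06-02T09:17:40Z orion-01 SolarWinds.Orion.Core.exe telemetry.example-vendor.test US POST /swip/Events
2020-06-02T09:18:11Z orion-02 SolarWinds.Orion.Core.exe 203.0.113.7 US POST /swip/Events
"""

# Hypothetical asset inventory and vendor endpoint allowlist; a real deployment
# would load both from asset management and the vendor's published endpoint list.
ORION_HOSTS = {"orion-01", "orion-02"}
VENDOR_ENDPOINTS = {"updates.example-vendor.test", "telemetry.example-vendor.test"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy log line into named fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    return dict(zip(("ts", "src", "proc", "dest", "country", "method", "uri"), parts))


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious(log_text: str, orion_hosts=ORION_HOSTS, allowed=VENDOR_ENDPOINTS) -> List[Dict[str, str]]:
    """Flag outbound HTTP from Orion servers to any destination outside the vendor
    allowlist. Destination country and OIP-looking URIs are deliberately ignored:
    the backdoor mimics OIP paths and egresses via in-country VPN servers, so
    neither clears a flow."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] not in orion_hosts or rec["dest"] in allowed:
            continue
        kind = "raw IP destination" if is_ip_literal(rec["dest"]) else "unknown destination"
        rec["reason"] = f"{kind} (in-country egress {rec['country']} not treated as benign)"
        findings.append(rec)
    return findings
```

Workstation browsing and Orion traffic to the allowlisted vendor hosts pass; the two Orion flows to an unknown host and to a raw IP are flagged even though both show the victim's country and an OIP-style path.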

However, a software update was released on December 15 that provides several additional security enhancements and fixes the previous bug.

What’s worse is that the attacks kept propagating: FireEye detected the same activity in several other countries across North America, Europe, Asia, and the Middle East, which implies a huge supply chain attack campaign on a global scale.

To conclude, the United States won’t stay quiet for long. It will recover from the damage and launch a counterattack as soon as possible in order to get its revenge.

By Ahmed Gritli & Wassila Chtioui

Additional resources:

Suspected Russian hackers spied on U.S. Treasury emails — sources | Reuters
US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor (thehackernews.com)