By Bruce Sussman
Wed | Jan 13, 2021 | 7:33 AM PST

As organizations around the globe continue examining their networks for tactics, techniques, and procedures (TTPs) used in the SolarWinds cyberattack, something surprising is happening.

Some revealed that the attack TTPs were being carried out within their network even though they had not applied any of the compromised SolarWinds updates or used the SolarWinds Orion product at all.

And other organizations reported finding the attack's TTPs had operated under their digital noses, yet they were not SolarWinds customers and did not have an instance of those products within the environment.

Now comes a disturbing update from CISA that reveals this: the threat actor behind the SolarWinds attack may have cast a wider cyber net around the world than previously believed, using multiple attack vectors to carry out the same type of intrusion, one that can be recognized by its TTPs.

Did the SolarWinds breach reveal the attackers' cyber reach?

Is it possible the discovery of the SolarWinds attack was a tipoff to that threat actor's methods, their TTPs? Is it the proverbial tip of the attack iceberg?

We're getting that feeling based on CISA's updated Alert (AA20-352A) about the attack. 

"One of the initial access vectors for this activity is a supply chain compromise of a Dynamic Link Library (DLL) in the following SolarWinds Orion products," reads the update. SolarWinds was just one of the initial attack vectors.

So that's the SolarWinds attack vector. What else is there? The threat actor is apparently taking advantage of weak or compromised passwords and identity and access management issues at some organizations:

"CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.

CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services."
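The password-spraying vector CISA describes above is easy to miss with per-account lockout rules, because a spray touches many accounts with only one or two attempts each. The following is an added example, not code from the article or from CISA, showing the detection logic a defender would run over external remote-access authentication logs: it groups failures by source address and flags any source that fails against many distinct accounts inside a short window, and it reports which accounts that source then logged into successfully. The log format and all sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the alert): "timestamp user src_ip result".
# 203.0.113.7 sprays five accounts and then lands on "frank"; the other sources are
# a user retyping a password and an isolated failure, neither of which is a spray.
SAMPLE_LOG = """\
2021-01-12T08:00:01 alice 203.0.113.7 FAIL
2021-01-12T08:00:09 bob 203.0.113.7 FAIL
2021-01-12T08:00:17 carol 203.0.113.7 FAIL
2021-01-12T08:00:25 dave 203.0.113.7 FAIL
2021-01-12T08:00:33 erin 203.0.113.7 FAIL
2021-01-12T08:00:41 frank 203.0.113.7 SUCCESS
2021-01-12T08:01:00 alice 198.51.100.20 FAIL
2021-01-12T08:01:05 alice 198.51.100.20 FAIL
2021-01-12T08:01:10 alice 198.51.100.20 SUCCESS
2021-01-12T09:30:00 bob 192.0.2.44 FAIL
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least min_users distinct accounts
    within one sliding window. Per-account lockout thresholds never trip on a
    spray, so the signal is the number of distinct accounts per source, not
    the number of attempts per account."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        by_src[src].append((ts, user, result))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            failed_users = {u for _, u, res in in_window if res == "FAIL"}
            if len(failed_users) >= min_users:
                # Successes from the same source in the window are the accounts to reset first.
                succeeded = sorted({u for _, u, res in in_window if res == "SUCCESS"})
                findings[src] = {"distinct_failed_users": len(failed_users),
                                 "successes_after_spray": succeeded}
                break
    return findings

if __name__ == "__main__":
    print(detect_password_spray(parse_log(SAMPLE_LOG)))
```

Tune `window` and `min_users` to the normal failure rate of the service; externally reachable administrative logins warrant a lower threshold than a general user portal.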

And there is more. CISA cites industry research that the threat actor may also be using a key to bypass multi-factor authentication (MFA) and gain network access:

"Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA). Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two."

And according to CISA, there may be additional attack vectors underway by the same threat actor.

"This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered.

Initial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as additional initial vectors are identified."

What are the indicators of compromise in the SolarWinds attack?

What does this updated information mean for IT and security teams? It means you might want to examine your environment for the indicators of compromise listed in Appendix B of this CISA document.

Even if you've never been a SolarWinds customer.

Also, keep an eye on this in-depth CISA Alert, which is being updated: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
