12/29/2020

SolarWinds: Your Attack Surface Just Got Bigger

F-22 Raptor

You can break down an organization's susceptibility to compromise into attack surfaces. For instance, if you wanted to attack this F-22 Raptor you could shoot projectiles or explosives at its wings, body, engines and so on. That is one attack surface of the plane: the external attack surface. There are others, however. What if you could contaminate the pilot's food beforehand so he or she got sick and was unable to fly? How about compromising someone on the maintenance crew to disable the aircraft? These are internal attack surfaces of the plane, and just like the military, companies must protect them as well. Someone could even attempt to tamper with the manufacture of a spare part at a third-party facility in hopes of grounding the plane.

Most security audits or penetration tests concentrate on your organization's external network attack surface: your website, application servers, routers, VPN appliances, etc. However, your organization's network also has an internal attack surface: behind the firewall, behind the DMZ, on the local network your employees use every day to get things done. It is just as important as the external network. It is where your trade secrets, your billing, your customer records, and your financial records all sit.

If your external network is bulletproof, you might think, then internal network security isn't that important. I think you're wrong on that, because your threats are not just external; they can be internal as well. Your security guards can be highly trained so outsiders can't get in, your employees can be vetted and beyond reproach (sometimes they get angry), your anti-phishing training can be 100% effective (it isn't), and still your internal network is vulnerable, because it's no longer just your own organization you have to worry about. Perceptions changed in the most catastrophic way in December 2020.

SolarWinds

In early December 2020, FireEye, a major computer security firm, announced it had been hacked and proprietary tools stolen. This might seem like a "cobbler's kids have no shoes"* scenario, but it may turn out that the hackers were only caught because FireEye's security was tighter than most. The hack didn't originate with FireEye; it came in through a product of an upstream provider, SolarWinds. SolarWinds provides the network management software FireEye (and about 30,000 other companies and government agencies) use, and that software had been altered to contain a backdoor**. Microsoft, also affected, believes up to 18,000 installs of the SolarWinds Orion product may be infected.

This happened because SolarWinds itself was hacked and the attackers gained access to its software build process. They modified the build so that the shipped software included the backdoor, and because the change was made before signing, the trojaned update carried SolarWinds' own legitimate code signature. Then they waited. They waited for customers to pull the new version through the kind of automated software update process we all use. The backdoor was small and quiet enough to fly under the radar of anti-virus software. The attackers had months to exploit these backdoors before they got a little too aggressive and FireEye's internal security caught them.

This "supply chain attack" is hard to plan for and hard to detect. You have to trust someone, and well-known, well-regarded software suppliers would certainly be on that list. Even software that arrives certified, scanned, and cryptographically signed from the vendor may be compromised: the signature proves that the vendor's key signed those exact bytes, not that those bytes are what the vendor intended to ship. Just as this supply chain attack was announced, it was discovered that a hacker had implanted malware in the Vietnam government's digital signature toolkit.
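To make the build-process point concrete, here is an added example (not SolarWinds code and not from the original post) that models a release pipeline in Python. The vendor key, the source, and the implant are constructed stand-ins, and HMAC-SHA256 stands in for a real asymmetric code signature. It shows that an implant inserted at the build step passes the customer's signature check untouched, while an independent rebuild from the same source does expose it:

```python
import hashlib
import hmac

# Constructed, toy inputs: none of this is SolarWinds code or a real key.
VENDOR_SIGNING_KEY = b"vendor-release-signing-key"  # stand-in for the vendor's private code-signing key
CLEAN_SOURCE = b"def check_for_updates():\n    return fetch('https://updates.example.invalid/')\n"
IMPLANT = b"\ndef _beacon():\n    pass  # stand-in for a backdoor that phones home and runs commands\n"


def build(source: bytes, build_host_compromised: bool = False) -> bytes:
    """Toy build step: turns source into a release artifact.

    When the build host is compromised the implant is spliced in here,
    after code review and before signing. Nothing upstream (reviewers,
    source control) ever sees it, and the signing step cannot tell.
    """
    artifact = b"# release artifact\n" + source
    if build_host_compromised:
        artifact += IMPLANT
    return artifact


def sign(artifact: bytes) -> str:
    """Vendor signs whatever the build produced.

    HMAC-SHA256 stands in for an asymmetric code signature; the property
    is the same: a valid signature means "the vendor's key signed these
    exact bytes", not "these bytes are what the vendor intended to ship".
    """
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str) -> bool:
    """The check an automatic updater performs before installing."""
    return hmac.compare_digest(sign(artifact), signature)


def matches_independent_build(artifact: bytes, source: bytes) -> bool:
    """A check the signature cannot replace: rebuild the same source on a
    separate, trusted host and compare hashes. Only the vendor (or an
    auditor with source access) can do this, and it assumes the build is
    deterministic, which is itself an engineering effort.
    """
    reference = build(source)
    return hashlib.sha256(reference).digest() == hashlib.sha256(artifact).digest()


def release(build_host_compromised: bool) -> dict:
    """Simulate one release cycle and report what each control sees."""
    artifact = build(CLEAN_SOURCE, build_host_compromised)
    signature = sign(artifact)
    return {
        "implant_present": IMPLANT in artifact,
        "signature_valid": verify(artifact, signature),
        "matches_independent_build": matches_independent_build(artifact, CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for compromised in (False, True):
        print("build host compromised:", compromised, release(compromised))
```

Signature verification still does its job against anything modified after signing, which is exactly why an attacker who can reach the build host wants to get in before that point. The rebuild comparison, on the other hand, is only available to whoever has the source and a deterministic build; a customer of a closed-source product cannot run it, which is why the rest of this post argues for testing what an attacker can do once such a backdoor is already inside.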

Assumed Compromise Test

An "assumed compromise test" like the one performed by Alertra specifically targets the internal network and asks the question: "If the bad guys get in, what can they do?" We probe the network looking for weak spots that can be exploited to gain further access. Can we gain elevated access, even up to Domain Admin? Can we pivot from an administrative network to your secure research and development network? Are your databases protected, or can we gain access, and to what data?

We'll send you a "dropbox", which is essentially a stand-in for an attacker who finds herself newly on your network. The dropbox is a computer that you plug into your network and that only our certified pentesters have access to. We will work closely with you to define the parameters of the test and establish clear channels of communication so that you are always in touch with us while the test is ongoing. At the end of the testing period we will delete any data stored on the dropbox and you send it back to us. The product of this will be a report that describes your network as an attacker would see it. We will walk you through the report via conference call or video meeting. Unlike a real attacker, we'll also let you know what steps you can take to mitigate any problems we find. Of course, any information we find or discuss will be covered by a Non-Disclosure Agreement and held in the strictest confidence.

Conclusion

You'll find a lot of companies willing to test your external attack surface: your website, app servers, VPN appliances, etc. (we'd happily do that too). But that is only a portion of your organization's exposure. Your internal network is attackable. Threat actors can breach your physical security by any of several means. A "customer" may slip a USB Rubber Ducky (a thumb drive that presents itself to the computer as a keyboard and types attacker-chosen commands the moment it is plugged in) into an unattended computer. Or a vendor can be compromised, opening you up to compromise as well.

Learn more about our internal, or "assumed compromise", test today. Our certified pentesters will analyze your network and provide detailed analysis and reporting you can use to further secure it. Your attack surface just got a lot bigger.

Author

Kirby Angell is the CTO of Alertra, Inc. and a certified pentester. In addition he has written several articles on Python programming for magazines back when that was a thing. He contributed a chapter to the 1st edition of "The Quick Python Book" published by Manning. He was one of the first 10 Microsoft Certified Solution Developers. Ah the 90s...he probably still has a "Members Only" jacket. He is certified to teach firearms classes in Oklahoma and holds a black belt in mixed martial arts.

References

https://en.wikipedia.org/wiki/SolarWinds

https://www.solarwinds.com/securityadvisory

https://arstechnica.com/information-technology/2020/12/18000-organizatio...

https://thehackernews.com/2020/12/software-supply-chain-attack-hits.html

https://thehackernews.com/2020/12/new-evidence-suggests-solarwinds.html

https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html

https://en.wikipedia.org/wiki/FireEye

* A cobbler makes shoes. Shoes he makes for customers make him money, but shoes he makes for family do not. Therefore the cobbler's children may not get the best shoes...or any.

** A backdoor gives an attacker access to a computer in a way that bypasses the access controls put in place by its owner.