Happy Monday, and welcome back to Mondays with Miranda! I’m sure we’ve all heard about the recent SolarWinds hack by now, but if you haven’t, stay tuned.
What do we know so far? The breach began back in March 2020, when an email system used by the Treasury Department and other federal agencies was compromised. The hackers entered the system by injecting malicious code into a SolarWinds product update. About 18,000 SolarWinds customers installed the corrupted update onto their systems. SolarWinds’ Security Advisory lists 18 known products affected by the attack, all on Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1, including, but not limited to, Application Centric Monitor (ACM), Server Configuration Monitor (SCM), and Network Performance Monitor (NPM). The attack is still under investigation by the Cyber Unified Coordination Group (FBI, CISA, NSA, and ODNI).
Where did SolarWinds go wrong? From what we have learned, a combination of privileged-access policy failures, poor password protection, and FTP credentials stored on a public GitHub repo all contributed to the ultimate compromise of the SolarWinds code, but it doesn’t end there. Once the hackers gained access to the end user’s network, they employed traditional hacking techniques to compromise the company’s identity provider, i.e. Azure AD or Active Directory. “Investigations into this hack found specific evidence where they got in and created new accounts with elevated privileges to access data.” Once they gave themselves privileged access, it was game over.
While the breach ultimately began with SolarWinds, it was perpetuated, in many cases, by a lack of the fundamental security measures, training, and tools that could have kept such an attack from spiraling out of control. It seems as if multiple layers of security were not implemented on the systems to identify, prevent, or mitigate security incidents. These include preventive controls, predictive controls, and detective controls. A hardened, multilayer approach is always better than a single solution for security protection.
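As an added example (not from the original post or NeQter Labs), here is a small detective control for the pattern described above: a newly created account that is promoted into a privileged group shortly after creation. It runs over constructed Windows Security events; the event IDs 4720 and 4728/4732/4756 are real, but the simplified field names, account names, and group names are assumptions.

```python
"""Detective control: flag accounts added to a privileged group soon after creation."""
from datetime import datetime

# Privileged groups worth alerting on (assumption: adjust to your own directory).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# 4728/4732/4756 = member added to a global/local/universal security-enabled group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events (simplified layout, not a real Windows log schema).
SAMPLE_EVENTS = [
    {"time": "2020-12-01T02:14:05", "id": 4720, "subject": "svc_orion", "target": "backupadm"},
    {"time": "2020-12-01T02:14:40", "id": 4728, "subject": "svc_orion", "member": "backupadm", "group": "Domain Admins"},
    {"time": "2020-12-01T09:00:00", "id": 4720, "subject": "hr_admin", "target": "jdoe"},
    {"time": "2020-12-01T09:05:00", "id": 4728, "subject": "hr_admin", "member": "jdoe", "group": "Staff"},
    {"time": "2020-12-03T11:00:00", "id": 4732, "subject": "ops_admin", "member": "jdoe", "group": "Administrators"},
]


def detect_privileged_account_creation(events, window_seconds=86400):
    """Return one alert per account promoted into a privileged group within
    `window_seconds` of its creation (4720 event). Events may arrive unordered."""
    created = {}  # account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            info = created.get(ev["member"])
            if info is None:
                continue  # pre-existing account; out of scope for this rule
            age = int((ts - info[0]).total_seconds())
            if age <= window_seconds:
                alerts.append({
                    "account": ev["member"],
                    "group": ev["group"],
                    "created_by": info[1],
                    "promoted_by": ev["subject"],
                    "seconds_after_creation": age,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_account_creation(SAMPLE_EVENTS):
        print(alert)
```

With the default 24-hour window only the service-account-created `backupadm` fires; widening the window to three days also catches `jdoe`, which shows why the window is a tuning knob rather than a fixed rule.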
What does NeQter Labs do differently? NeQter Labs is monitoring the SolarWinds breach carefully to determine how we can be more resilient. Many customers have asked whether we or our customers were affected by the SolarWinds hack, and the answer is no. NeQter Labs does not use SolarWinds internally, nor do we use it in our code. While the NeQter Labs appliance shares similar functionality with the SolarWinds platform, our approach is quite different. The NeQter Labs appliance is a passive tool and does not sit in-line with our customers’ networks. Our tool is simply for monitoring purposes, and we do not require privileged access to Active Directory on any of our customers’ networks. NeQter Labs is a security-oriented company and puts our customers’ security first. We will continue to monitor the situation, and we are continuing to update and implement new security features in our product. Check back soon for updates!
That’s all for today! Thank you for tuning in to this week’s segment of “Mondays With Miranda!” Keep up to date with current news by following NeQter Labs on Twitter, Facebook, and LinkedIn. We love comments and questions, so drop me an email at [email protected].