What’s Scarier Than the SolarWinds Breach?

The recent breach of the SolarWinds Orion platform, in which a sophisticated team of hackers – perhaps affiliated with a nation-state – was able to insert malware into software updates that went out to thousands of companies, illustrates just how cyber-insecure we really are. That such an important tool, relied upon by hundreds of thousands of organizations for updates, network monitoring and other services, could be so badly breached (the attackers, according to experts, had been inside for months before they were detected) has sent a chill up corporate America’s spine.

But the story here is different – what should really scare us is the lack of basic security that characterizes the vast majority of IT systems, whether in small organizations, multinational corporations or the government. As sophisticated as the attack was, the real damage came after the breach – through the malware the attackers were able to deliver to Orion clients.

The techniques the attackers used once inside victim networks have been around for years, as have the tools to detect and block them. That the intruders were able to establish themselves in the systems of so many Orion clients shows that many of them were not properly defended against even these basic attacks – using anti-malware systems and defensive measures that should have been in place long ago, such as hardening network and remote-access connections, ensuring that authentication is secure, eliminating unused user accounts, and so on. That companies, many years on in the cyberwars, are still not doing these basic things is what is truly frightening. The breach may have been advanced, but protecting systems from the follow-on activity is relatively simple – and cheap. Organizations that do take these steps are far less likely to suffer serious damage from hackers, no matter how sophisticated the initial attack.

The entity behind the SolarWinds breach was able to use the company’s update tool to send out malware to nearly 18,000 Orion clients. But as sophisticated as the breach of the Orion tool was, the malware distributed used well-known hacking techniques to compromise systems – techniques like brute-force password guessing, phishing messages, seeking out unused and easily-infiltrated administrator accounts and the like. These techniques – and their antidotes – have been around for years. What should really concern us is that organizations are still vulnerable to basic attacks like these, despite years of education and billions of dollars spent to protect against them.

The SolarWinds attack was termed a “grave risk to the Federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the Cybersecurity and Infrastructure Security Agency (CISA) said in a statement, adding that hackers were able to use the Orion updates to gain access to assets in victim organizations. But it’s what happened after the breach that is truly shocking. Had companies implemented basic cybersecurity, they would have been far better placed to detect and contain the intrusion. Unfortunately, it seems that the level of cybersecurity maturity among many organizations is still far less than it should be – and after having experienced many cyberattacks and cyberthreats over the years, these organizations should have known better.

The techniques used after the initial compromise are easily defended against. Password spraying – in which attackers try a handful of common passwords against many accounts, rather than many passwords against one, so that per-account lockout never triggers – is countered by banning common passwords, requiring multi-factor authentication, and watching authentication logs for the tell-tale pattern of one source failing against many different accounts. “Inappropriately secured administrative credentials” can include accounts that were once used to access important assets but have since fallen into disuse; they may have been set up for temporary use, and often have very basic passwords (of the abc123 type). If those accounts are eliminated, they can’t be used to access assets. And there’s always good old-fashioned phishing: hackers can send e-mail from a compromised account to employees, posing as managers and demanding copies of files, rights to access directories, and so on. A good organizational security policy, backed by a habit of verifying unusual requests out of band, will ensure that employees don’t fall for such fake messages.
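The spray pattern described above is easy to pick out of authentication logs, and a stale account that suddenly succeeds right after a spray is the foothold to look for. The following is an added example, not code from the article or from SolarWinds or CISA; it runs over a small constructed log in an assumed format (`<ISO-8601 time> <source IP> <user> <SUCCESS|FAILURE>`), and the thresholds (a 10-minute window, at least five distinct accounts, no more than three failures per account) are illustrative assumptions a practitioner would tune to their own environment.

```python
"""Password-spray detection over a constructed authentication log.

Added example (not the article's own code). Log format is an assumption:
"<ISO-8601 time> <source ip> <user> <SUCCESS|FAILURE>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 tries one password
# against six accounts within seconds, stays under any per-account lockout,
# then logs in as a leftover temporary admin account. 198.51.100.9 is just
# a user mistyping their own password twice, and must not be flagged.
SAMPLE_LOG = """\
2020-12-14T09:00:01 203.0.113.7 alice FAILURE
2020-12-14T09:00:03 203.0.113.7 bob FAILURE
2020-12-14T09:00:05 203.0.113.7 carol FAILURE
2020-12-14T09:00:07 203.0.113.7 dave FAILURE
2020-12-14T09:00:09 203.0.113.7 svc_backup FAILURE
2020-12-14T09:00:11 203.0.113.7 tmp_admin FAILURE
2020-12-14T09:00:14 203.0.113.7 tmp_admin SUCCESS
2020-12-14T09:00:20 198.51.100.9 alice FAILURE
2020-12-14T09:00:25 198.51.100.9 alice FAILURE
2020-12-14T09:00:31 198.51.100.9 alice SUCCESS
2020-12-14T12:30:00 192.0.2.44 eve FAILURE
"""


def parse(log_text):
    """Parse the assumed log format into time-sorted (time, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag sources whose failures inside `window` touch at least `min_accounts`
    distinct users with no more than `max_per_account` failures each.

    Wide across accounts but shallow per account is the spray signature; a
    per-account lockout threshold never fires on it. For each flagged source,
    also report which users it then logged in as: that is the likely foothold.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        best = None  # (window start, per-user failure counts) with most accounts
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = Counter(e[2] for e in failures[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > len(best[1]):
                    best = (failures[start][0], per_user)
        if best is not None:
            since, per_user = best
            succeeded = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= since})
            findings[src] = {"accounts": set(per_user), "then_succeeded": succeeded}
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(f['accounts'])} accounts, "
              f"then logged in as {f['then_succeeded'] or 'nobody'}")
```

Note what the thresholds do: a single account hammered hundreds of times is a brute-force attempt, not a spray, and is left to the lockout policy; the check above only fires when one source fans out across many accounts a few times each, which is exactly the shape that slips past per-account lockout and that a banned-password list plus multi-factor authentication would have neutralized.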

In fact, it may have been a weak password that gave hackers access to Orion in the first place. According to reports, the server used by SolarWinds to distribute updates was found in 2019 to be protected by the password solarwinds123, which had been publicly exposed. While there is no evidence that the attackers got into the update server using that password, the fact that such an important system could be reached with so unsophisticated a password is very concerning, to say the least.

Whether the party (or parties) behind the SolarWinds hack were Russian, Chinese, both or neither matters less than the fact that they pulled off a coup. Pushing a trojanized update to some 18,000 organizations, including some of America’s largest corporations and numerous Federal, state and local agencies, is a feat that must force a reevaluation of how we protect ourselves.

Perhaps the first step in that reevaluation needs to be that protection starts at the basic level; that shoring up our defenses against the most common – and recurring – attacks will go a long way to securing our systems. With strong basic security, we will be in a much better position to defend ourselves against the “grave risks” posed by SolarWinds-level breaches.
