InfoSec Insider

A Tale of Two Hacks: From SolarWinds to Microsoft Exchange

Oliver Tavakoli, CTO of Vectra AI, discusses the differences between the massive supply-chain hack and the Exchange zero-day attacks, and their legacy and ramifications for security professionals.

The past four months have exposed two high-profile attacks, which both had pundits declaring them the “worst-ever” and “unprecedented.” They shared other similarities – both attacked businesses rather than individuals, and affected tens of thousands of organizations. But that is where the similarity ends.

The SolarWinds hack was a “supply-chain” attack on approximately 18,000 purchasers of the company’s Orion software. Two things make it particularly bad. One, Orion clients include numerous large enterprises and U.S. government agencies. Two, Orion is an “infrastructure monitoring and management” tool. It is well-placed within target networks to reach pretty much any other asset, making it an ideal base camp for an attacker to pursue many goals.

Other elements of the SolarWinds hack are disturbingly familiar. This attack is attributed to a group which Mitre, the nonprofit research organization, has dubbed APT29. You may know APT29 by another name: Cozy Bear. Cozy Bear is also blamed for hacking the Democratic National Committee in 2015. It’s believed to be connected to the Russian Foreign Intelligence Service (a.k.a. SVR), which generally collects information, while the GRU, the Russian Military Intelligence Service, weaponizes it.

While APT29 tends to cycle through offensive tools they use at any point in time, much of their arsenal is not new. The SolarWinds hack involved the use of Cobalt Strike BEACON for the backdoor – Cobalt Strike is a framework used by red teams for adversary-attack simulation and is well-known to all threat researchers. The twin shocks we must now assess with SolarWinds are the unprecedented scope of the assault – and that we got hit so hard with such recognizable weaponry.

The second hack was against Microsoft Exchange servers and had a more familiar trajectory: Attackers found a series of zero-day vulnerabilities that could be chained together to break into any Exchange servers that were internet-accessible – and steal all the emails and files stored on them. Depending on how you want to measure damage, these vulnerabilities affected 250,000 Exchange servers, of which at least 30,000 appear to have been compromised.

The unnerving subplot behind the Exchange server hack was that there was a race against the clock, as the attackers seemed to have found out that Microsoft was about to issue patches for the vulnerabilities. So, the attackers tried to compromise as many servers as possible before Microsoft could distribute the patches. Even though Microsoft sped up the patch release by a week, most of the damage was done in the 10 days before the patch was issued.

Both hacks involved nation-states. The SolarWinds hack drew ire because some believe supply-chain hacks are beyond the pale as they cause too much collateral damage – only a relatively small subset of the 18,000 affected organizations were likely hacked, but it’s hard to know for sure if you were one of the lucky or unlucky ones. The Microsoft Exchange server hacks drew ire because in the rush to hack as many servers as possible before the issuance of the patches, information about the exploits seems to have gotten around to a number of less-scrupulous bad actors. Rather than just being used for information-gathering, the Exchange server hacks have already resulted in several attempts to ransom stolen data.

So, let’s try to calibrate our outrage. Whether a malefactor uses reverse-engineering to discover an exploitable zero-day vulnerability in enterprise software (the Exchange server hacks) or launches an attack to embed a backdoor (SolarWinds), the damage is calculated roughly the same way. In either case, hundreds or thousands of organizations are compromised and tens of thousands of organizations are left wondering how much remediation they must do to establish that some offshore adversary isn’t camping out on their network.

Either scenario is messy and expensive. No affected organization could be fully certain of finding and evicting such an adversary. And, at least in the SolarWinds case, most of the affected organizations were probably never in Cozy Bear’s crosshairs anyway.

Some truths of cyber-conflict seem eternal. We’ve been saying for at least a decade that the rules are continuously shifting, and we all suffer from the absence in this sphere of norms, conventions and “red lines.” Certainly taking out a country’s power grid via a cyberattack would be considered crossing the red line. But while we have the Geneva Conventions, the Chemical Weapons Convention and other rules for kinetic conflict, it has always been difficult to draw similar constraints around espionage or information-gathering. Even nation-states which have leveraged ransoms to obtain hard currency have escaped relatively unscathed.

Where does this leave us? We have to become much more formidable defenders. We need to get better defenses in place, since good posture and controls reduce available attack surfaces and help contain possible conflicts. We need to become better at detecting things which have gone awry in our environments and responding early in the attack lifecycle – while there is still a reasonable chance of minimizing damage. This will take better tools, more imaginative processes and a cadre of well-trained professionals.

It’s sobering that this isn’t new advice. With the broad and alarming implications of these new attacks, may this be the moment government and businesses alike finally give the remedies the priority they deserve – and take the lessons of the past four months to heart.

Oliver Tavakoli is CTO of Vectra AI, a San Jose, Calif.-based cybersecurity company.
