Over the weekend, one of the biggest software companies, Austin-based SolarWinds, experienced a serious security breach.
Hackers carried out a massive supply chain attack, infecting the networks of government agencies and even private companies.
Experts told the media that the hackers might be foreign state-sponsored threat actors. How did they do it?
How did it happen?
Several government agencies, including the US Treasury and the Commerce Department, have been hit by a massive hacking attack.
It was first claimed that a sophisticated group of Russian hackers, known as APT29 or Cozy Bear, carried out the attack.
However, FireEye, the cybersecurity firm investigating the SolarWinds breach, has not yet named anyone as responsible for the attack. Instead, it has given the threat actor the code name UNC2452.
In its recent blog post, the cybersecurity firm described how it believes the hackers carried out the massive breach.
As explained, the attackers first breached SolarWinds, the software provider. They then pushed out updates for SolarWinds’ Orion software that carried malware inside. These trojanized updates infected the networks of the various companies and agencies serviced by SolarWinds.
The second explanation
While FireEye put forward this explanation, security firm Volexity also shared its own insight into the incident.
On Monday, Dec. 14, Volexity told Ars Technica that it had already encountered the same hacking technique used against SolarWinds.
At the time, Volexity noticed that the hackers were bypassing the MFA protections provided by Duo. This was their entry point in the process.
After gaining access, “the hackers used those unfettered rights to steal a Duo secret known as an akey from a server running Outlook Web App, which enterprises use to provide account authentication for various network services.”
With that key, they generated cookies in advance so that anyone holding the right username and password could take over the account. Worse, the Duo authentication server recorded no attempts that could have alerted the system.
“The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question,” said the cybersecurity firm. “Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid.”
This process “remain[ed] undetected for several years,” according to Volexity.
It has not been concluded that the hackers behind both incidents were the same. However, the technique could have been the same.
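One defensive check the Volexity finding points to, given here as an added example that is not from the article or from Volexity: correlate OWA sessions admitted with a duo-sid cookie against the Duo authentication log, and flag any session whose cookie has no Duo authentication behind it. The log formats, user names, addresses and the 24-hour cookie lifetime are all constructed assumptions, not Duo's or Exchange's real formats.

```python
from datetime import datetime, timedelta

# Assumed cookie lifetime; a real deployment would use its own Duo session setting
COOKIE_LIFETIME = timedelta(hours=24)

# Constructed OWA access log: "<time> <user> <client ip> <mfa cookie seen>"
OWA_LOG = """\
2020-12-10T08:02:11Z alice 10.0.0.5 duo-sid=present
2020-12-10T09:15:40Z bob 10.0.0.9 duo-sid=present
2020-12-11T22:47:03Z alice 203.0.113.7 duo-sid=present
"""

# Constructed Duo authentication log: "<time> <user> <result>"
DUO_LOG = """\
2020-12-10T08:01:55Z alice success
2020-12-10T09:15:20Z bob success
"""

def _ts(s):
    """Parse a Zulu ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_owa(text):
    """Yield (time, user, ip) for OWA requests admitted with a duo-sid cookie."""
    for line in text.splitlines():
        ts, user, ip, cookie = line.split()
        if cookie == "duo-sid=present":
            yield _ts(ts), user, ip

def parse_duo(text):
    """Yield (time, user) for successful MFA prompts the Duo server recorded."""
    for line in text.splitlines():
        ts, user, result = line.split()
        if result == "success":
            yield _ts(ts), user

def find_orphan_mfa_sessions(owa_text=OWA_LOG, duo_text=DUO_LOG, lifetime=COOKIE_LIFETIME):
    """Return (time, user, ip) for OWA sessions that presented a duo-sid although
    Duo logged no successful MFA for that user in the `lifetime` window before
    the request. A cookie Duo never issued for that login is the signal to alert on."""
    duo_ok = list(parse_duo(duo_text))
    orphans = []
    for ts, user, ip in parse_owa(owa_text):
        backed = any(u == user and ts - lifetime <= dts <= ts for dts, u in duo_ok)
        if not backed:
            orphans.append((ts.isoformat(), user, ip))
    return orphans
```

In the constructed data, alice's second session arrives more than a day after her last Duo prompt and is the only one flagged.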
What is SolarWinds doing now?
Although the massive cyberattack is still fresh, SolarWinds has already made improvements and changed most of its security systems.
The agencies have not yet detailed what kind of information might have been stolen from the US government. The FBI and other security experts have taken over the investigation to determine the extent of the attack.
On Tuesday, Dec. 15, SolarWinds will release a new update, 2020.2.1 HF 2, which “replaces the compromised component and provides several additional security enhancements.”