In light of the SolarWinds breach, we want to help our customers who may have questions as well as the larger security community. The VMware Carbon Black Threat Analysis Unit (TAU) has been steadfastly monitoring the evolving situation as we learn more about the supply chain compromise.
We caught up with Greg Foss, senior cybersecurity strategist at VMware Carbon Black to get his insights on the recent news and what organizations can do to stay protected.
As you’ve learned more about the SolarWinds breach, what are some of the unforeseen details of the attack?
Greg Foss: “The most surprising thing to me is the level of sophistication that was involved in both pulling off this attack and the defense evasion techniques employed within the SUNBURST malware itself. To embed this malware, they had to understand deep inner workings of the SolarWinds development pipeline, coding principles at play, and even network topology. It was incredibly impressive how they did it all while managing to not infect the SolarWinds network itself – ensuring their malware would successfully be deployed to their customer base.
Because of this, they were able to deliver their payload to more than 18,000 customer deployments. Additionally, once deployed, they leveraged unique infrastructure for each victim. All of this was done to evade sandboxing and security controls, allowing them to remain embedded and hidden for many months before being uncovered. I would even go as far as to say that the only reason they were found out was because they went after one of the few companies well-equipped enough to uncover this activity and begin putting the pieces together after the fact.”
What additional intelligence has the VMware Carbon Black TAU discovered about the breach?
Greg Foss: “These situations call for a rapid response. Our TAU team quickly analyzed the full scope of the attack and implemented dynamic detections and prevention measures across the entire VMware Carbon Black product line. These tools help protect our customers by providing them with best practices for threat hunting and by keeping customers updated on new insights as they emerge.”
What elements of the breach do you think are keeping security professionals up at night?
Greg Foss: “The big thing here is the fact that compromising a network management software such as SolarWinds can provide the adversary with basically unlimited access to the network. For all impacted customers, they must assume that the attackers gained access to all credentials contained within the system, and they must begin to threat model based on this core understanding. It is highly likely that the attackers have obtained domain administrative credentials, even including Golden or Silver Kerberos tickets, which will require rebuilding of the Domain Controllers themselves. This also extends to network configurations, API keys, PKI, etc. Essentially every aspect of the target environment could be in the hands of these adversaries at this point, and the known IOCs that have been publicly released are of no use going forward, as the adversary is obviously extremely OPSEC aware. Based on the intelligence that we currently have, it appears to be a Russian nation-state adversarial campaign, and therefore has an espionage angle. The impact of this could be far reaching, especially when you consider the level of sophistication required to pull off such an impactful attack.”
How long do you think it will take to uncover the full impact of the breach, or will we ever know the full extent?
Greg Foss: “I think it’s going to be months, if not years, to fully understand the impact of this. We’re all still reeling with the immediate scope, breadth, and depth of this attack. As of now, we’re only just learning about the attackers’ motivations and as we continue to uncover more information, that is going to lead to additional stones that must be unturned.”
What advice are you offering customers?
Greg Foss: “We have added detections and tools across the entire product line. Everyone at every level is doing what they can to ensure customer protection and provide support. We recommend that customers take a proactive approach: if they are using SolarWinds Orion, assume compromise and begin to take actions around discovery and remediation.”
Take Action: Recommendations from VMware Carbon Black TAU
- If you’re using other SolarWinds products, threat model your attack surface as it relates to those products.
- For customers that leverage SolarWinds, isolate the server from the internet, if possible.
- Orion holds credentials such as Domain Administrator accounts, API keys, networking credentials, standalone host accounts, etc. Consider everything SolarWinds had access to as compromised.
- Review all network device configurations for any unexpected modifications.
- Perform active threat hunting.
- Leverage this incident to increase your coverage and visibility, specifically as it relates to the possibility of supply chain compromise of critical infrastructure.
Best Practices for VMware Carbon Black customers
- VMware Carbon Black App Control: Set all endpoints in High-Enforcement, default-deny, with Suspicious Command Line Protection and Suspicious Application Protection Rapid Configs enabled.
- VMware Carbon Black Endpoint Standard: Detections are provided and updated through our cloud analytics. We recommend being on the latest 3.6 Windows sensor, which provides the most up-to-date prevention coverage. Threat Hunting query: parent_name:solarwinds.businesslayerhost.exe
- VMware Carbon Black EDR and Enterprise EDR: We recommend upgrading to the 3.6 sensor for additional AMSI telemetry and to access the new dynamic rule updates. This provides additional protection against potential follow-on attacks using compromised credentials or weaponizing access to legitimate organizations.
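The hunting query above (parent_name:solarwinds.businesslayerhost.exe) can also be applied offline to exported process telemetry. The following is an added Python example, not Carbon Black code, that runs that parent-name match over constructed sample events and summarizes which child processes the Orion host spawned per device; the event field names and Windows paths are assumptions.

```python
import json
from collections import Counter
from pathlib import PureWindowsPath

# Parent process named in the page's hunting query.
PARENT_OF_INTEREST = "solarwinds.businesslayerhost.exe"

# Constructed sample process events (JSON lines) for illustration; not real telemetry.
# Field names (device, parent_name, process_name, cmdline) are assumed.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"device": "srv-orion01",
     "parent_name": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "process_name": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"device": "srv-orion01",
     "parent_name": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"device": "ws-042",
     "parent_name": r"C:\Windows\explorer.exe",
     "process_name": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"device": "srv-orion01",
     "parent_name": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "process_name": r"C:\Program Files (x86)\SolarWinds\Orion\ExampleChild.exe",  # constructed name
     "cmdline": "ExampleChild.exe"},
])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores install directory and case."""
    return PureWindowsPath(path).name.lower()


def hunt_children(events_jsonl: str, parent: str = PARENT_OF_INTEREST) -> list:
    """Return every event whose parent process matches the hunting query's parent_name."""
    hits = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        event = json.loads(line)
        if basename(event.get("parent_name", "")) == parent:
            hits.append(event)
    return hits


def summarize(hits: list) -> Counter:
    """Count (device, child process name) pairs for triage, e.g. cmd.exe spawned by Orion."""
    return Counter((h["device"], basename(h["process_name"])) for h in hits)


if __name__ == "__main__":
    for (device, child), n in summarize(hunt_children(SAMPLE_EVENTS)).items():
        print(f"{device}: {child} spawned {n} time(s) by {PARENT_OF_INTEREST}")
```

Any shell or scripting interpreter appearing as a child of the Orion business layer host is worth reviewing against what the deployment is expected to launch.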
Additional insights:
- TAU: SolarWinds SUNBURST / Solarigate Incident threat report (for Carbon Black Exchange users)
- VMware Carbon Black Threat Research
- SolarWinds Breach Overview
- Sunburst Threat Analysis
This blog may contain hyperlinks to non-VMware websites that are created and maintained by third parties who are solely responsible for the content on such websites.