SolarWinds cyber attack
We have probably all heard of the massive cyber attack on SolarWinds, a company whose IT monitoring and management software gives organizations insight into what is going on in their networks. Somewhere between March and June 2020, over 18,000 of the company's customers unknowingly installed a malicious update, which allowed attackers to gain access to confidential information and exfiltrate it from the target organizations. The attack affected U.S. government agencies as well as some of the largest companies, such as Microsoft.
The company's first mistakes were using the password "solarwinds123" to access one of the upgrade servers and advising customers to disable antivirus scanning. The Orion product accounts for at least 45% of the company's revenue.
An intrusion like the one at SolarWinds is known as a "supply chain attack", which is dangerous because it exploits the trust between the victim and the maintainers of the equipment it relies on. The infected Orion update hid a Trojan named "supernova" in a DLL file. It first stayed silent for two weeks before activating, then allowed the attackers to forge users' electronic identities and gain access to other files, where they targeted documents including the source code of various tools. This suggests that it was primarily an espionage campaign; so far it shows no examples of destructive code.
With the help of the malicious code, a back door was built into that version, through which the attackers behind the SolarWinds cyber attack gained access to the network. Among the victims of the attack were also the Ministries of Trade, Finance and Foreign Policy, which is a significant blow, as the CIS is said to be handling the cyber defense of the US government apparatus. In addition, the Pentagon and the Ministries of Energy, Health and Agriculture later fell victim.
Such threats can be mitigated and detected through monitoring, detection and response, which together form a "zero trust" model. Endpoint security is an approach to cybersecurity that applies the principles of zero trust to end-user devices, or endpoints. However, the goal is not to protect every single endpoint (desktop, laptop, virtual environment, etc.) in isolation, but the system as a whole. This is done by managing the flow of information between the network and the device, centralizing security and control, and at the same time decentralizing risk.
Simply put, if adversaries gain access to your network, Microsoft Defender will generate alerts for the endpoint that identify suspicious activity. Which is great. But who will manage and act on the warnings generated by the endpoint security system? The best security tools can quarantine threats and alert you to the problem. It is then your responsibility to correct the error or warning based on the information received.
At PRO.astec, we can review your systems, recommend how to improve them further and help you patch security holes.
Written by Mr. Adrien Osenjak