The Cybersecurity and Infrastructure Security Agency (CISA) released on Tuesday its recommendations in response to the SolarWinds Orion software supply chain cybersecurity incident, which affected, and possibly continues to affect, the networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations, along with information on the widespread abuse of commonly used authentication mechanisms.
The security agency released the ‘Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise’ web page to provide actionable guidance to organizations affected by this advanced persistent threat (APT) activity. Although the guidance on the web page is directed to federal departments and agencies, CISA encourages affected critical infrastructure entities and private sector organizations to review and apply it, as appropriate.
In addition, it issued ‘CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders,’ in order to support executive leaders of affected organizations in understanding the threat, risk, and associated actions they should take in response to the APT activity. The CISA Insights specifically applies to organizations with affected versions of SolarWinds Orion that have evidence of follow-on threat actor activity.
For the last three months, U.S. security agencies have been tracking, assessing, and mitigating the SolarWinds supply chain cyber incident, which was likely caused by an APT actor. According to CISA, that actor may be deeply burrowed in compromised networks, and full eviction will be costly, highly challenging, and complex. The hackers targeted and gained persistent, invasive access to select organizations’ enterprise networks, their federated identity solutions, and their Active Directory or Microsoft 365 environments.
In the case of Microsoft cloud systems, namely Azure Active Directory (AD) and Microsoft 365 environments, the actor was able to exploit privileged access to collect and exfiltrate sensitive data and created backdoors to enable their return.
The APT actor only targeted a select group of organizations affected by the SolarWinds Orion compromise for follow-on network exploitation, CISA said. Using incident response, the security agency was able to ascertain that the threat actor obtained initial access by password guessing, password spraying, and exploiting inappropriately secured administrative credentials via remote services.
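The password-spraying access vector CISA describes has a recognizable shape in sign-in logs: one source fails against many distinct accounts, each only once or twice, rather than hammering a single account. The detector below is an added example, not CISA's guidance or tooling; the log format, the RFC 5737 source addresses, the example.gov accounts, and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-01-05T10:00:01Z 198.51.100.7 alice@example.gov FAIL
2021-01-05T10:00:14Z 198.51.100.7 bob@example.gov FAIL
2021-01-05T10:00:27Z 198.51.100.7 carol@example.gov FAIL
2021-01-05T10:00:40Z 198.51.100.7 dave@example.gov FAIL
2021-01-05T10:00:53Z 198.51.100.7 erin@example.gov FAIL
2021-01-05T10:01:19Z 198.51.100.7 erin@example.gov SUCCESS
2021-01-05T10:02:00Z 203.0.113.5 grace@example.gov FAIL
2021-01-05T10:02:10Z 203.0.113.5 grace@example.gov FAIL
2021-01-05T10:02:35Z 203.0.113.5 grace@example.gov SUCCESS
"""

def parse_log(text):
    """Parse the constructed space-separated format into (time, source, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source: [accounts]} for sources whose failures, inside any sliding window, span at
    least min_accounts distinct accounts with no account tried more than max_per_account times.
    A single account failing repeatedly (brute force or a typo) is deliberately not flagged."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[src] = sorted(per_account)
                break
    return alerts

def spray_successes(events, alerts):
    """Accounts that later authenticated successfully from a flagged source: reset these first."""
    return {src: sorted({u for _, s, u, r in events if s == src and r == "SUCCESS"}) for src in alerts}
```

On the sample log the spraying source is flagged while the user who mistyped their own password twice is not; the follow-up function lists the account that the spray actually got into.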
Once inside the network, the threat actor bypassed multi-factor authentication (MFA) and moved laterally to Microsoft cloud systems by compromising federated identity solutions, according to the agency. The threat actor stole the Active Directory Federation Service (ADFS) token-signing certificate to forge tokens and modified or added trusted domains in Azure AD.
The actor used that privileged access to collect and exfiltrate sensitive data, created backdoors to enable their return, and also used techniques other than the supply chain compromise to access targeted networks, the security agency added.
Failure to perform comprehensive remediation activity and evict the adversary will expose enterprise networks and cloud environments to substantial risk of long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks, it added.
To better cope with the threat actor, CISA recommends that leaders of organizations with compromised networks immediately assess the risk to determine the severity of the network compromise and the long-term risk to their organization if the actor is not evicted from their networks. In addition, they should allocate time and resources. Eviction is a three-phase process made up of pre-eviction, eviction, and post-eviction; it will be complex and resource-intensive, and will require the network to be disconnected from the internet for several days, the agency added.
This recommendation becomes close to impossible for U.S. government agencies and critical infrastructure entities to carry out. The operational technology (OT) environment, made up of capital-intensive, massive legacy systems, which may not always be modern or state-of-the-art, focuses on operational requirements and meets the needs of physical safety of processes, people, and technology.
The OT systems are designed to run consistently and continuously, often in challenging environmental operating conditions. These control systems cannot afford any sort of abrasions or abnormalities in the process systems themselves or in the equipment that may cause problems in reliability, productivity, or safety. System and asset integrity are paramount, and failures or downtime can be costly and potentially catastrophic.
“OT cyber incident response is something that you want to run with an experienced partner who genuinely understands your environment, and who won’t blindly start a trial-and-error approach based on ‘classic’ IT response – regardless of leading-edge technology and proven excellence,” according to a recent PwC insight. “It’s something that requires proper tooling, processes, preparation, and coordination,” it added.
CISA also recommends that organizations consider engaging third-party companies that have experience with APT activity, in case the necessary resources are unavailable in-house.
The response to the cyber incident began in December, when CISA issued Emergency Directive 21-01 following a known compromise affecting SolarWinds Orion products. The agency advised immediate disconnection of the affected devices, which were being exploited by malicious actors. The Emergency Directive asked all federal civilian agencies to review their networks for indicators of compromise and to immediately disconnect or power down SolarWinds Orion products running versions 2019.4 through 2020.2.1 HF1.
In January, U.S. security agencies set up a task force, known as the Cyber Unified Coordination Group (UCG) and composed of the FBI, CISA, and ODNI with support from the NSA, to coordinate the investigation and remediation of the impact of the supply chain cyber incident. At the time, the group assessed that the APT actor was likely Russian in origin and responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.