Network Breaches through Network Management Systems
Robert Wahlstedt
Grand Canyon University
CYB 525-0501
Dr. Li
January 28, 2021
What Happened
During December of 2020 it became known that from April through June there had been a major data breach involving a computer network management system, SolarWinds Orion, together with similar SolarWinds products. SolarWinds is a product for automating network infrastructure and change management. While working at an organization the size of the American Red Cross, we use a similar product, which helps maintain our security posture through uniformity. Service management tools such as Microsoft Intune and ServiceNow allow users to request new software for their laptops, and the service management tool works through an approval process (Williams, 2020). This indicates to me that some form of permissions is stored within the configuration management system, even if those permissions are read-only. The purpose of the data breach was to push a malware package called Sunburst. Sunburst had features that made it particularly difficult to detect, including not sending data to an outside party right away (FireEye noted a 40-to-60-day lag). A common mechanism of an antivirus program is to execute the code in a sandbox and observe whether the software does anything abnormally malicious; a delay of that length falls well outside such an observation window. When there are large gaps of time, it is also hard for companies to know which backup set to use, because the timeline is complicated. The reason we know about the virus today is that two major vendors with huge cyber security budgets, FireEye and Microsoft, both had breaches shortly after one another in the summer of 2020. Microsoft was fearful that this data breach could be used to gain access to their proprietary code, which is arguably the most important asset Microsoft has. FireEye is a known security vendor that has done extensive research on this topic after its own breach.
They concluded that one element the victims of the attack had in common was that they were using SolarWinds software. Fortinet notes that the malware has mechanisms to detect whether Wireshark is being used in the environment it is attempting to connect to (Yavo, 2020). Since SolarWinds makes its own packet management software, many of these victims were relying on that product instead of Wireshark (SolarWinds Introduces New Deep Packet Inspection Free Tool to Simplify Wireshark® Data Analysis, 2014). Why are the attackers, whom some cyber security professionals at this point attribute to a state-sponsored organization trying to infect large organizations such as the United States government, afraid of Wireshark? Because Wireshark is open-source software that can be used to share intelligence across organizations. For a conversation to be followed in Wireshark it must be decrypted, and one protocol that is unencrypted is the process of querying a DNS server. Because the United States government covers such a vast number of internet endpoints, and because of Wireshark's packet capture comparison feature, the domains used by the malware authors to communicate with their victims' machines can be found out (Evans, 2020). The United States CISO recommended updating the content pushed for SolarWinds and, until then, discontinuing the use of SolarWinds (U.S. Government Takes the Wind Out of SolarWinds Sails, 2020).
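As an added illustration of the packet capture comparison idea above (this is example code written for this page, not code from the paper or from any of the cited sources), the Python below parses two constructed DNS query logs, treats the earlier capture as a baseline of known-good domains, and reports domains that appear only in the later capture, ranked so that domains queried from the fewest hosts come first. The log format, host names and domain names are all made up for the example; a real deployment would read resolver logs or a pcap export and consult the Public Suffix List rather than the two-label grouping used here.

```python
from datetime import datetime

# Constructed DNS query log lines (hypothetical resolver export), one query per line:
# "<ISO timestamp> <client-host> <queried-domain>"
BASELINE_LOG = """\
2020-02-03T09:14:02 ws-0117 updates.example-vendor.test
2020-02-03T09:14:05 ws-0117 login.corp-sso.test
2020-02-04T11:02:41 srv-nms01 updates.example-vendor.test
2020-02-05T08:55:10 ws-0342 login.corp-sso.test
"""

# Constructed later capture from the same network; two domains never seen in the baseline.
LATER_LOG = """\
2020-04-20T02:13:44 srv-nms01 updates.example-vendor.test
2020-04-21T02:15:09 srv-nms01 api.unseen-service.test
2020-04-22T02:14:58 srv-nms01 telemetry.unseen-service.test
2020-04-23T13:40:12 ws-0117 login.corp-sso.test
2020-04-23T13:41:30 ws-0342 cdn.other-known.test
2020-04-24T02:16:01 srv-nms01 api.unseen-service.test
"""


def parse_dns_log(text):
    """Parse log lines into (timestamp, host, domain) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.fromisoformat(parts[0])
        records.append((ts, parts[1], parts[2].lower().rstrip(".")))
    return records


def registrable_domain(domain, labels=2):
    """Collapse a FQDN to its last `labels` labels so subdomain variation groups under one name.
    Simplification for the example: real code would use the Public Suffix List."""
    return ".".join(domain.split(".")[-labels:])


def compare_captures(baseline_text, later_text):
    """Return domains seen in the later capture but absent from the baseline capture.

    Each finding carries first-seen time, query count, querying hosts and the exact FQDNs,
    which is the context an analyst needs before deciding whether a domain is benign."""
    baseline = {registrable_domain(d) for _, _, d in parse_dns_log(baseline_text)}
    findings = {}
    for ts, host, domain in parse_dns_log(later_text):
        key = registrable_domain(domain)
        if key in baseline:
            continue
        entry = findings.setdefault(
            key, {"first_seen": ts, "queries": 0, "hosts": set(), "fqdns": set()}
        )
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["queries"] += 1
        entry["hosts"].add(host)
        entry["fqdns"].add(domain)
    return findings


def prioritize(findings):
    """Rank findings: domains queried from the fewest hosts first (rarer is more anomalous),
    then by query volume descending. Returns a list of (domain, entry) pairs."""
    return sorted(findings.items(), key=lambda kv: (len(kv[1]["hosts"]), -kv[1]["queries"]))


if __name__ == "__main__":
    for domain, e in prioritize(compare_captures(BASELINE_LOG, LATER_LOG)):
        print(f"{domain}: first seen {e['first_seen']:%Y-%m-%d}, {e['queries']} queries, "
              f"hosts={sorted(e['hosts'])}, fqdns={sorted(e['fqdns'])}")
```

The baseline should come from a period the organization trusts; if the baseline capture itself postdates the compromise, the malicious domain is already "known" and the comparison is blind to it, which is one reason the long dormancy noted above complicates recovery.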
What did the attacker do during the breach?
Since most workers are working from home during the COVID-19 pandemic, the way malware can move laterally through a network has changed. In the conventional architecture, the machines sit inside a local area network separated from external communication by a firewall. Because many people are working from home, securing the cloud is now more important than the model some security researchers describe as an Oreo cookie, with two hard shells and a soft inside. The attackers demonstrated that there are ways of machine-to-machine compromise even without connecting to a network.
Effects on various Shareholders
There were many victims of the propagated Sunburst malware infection, including Microsoft, Nvidia, Cisco, and Check Point. The fact that this list includes security vendors could have huge implications for these organizations, including their reputational assets. Another aspect of this attack is that supply chains are now being analyzed, and I predict that many would value having their software audited as opposed to choosing a perhaps cheaper alternative. This also raises the question of whether two-factor authentication logons are good enough if there are built-in system services that can be utilized by applications such as SolarWinds. This experience could be a good learning experience for security practitioners to evaluate cloud-to-cloud security.
References
Chan, Z. (2020). Why the SUNBURST Incident is More Alarming than the FireEye’s Hack | Hacker Noon. Hackernoon.com. Retrieved 24 January 2021, from https://hackernoon.com/why-the-sunburst-incident-is-more-alarming-than-the-fireeyes-hack-km2s31i8.
Evans, K. (2020). SolarWinds breach: Insights from the trenches | Live incident response demo | Cyber Work Podcast. YouTube. Retrieved 24 January 2021, from https://youtu.be/5lc4HtmEYl4.
Novinson, M. (2020). 10 Things to Know About The SolarWinds Breach And Its U.S. Government Impact. CRN. Retrieved 24 January 2021, from https://www.crn.com/slide-shows/security/10-things-to-know-about-the-solarwinds-breach-and-its-u-s-government-impact/3.
Packet Capture Tool Network Packet Monitor Software | SolarWinds. Solarwinds.com. (2021). Retrieved 24 January 2021, from https://www.solarwinds.com/network-performance-monitor/use-cases/packet-capture.
SolarWinds Introduces New Deep Packet Inspection Free Tool to Simplify Wireshark® Data Analysis. Solarwinds.com. (2014). Retrieved 24 January 2021, from https://www.solarwinds.com/company/press-releases/solarwinds-introduces-new-deep-packet-inspection-free-tool-to-simplify-wireshark-data-analysis.
U.S. Government Takes the Wind Out of SolarWinds Sails…for the Time Being!. CISO MAG | Cyber Security Magazine. (2021). Retrieved 24 January 2021, from https://cisomag.eccouncil.org/us-government-takes-down-systems-containing-solarwinds-orion-tool/.
Williams, J. (2020). SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack. YouTube. Retrieved 24 January 2021, from https://youtu.be/qP3LQNsjKWw.
Yavo, U. (2020). What We Have Learned So Far about the “Sunburst”/SolarWinds Hack | FortiGuard labs. Fortinet Blog. Retrieved 24 January 2021, from https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack.