Executive Summary - SolarWinds Hack

When I first heard the news of this attack, exactly one week ago, I largely ignored it. As the week progressed and I learned more details, our organisation and I became obsessed.

No stranger to SolarWinds / Orion, I spent much of the past decade running the IT operations of a global managed service provider and have intimate familiarity with this software. This product in particular was a key component in our ability to monitor network devices around the world. It was also my “albatross” and one of the major motivating factors to develop our own Network Monitoring System, Nemesis.

Here is a "Reader's Digest" version of what was announced by the media this past week.

  1. SolarWinds secures a critical server responsible for hosting software updates with the password "solarwinds123"... eerily reminiscent of a scene from a Mel Brooks movie.
  2. Some months ago, bad actors (as in the Russian hacker variety, not the Paul Reiser, Shia LaBeouf variety) gained access to the server by allegedly guessing this super secure password.
  3. The software update to their flagship product is hijacked and injected with a malicious Trojan horse whose capabilities have yet to be disclosed.
  4. The compromised bits are subsequently downloaded by loyal customers who are, of course, up to date in paying for their subscriptions. Neither the subscription server nor the payment gateway was touched, as other gems were deemed much more valuable.
  5. SolarWinds must notify up to 18,000 customers of the breach and that potentially every single detail regarding the security, topology and operating environment of their networks has been exposed. These customers include a vast number of both international and domestic ISPs and MSPs, Microsoft, the US Treasury, as well as various other Federal, State and local government agencies.

Before I read about the "luggage quality" password I was convinced that this was an inside job, as so many of these software companies hire engineers in "hostile" countries to develop their products.

While most of the compromised entities have varying degrees of security measures to protect against malicious code, viruses, spyware, etc., the particular transmission vector of this attack was a trusted third party, and there were no protections against this style of "supply chain" breach. I'm certain that someone at SolarWinds once filled out a form stating that their software was "certified safe"... that's usually good enough, right?

To those unfamiliar with network management tools, SolarWinds is the 800 lb gorilla in the marketplace of SNMP software, and to those unfamiliar with SNMP, the Simple Network Monitoring Protocol is an application layer protocol first developed in the 1980s and supported by nearly every hardware device on the planet. No one owns the protocol; it's an open standard, and any company is free to implement tools that use it.

The "Simple" in the acronym is a bit misleading, as it is only "simple" in the way that an 8x8 Rubik's Cube is simple: mechanically straightforward enough, but highly configurable, and its genius is evident in how little it has evolved in nearly 40 years.

With SNMP, hardware vendors are freed from developing proprietary solutions and can use the industry standard to implement features. SNMP queries can be used to command and control every single aspect of a device. You want a little LED on the front of an access point in a hotel room to blink out Morse code? SNMP is a convenient way to make it happen. You want to change a critical network path or mirror a port on your router to send traffic elsewhere? Just run a few scripted SNMP queries.

If I had to choose a single system to target in order to disrupt and cause maximum damage to my adversary's operations, there would be no better place to start than with their Network Monitoring System. Once it is compromised you have access to every network device and the blueprint for how the network operates. It's like getting the master key that will open every hotel room door as well as the combination to every guest's luggage.
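As an added illustration (this is not code from the article or from Nemesis), the following Python decodes SNMPv1 messages just far enough to tell read operations (GetRequest) from the write operations (SetRequest) the paragraphs above describe, so a defender can review every write and whether it came from the known NMS. The BER codec is deliberately minimal (short-form lengths only), and the hosts, community strings and traffic are constructed sample data.

```python
# Added example, not code from the article. Minimal SNMPv1 BER encode/decode
# plus a review of SetRequest PDUs (the write operations the text describes).
# Assumes short-form BER lengths (< 128 bytes); all traffic below is constructed.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
SYSNAME_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])  # 1.3.6.1.2.1.1.5.0

def tlv(tag, content):
    """Encode one BER tag-length-value (short-form length only)."""
    assert len(content) < 128, "example supports short-form lengths only"
    return bytes([tag, len(content)]) + content

def build_snmpv1(community, pdu_tag, oid, value):
    """SNMPv1 message with one varbind: request-id 1, error-status/index 0."""
    varbind = tlv(0x30, tlv(0x06, oid) + value)
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form BER length not handled here"
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end  # (tag, content, position after this TLV)

def parse_snmpv1(msg):
    """Return version, community string and PDU type of a raw SNMPv1 message."""
    tag, body, _ = read_tlv(msg, 0)
    assert tag == 0x30, "outer SEQUENCE expected"
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": version[0], "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def review_set_requests(records, nms_hosts):
    """List every SetRequest seen, noting whether the known NMS sent it."""
    findings = []
    for src, raw in records:
        info = parse_snmpv1(raw)
        if info["pdu"] == "SetRequest":
            origin = "known-nms" if src in nms_hosts else "unexpected-source"
            findings.append((src, info["community"], origin))
    return findings

# Constructed traffic: the NMS (10.0.0.5) polls and writes; another host writes.
SAMPLE = [
    ("10.0.0.5", build_snmpv1("public", 0xA0, SYSNAME_0, tlv(0x05, b""))),
    ("10.0.0.5", build_snmpv1("private", 0xA3, SYSNAME_0, tlv(0x04, b"core-rtr1"))),
    ("10.0.0.99", build_snmpv1("private", 0xA3, SYSNAME_0, tlv(0x04, b"edge-sw2"))),
]
```

Running `review_set_requests(SAMPLE, {"10.0.0.5"})` reports both writes, one from the NMS and one from an unexpected source; in practice a write from the NMS itself still deserves review once the NMS is the thing you distrust.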


Addendum:

My intent in writing this post is not at all to further embarrass SolarWinds; their product does some great things that are incredibly difficult to accomplish. Like other such egregious attacks it will likely all be forgotten in the next news cycle, but I am certain that the wounds inflicted by this breach will take some time to heal.

Sam, thanks for sharing!

Hey Sam, Happy New Year! Does your solution - Nemesis - compete in some way with the SolarWinds Orion system? Cheers!

Sam Beskur excellent summary in laymen's vernacular...!!!

Great read. Thanks for breaking this down Sam!
