The Seismic Impact of the SolarWinds Hack
IFTBOH 2021 Kickoff Meeting
© 2021 Axel Kloth, Founder & CTO of Axiado
IFTBOH Member
What is the SolarWinds Hack?
• In the press, you’ll see phrases such as “supply chain attack”.
• While that is a correct classification, it does not really explain how it came about and what it is, and neither does it tell us what the severity of the hack is.
• Let’s analyze it (and I’ll try to keep it as simple as I can).
SolarWinds – Background and Tools
• SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. (from Wikipedia)
• SolarWinds has an impressive list of tools available, some for free, that help system and network administrators with operation, administration, maintenance and provisioning (OAM&P) of networks and servers.
• OAM&P tools have become a must-have since data centers grew to thousands, if not hundreds of thousands, of servers each.
• Manual OAM&P had become impossible a decade ago.
SolarWinds Toolset Overview
• Network Automation
• Performance Monitoring
• Bandwidth Analysis
• Manage Configs
• IP Address Management
• Switch Port Management
• VoIP Monitoring
• Troubleshooting Tools
SolarWinds Toolset Overview
• The toolset is intended to help system and network administrators in deploying infrastructure and troubleshooting elements of the infrastructure.
• By the very nature of these tools, probing and testing are crucial.
• The same applies to updating elements – firmware and software.
• That’s where the trouble begins.
Trouble in Paradise
• The OAM&P tools mostly run on Linux.
• They are deployed from a set of servers that manage the users’ or the tenants’ servers, routers and switches as well as firewalls and other infrastructure.
• These tools must have high levels of privilege to work properly.
• For any kind of firmware updates, they must have access to the administrators’ username (usually “root” or “admin”) and the passwords.
• For industry-standard x86-64 servers, the usual path to update firmware is through the Baseboard Management Controller.
Baseboard Management Controller
• The Baseboard Management Controller (or in short BMC) is effectively a PC inside the server to support server administration.
• All BMCs in use today are based on ARM processor cores and run Linux or variants thereof.
• They have full access to the server and its components.
• They can update the servers’ and their own firmware.
BMC Communication
• BMC communication is facilitated through an additional network port or a virtual port over a server’s network connection.
• There is no innate or inherent support for any kind of hardware that improves access security to the BMC.
• The communication between an OAM&P control center (often called an NMC for Network Management Center) and the data center is assumed to be through an IPSec Virtual Private Network (VPN) tunnel, with a set of firewalls on both ends.
• BMCs do not support security functions in hardware for the above reasons – the communication is assumed to be secure.
Attack Scenario
• Use the OAM&P Software to penetrate the BMCs in target data centers.
• Once the BMC is penetrated and under the attackers’ control, use the BMC features to install malicious firmware for the servers and their BMCs to the degree needed.
• The server’s new firmware allows anything you want, from exfiltrating username/passwords to outright theft of data from the servers and thus the data center.
• You can even disable logging functions on the server, and since most firewalls are standard x86-64-based servers, disable the firewalls.
How do you get into the OAM&P SW?
• SolarWinds defended itself well against all kinds of attacks.
• They were not breached directly.
• The attackers were smart enough to understand that an attack against SolarWinds directly would be detected.
• Instead, they opted for an indirect attack.
Building Tools
• Tools are built using internal (usually protected, version-controlled and signed) and external repositories.
• It is not uncommon to see that a tool is built from thousands of different pieces of source code.
• The build scripts for these tools are usually protected, version-controlled and signed as well. Breaching those is difficult.
• Once an attacker knows which uncontrolled, non-versioned and unsigned pieces of source code or DLLs (pre-compiled code) are included in the build, an attack path forms.
Compromising a Repository File
• An attacker can pose as a legitimate developer of source code on any project, in any repository.
• Pick an important file that – when included in the build – has access to crucial data.
• Compromise this file, compile it and make it a DLL or any other non-reviewable piece of software, and contribute it to the repository.
• On the next build of tools using the file you’ll be included (and have access to whatever you want).
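A defender-side check for the gap these two slides describe (build inputs that are unpinned, unsigned or non-reviewable binaries, or whose bytes changed after review): an added example, not code from the presentation or from SolarWinds. The manifest fields, the component names and the artifact bytes are constructed; a real build system would fill them from its own lockfile and signature checks.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Component:
    """One input to the tool build, as the build system records it (constructed schema)."""
    name: str
    origin: str                    # "internal" or "external" repository
    version: Optional[str]         # None: pulled from a branch head, not a pinned release
    signed: bool                   # did the build verify a signature over the artifact?
    pinned_sha256: Optional[str]   # hash recorded when the artifact was last reviewed
    source_reviewable: bool        # True for source, False for a DLL or other binary


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_component(c: Component, artifact: bytes) -> List[str]:
    """Return the control gaps that would let this component become an attack path."""
    findings = []
    if c.version is None:
        findings.append("not version-pinned")
    if not c.signed:
        findings.append("unsigned")
    if c.pinned_sha256 is None:
        findings.append("no pinned hash")
    elif sha256_hex(artifact) != c.pinned_sha256:
        findings.append("hash mismatch: artifact changed since last review")
    if c.origin == "external" and not c.source_reviewable:
        findings.append("opaque external binary")
    return findings


def audit_build(components: List[Component],
                artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Audit every build input; an input with no controlled artifact is itself a finding."""
    report = {}
    for c in components:
        if c.name not in artifacts:
            report[c.name] = ["artifact not present in controlled build inputs"]
        else:
            report[c.name] = audit_component(c, artifacts[c.name])
    return report


def build_may_proceed(report: Dict[str, List[str]]) -> bool:
    """Fail closed: any finding on any input blocks the build."""
    return all(not findings for findings in report.values())


# Constructed sample build (not real SolarWinds data).
CORE_BYTES = b"internal core library, reviewed build 4.2.0"
PARSER_REVIEWED = b"external parser library 1.9.3 as reviewed"
PARSER_SWAPPED = b"external parser library 1.9.3 with extra code"  # drifted after review
HELPER_DLL = b"\x4d\x5a opaque helper binary"

SAMPLE_COMPONENTS = [
    Component("core-lib", "internal", "4.2.0", True, sha256_hex(CORE_BYTES), True),
    Component("parser-lib", "external", "1.9.3", True, sha256_hex(PARSER_REVIEWED), True),
    Component("helper.dll", "external", None, False, None, False),
]
SAMPLE_ARTIFACTS = {
    "core-lib": CORE_BYTES,
    "parser-lib": PARSER_SWAPPED,   # bytes no longer match what was reviewed
    "helper.dll": HELPER_DLL,
}


def run_sample() -> Dict[str, List[str]]:
    report = audit_build(SAMPLE_COMPONENTS, SAMPLE_ARTIFACTS)
    for name, findings in report.items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
    print("build may proceed:", build_may_proceed(report))
    return report
```

Running `run_sample()` flags the swapped parser library and the unpinned, unsigned DLL, and blocks the build; the internal, hash-pinned library passes.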
Compromised Build
• Once the compromised file is included in the repository, and the tool build has taken place, you have your desired backdoor into the tools, and therefore into any infrastructure that uses this toolset.
• At this point in time you can log into the NMC’s servers to access any client and tenant that is administered out of this NMC.
• With that access you can compromise any server, router, switch and firewall in your target network.
• If done right, it leaves no traces.
Implications
• Even well-protected targets can be compromised, even if they log all server accesses.
• You have access to anything you want.
• Your target might never find out it was compromised.
• Since your target does not know it was compromised, it might leak data permanently.
• How do you clean up if you don’t know that you were compromised?
Conclusion
• This is one of the worst imaginable hacks ever.
• In essence, every organization must consider itself compromised and review its entire infrastructure.
• Even well-protected targets with good security practices might be compromised and not know it.
• There are already multiple variants out there.
• Raindrop, Teardrop, Sunspot, and Sunburst are known and confirmed to have been deployed.