The Inner Circle

Expand all | Collapse all

SolarWinds Orion and the Cloud Supply Chain

  • 1.  SolarWinds Orion and the Cloud Supply Chain

    Posted Dec 16, 2020 03:42:00 PM

    The SolarWinds hack that revealed vulnerabilities in FireEye, Microsoft, and other CSPs is another evolution in the war against cyber crime. Cybersecurity teams and security tools will be responding to the breach ensuring that the rest of us don't fall victim to a carbon copy attack.

    How are your security teams preparing against this specific threat?

    What are your teams doing to respond to future zero-day attacks?

    CSA hopes guidance on Cloud-Based, Intelligent Systems helps teams detect, analyze, and react in today's cloud-centric world. Read Paul's blog and download the publication:

    SolarWinds - How Cybersecurity Teams Should | Cloud Security Alliance

    Cloud Security Alliance remove preview
    SolarWinds - How Cybersecurity Teams Should | Cloud Security Alliance
    SolarWinds perhaps represents the most severe hack of the digital age. The playbook of our adversaries continues to evolve, but defenders are losing, and the gap is widening. Discussion of imposing consequences on adversaries seems pointless so long as we keep falling farther behind.
    View this on Cloud Security Alliance >



  • 2.  RE: SolarWinds Orion and the Cloud Supply Chain

    Posted Dec 21, 2020 10:13:00 PM

    Hi John, what vulnerabilities were revealed for Microsoft in the SolarWinds breach? I have read many articles on the topic and cannot find any evidence that Microsoft was a victim or a contributor. What led you to believe what you wrote about vulnerabilities in Microsoft and "other CSPs"?



    ------------------------------
    Paul Rich
    Executive Director
    JPMorgan Chase & Co.
    ------------------------------



  • 3.  RE: SolarWinds Orion and the Cloud Supply Chain

    Posted Dec 22, 2020 04:22:00 PM

    There is still more investigating before we have a complete picture. The Orion platform is deployed in a lot of cloud environments, including Azure. It was reported from Microsoft that Office 365 accounts and Azure Active Directory were main targets and some customers claim to be compromised. The malicious code from Orion did create back doors that were detected by major CSPs and, even though it doesn't appear that all have necessarily been exploited yet, it has caused a rapid response plan to take place.

    Microsoft showed an extremely quick and stringent response to the attack (shared in another post) on removing digital certificates used by the malware, updating Windows Defender detection, sinkholing the exploited domain, and immediate quarantining of malicious SolarWinds binaries on live customer servers that could disrupt overall server function.

    Without intending to throw up too many specific flares on this attack, the call to action comes to how can we better ingest, understand, and respond to today's complex attacks on cloud especially as we become more dependent on the growing cloud supply chain.




  • 4.  RE: SolarWinds Orion and the Cloud Supply Chain

    Posted Dec 24, 2020 03:55:00 AM

    Hi John,

    I agree with  @Paul Rich that your intro-text is a bit too short-sighted. There are no specific indicators that MSFT (or any other CSP for that matter) suffered 0day vulnerabilities. They gained access to those environments after already being in the on-prem network and using known TTP's.

    There is a good write-up on Bleeping Computer here: "The two tactics, techniques, and procedures (TTPs) discussed in NSA's advisory have been in use since at least 2017 and refer to forging Security Assertion Markup Language (SAML) tokens for single sign-on (SSO) authentication to other service providers."



    ------------------------------
    Saan Vandendriessche CCSP | CISSP | CRISC
    Brussels - Belgium
    ------------------------------



  • 5.  RE: SolarWinds Orion and the Cloud Supply Chain

    Posted 21 days ago
    Thanks for sharing references and thoughts here. I see where there may have been a misunderstanding in my original post but I'll leave it up as is since it was a free-flow of thought. I'm really encouraged by the interaction in Circle.

    My original thought was around coordinated disclosure in the cloud supply chain and modernizing a response to vulnerabilities and attacks up the stack. Reflecting back on past vulnerabilities like Meltdown and Spectre, SSRF attacks, and others, there was a rapid and organized disclosure between technology vendors and customers. I certainly applaud Microsoft and CSPs who took action quickly with the SolarWinds Orion threat and it this layered approach in cloud from the datacenters and up the technology/application stacks to the data owners that need to be measured and secured. And this will only get more complicated going forward without a coordinated detection, analysis, and response model.

    I hope this community can encourage more discussion on these types of topics.