After the SolarWinds Hack, Is SUNBURST Malware on Your Network? Find Out.
Do hackers have a backdoor into your network? This is the key question that organizations around the world are struggling to answer in the wake of the recent SolarWinds hack. The company’s Orion software, which is deeply embedded in the networks of tens of thousands of organizations, was infected with the “SUNBURST” malware that gave hackers the ability to remotely access SolarWinds’ customer systems. Late last week, researchers found a second backdoor named “SUPERNOVA” that Microsoft identified as separate and likely unrelated to SUNBURST.
The potential ripple effects of the SolarWinds hack are huge. SolarWinds’ customers include high-profile tech companies such as Microsoft, who confirmed that the malware had been installed on their network, as well as the top US accounting firms, 425 of U.S. Fortune 500 companies, the United States DoD, DoJ, and DHS, as well as many other government agencies. The hackers (who have reportedly been tied to the Russian government) could have used their access to plant malware in other products, steal data repositories and encryption keys, or gain footholds in many other organizations.
How Do You Know If Your Data is at Risk from the SolarWinds Hack?
Here are key questions that all organizations should be working to answer right now:
- Was the SolarWinds malware installed on your network? If so, what data and IT resources were accessed by the hackers?
- Have any third-party suppliers that you rely upon been affected by the SolarWinds malware? If so, were your data or IT resources accessed?
Make sure to concurrently engage in proactive communications with your stakeholders and community, even before you have definitive answers.
How Do You Know If Your Network is Infected with Malware after the SolarWinds Hack?
Your first step is to determine whether the hackers installed a backdoor on your network. SolarWinds has disclosed the precise version numbers of the software affected, so if you do use the Orion software, check the company’s security alert and determine whether your organization installed an affected version at any point. Continue to monitor SolarWinds’ Security Advisory and FAQ, which they are updating as they learn more.
If you or your suppliers were part of the SolarWinds hack, proactive threat hunting is a smart strategy. The SUNBURST malware is highly sophisticated, and hackers may have installed additional malware or backdoors even if the original backdoor was previously removed. Likewise, the SUPERNOVA malware is also highly sophisticated, and information available at this time indicates that the malware exists on systems as a DLL file named ‘App_Web_logoimagehandler.ashx.b6031896.dll’ which could allow remote code execution. Make sure to add the known indicators of compromise and malware signatures to your cybersecurity monitoring software, and continue updating and engaging in monitoring as the analysis unfolds and new indicators are identified. Proactive threat hunting services can help you quickly identify if malware is lurking in your network.
If you do find evidence of SUNBURST, SUPERNOVA, or a related threat on your network, refer to CISA’s Emergency Directive 21-01 for a helpful response checklist. Given the risk of potential data exposure, it is wise to engage in forensic evidence collection prior to rebuilding or modifying affected systems.
Check Your Own Supply Chain
Every organization relies upon third-party suppliers to store, process and facilitate access to data. These can include:
- Cloud providers such as Microsoft that host data
- Hardware and software vendors such as Cisco (which recently confirmed it was affected)
- Managed service providers (MSPs) (an especially high risk since SolarWinds designed products for MSPs to use to manage customer networks)
- Security firms such as FireEye that have a foothold within thousands of additional customer networks
- Professional services firms such as attorneys and accountants that store or process your sensitive data, and may themselves have been impacted by the SolarWinds malware
Do your due diligence! Do not assume suppliers will proactively contact you if they have been affected by the SolarWinds hack (even if it is ethically the right thing to do). Many suppliers are frightened of potential liability if they have been hacked or simply do not have the resources to conduct a proper investigation.
Instead, proactively reach out and ask suppliers to answer if they were affected by the SolarWinds hack. Your proactive approach should include the following steps:
- Prioritize your suppliers based on their access to your sensitive data and/or network resources. Identify suppliers that store or process sensitive data on your behalf, or which have a high degree of access to your IT resources and focus on following up with these organizations first.
- Ask your suppliers to confirm, in writing, whether they used an affected version of the SolarWinds Orion product. If so:
- Determine whether the supplier responded appropriately to remove the malware and scope the incident.
- Evaluate the risk that your sensitive data and/or IT resources could have been impacted due to malware on the supplier’s network.
- Ask your suppliers if they are actively assessing risk due to their supply chain, and if so, whether any evidence of compromise has been identified (fourth and even fifth party risks are real and have led to many data breaches and cybersecurity incidents).
- Make sure to give your suppliers a deadline for responding, so that you can coordinate your own response and public relations efforts.
The Bigger Picture: Supplier Risk Management
Ultimately, the SolarWinds hack has brought to light the potentially grave risks posed by supply-chain cybersecurity threats. Now more than ever, it’s critical for all organizations to build a robust supplier risk management program. Here are some tips for ramping up your supply chain risk management program quickly:
- Keep it simple. “I frequently advise companies not to overcomplicate it,” says Madison Iler, LMG’s Chief Strategy Officer. “It is better to get something simple and consistent in place for your higher-risk vendors, then take steps to expand and build upon what you have started.”
- Categorize your vendors based on data sensitivity and criticality of services.
- Take a risk-based approach, prioritizing higher-risk vendors first.
- Establish standard questionnaires and forms for your supplier risk assessment, to speed the process.
- Collect information from your vendors. Make sure to consider who within your organization is the primary point of contact and involve them in the discussion.
- Evaluate the information from your vendors. Assign someone on your team to review responses. Provide a clear timeframe and ensure that all reviewers have the skills and background they need to make informed decisions.
- Engage in consistent tracking and follow–up with key suppliers. Ensure that any gaps are remediated in a timely manner, and new issues are identified and addressed.
Once you’ve established your supplier risk management standards:
- Ensure that your expectations are codified in your legal agreements with suppliers whenever possible.
- Include your suppliers in your incident response plans and training exercises, so that responders know how to effectively work together in the event of a cybersecurity crisis.
The SolarWinds hack is a national security crisis that will affect every organization. Respond proactively by evaluating your own risk of compromise, and make sure to reach out to assess the risk posed by your suppliers as well. Above all, this case illustrates the importance of effective supply chain cybersecurity risk management programs. Even a quick and simple vetting process can help you identify key risks and make smart cybersecurity choices.
Note: LMG Security does not use SolarWinds software and has not been directly affected by this issue. We are actively engaging in discussions with our suppliers to evaluate risk, and to date we have not found any evidence that our firm’s sensitive data or resources has been affected. We will continue to update our community as the SolarWinds crisis unfolds.