Update on SolarWinds Threat: Identity is the New Perimeter


Secureworks Counter Threat Unit™ researchers continue to investigate and help customers respond to the sophisticated SolarWinds supply chain compromise last month. Our observations to date support third-party reporting that, while many organizations received the trojanized software, only a fraction of those saw any follow-on activity indicating that they were targeted.


The repercussions of what has been discovered over the past 30 days are likely to be felt for months to come, and as we begin to take stock of what we have learned so far through the work we are doing with customers, two issues stand out:


Patching Matters


Investigations into the SolarWinds supply chain compromise led to the discovery of a second, unrelated threat actor exploiting a previously unknown (zero-day) vulnerability in internet-connected servers running SolarWinds Orion software to deploy a web shell (known as SUPERNOVA), steal credentials, and attempt to move laterally within compromised networks.


While a zero-day might have been leveraged to deploy the SUPERNOVA web shell, it is rare for us to see adversaries rely on such vulnerabilities. Far more common are opportunistic threats such as ransomware that continue to exploit well-known, patchable vulnerabilities. We must not lose focus on the critical importance of a comprehensive vulnerability management program, including prioritized patching.


Identity is the New Perimeter


The compromise of SolarWinds Orion software to deliver malware was just one of what may turn out to be multiple attack paths. Having gained access, a sophisticated threat actor can stealthily subvert authentication mechanisms to reach sensitive resources hosted on cloud services, such as email, chat messages and files. They can do this by:


Using on-premise intrusions to obtain privileges in cloud tenants. This might inv ..
