SolarWinds and Accellion breaches: supply chain attacks wreak havoc

0

When it comes to cybersecurity, it is not possible to identify the biggest threat to organizations globally. However, supply chain attacks are doing their best to earn this honor. In a supply chain attack, a threatening actor infiltrates an organization’s system through a third party supplier or partner with access to their data and systems. In fact, according to an article in National Defense magazine, two thirds of offenses are the result of vulnerabilities from a vendor or third party.

As more vendors and service providers gain access to an organization’s data, the organization becomes more vulnerable to these attacks. There have been numerous supply chain attacks against organizations around the world. the SolarWinds attack and the Acceleration violation are two of the most prominent examples of such attacks. So let’s find out what really happened in these two cases, shall we?

Enter!

Here is an opportunity for you to stand out from the crowd!

To rejoin
our weekly Cyber ​​Times newsletter and become a member of our Cyber ​​Resilient community

The story of the SolarWinds hack

SolarWinds is a leading software company that provides thousands of organizations around the world with extensive technical services and system management tools for infrastructure and network monitoring. Hailed as the biggest data breach of the 21st century, the SolarWinds attack managed to establish itself among the life-changing events of the decade.

The breach occurred through the company’s IT performance monitoring system called Orion. As a result of this hack, threat actors gained access to the systems, data, and networks of thousands of SolarWinds customers who were using the Orion Network Management System to manage their computing resources.

How did it happen?

Hackers inserted malicious code into the Orion network management system, which has been used by many government and multinational agencies around the world.. Due to the addition of this malicious code, the SolarWinds Orion platform created a backdoor that allowed hackers to access accounts and impersonate users of victimized organizations.

The malware was able to access system files and blend seamlessly with legitimate SolarWinds activity without being detected. Hackers installed this malicious code in a new software bundle, which was sent to customers by SolarWinds as an update in early March 2020. More than 18,000 company customers have installed the update, allowing malware to spread undetected. Hackers used this hidden code to gain access to the computer systems of SolarWinds customers, using them to install even more malware.

Who was affected?

Several government agencies and commercial industry verticals around the world have been affected by the infamous SolarWinds hack. According to an SEC filing from SolarWinds, around 18,000 of its customers were using vulnerable versions of the Orion platform, which includes:

  • SolarWinds Orion Platform Version 2020.2 HF 1
  • SolarWinds Orion Platform Version 2019.4 HF 5
  • SolarWinds Orion Platform Version 2020.2

Even several government departments in the United States such as Homeland Security, Commerce, State, and the Treasury were affected by this breach.. A renowned cybersecurity company, FireEye, is the first known victim of this breach and was also responsible for disclosing the attack in December 2020. Numerous other NGOs and Fortune 500 companies were also victims of the breach.

(Source: Ars Technica)

When did it all happen?

Here is the list of major events associated with the SolarWinds Hack:

  • September 4, 2019: Hackers gained access to SolarWinds.
  • September 12, 2019: Hackers injected the test code and performed a test drive. They used a sophisticated injection source to insert the SUNBURST malicious code into the Orion Platform software.
  • February 20, 2020: Hackers compiled and deployed the SUNBURST attack.
  • June 4, 2020: Hackers removed SUNBURST malicious code from SolarWinds systems.
  • December 8, 2020: FireEye, a cybersecurity company discovered a flaw in its systems and launched an investigation.
  • December 12, 2020: FireEye reveals the breach was the result of a cyberattack on SolarWinds’ Orion platform.
  • December 15, 2020: SolarWinds has released a software patch.

Affecting thousands of organizations ranging from multinationals to government agencies, the SolarWinds hack has become the biggest example of the disastrous impact a supply chain attack can have.

Analysis of the famous Accellion violation

Accellion, a world-renowned company specializing in secure collaboration and file sharing software, suffered a zero-day attack targeting its File Transfer Appliance (FTA) software. Hackers exploited vulnerabilities in FTA software to launch attacks against numerous Accellion customers and partners. This supply chain attack has led to disastrous attacks on many well-known and prestigious companies around the world.

How did it happen?

Hackers exploited four zero-day vulnerabilities in File Transfer Appliance (FTA) software in December 2020. The four vulnerabilities included: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104. Malicious actors exploited these vulnerabilities to install an undetectable web shell called DEWMODE on Accellion’s FTA application. This backdoor allowed hackers to exfiltrate data from the networks of victimized companies.

DEWMODE is specially designed to extract files available on FTA database. Attackers are also able to erase all traces of their activity once they have obtained the data they are looking for. Weeks after hackers stole the data through DEWMODE, some victims received extortion emails claiming to be from the CLOP ransomware operation.

Who was affected?

Accellion Breachers Attacked Many of Its High-profile Customers and Customers. Some of the most famous victims of the breach include big names like Australian Securities and Investments Commission, Bombardier, Flagstar Bank, Kroger, Jones Day Law Firm, Qualys, Singtel, Reserve Bank of New Zealand, Royal Dutch Shell, Stanford University, Trinity Health, University of California and University of Colorado.

Although organizations from all sectors have suffered from this violation, it is believed that the the health sector is the most affected. The US Department of Health and Human Services was also a victim of this violation. In addition, at least seven other healthcare organizations in the United States have been affected by the Accellion breach. Sensitive data belonging to several victims was found published on the dark website CLOP operated by FIN11.

Dark Web Supply Chain Attack Victims Data Leaked
Dark Web Breach Victims Data (Source: Bank Info Security)

When did it all happen?

Here is the list of major events associated with the SolarWinds Hack:

  • December 16, 2020: Exploit triggered FTA’s built-in anomaly detector on a customer’s device, which immediately notified Accellion, triggering an investigation.
  • December 20, 2020: Accellion has released a patch to correct two vulnerabilities discovered during the investigation.
  • December 23, 2020: Accellion has released a patch to increase the Anomaly Detector checks to one per hour.
  • January 20, 2021: Another exploit has occurred.
  • January 22, 2021: Accellion learned of the new achievement through multiple customer service requests and launched an investigation. It has sent a critical security alert to its customers to immediately shut down their FTA systems.
  • January 25, 2021: Accellion released a new patch to correct the two new vulnerabilities discovered during the investigation.
  • January 28, 2021: Accellion has released a fix to increase the number of anomaly detector checks to one every 10 minutes.

Ranked among the most damaging mega-violations of all time, the Accellion breach has clearly proven how hundreds of giant organizations can be brought to their knees by tapping into a single vendor.

The extent of the damage caused by these two mega-breaches has rocked the world of cybersecurity. In addition to their lasting impact on the organizations and individuals involved, these breaches have proven how beneficial supply chain attacks from an attack vector can be to cybercriminals, making them a more threat. important.

So take the necessary precautions now and make sure your organization does not join the casualty list when another major vendor is breached in the times to come.

Are you aware of cybercrime? Take our quiz to find out

We’ll even give you your very own cybersecurity awareness badge!

The SolarWinds & Accellion Breaches: Supply Chain Attacks Wreaking Havoc post appeared first on Kratikal Blogs.

*** This is a syndicated Security Bloggers Network blog from Kratikal Blogs written by Dhwani Meharchandani. Read the original post at: https://www.kratikal.com/blog/solarwinds-accellion-breaches-supply-chain-attacks-wreaking-havoc/


Source link

Share.

About Author

Comments are closed.