172. SolarWinds of Change
Here are a few highlights from each article we discussed:
- The SEC is charging SolarWinds and its Chief Information Security Officer with misleading investors about the company's cybersecurity practices and known risks
- SolarWinds is back in the news again! And we’ve talked about it a few times on the podcast before:
- Episode 71 – Throwing Caution to the SolarWinds
- Episode 82 – SolarWinds and Losses
- Episode 155 – Sunburst Your Bubble
- We also mentioned on the show a great article about this attack by Kim Zetter from Wired we want to share with you all if you haven’t already seen it
- But let’s set the stage a little for those who might not be in the know:
- This incident, which came to light in December of 2020, was what you could think of as the case that put the concept of the supply chain attack into the general awareness. What was discovered at that time was that SolarWinds’ flagship product, called Orion, had a compromise in it that made users of this software—which is a very popular infrastructure monitoring and management platform—vulnerable to incursions by external parties
- Customers didn’t realize this, since the backdoor was embedded in software that they trusted—in other words, scanning for unexpected binaries on the network wouldn’t turn up anything unusual. So you had thousands of organizations, many of them quite large, that had been infiltrated as a result of this. So it was and is a big deal—it’s certain that we still haven’t seen the full scope of the effects
- This press release from the SEC depicts CISO Tim Brown as someone who did state that their remote access set-up was “not very secure.”
- It’s not illegal to have security issues, of course, but it’s illegal to say that you don’t, when you do. The charge here is that Brown had information from within his security team that there were quite serious exposures that rendered the company (and therefore potentially its customers) vulnerable—and he didn’t act with sufficient urgency on these issues, and that he willfully understated them in order to avoid reputational harm—and therefore commercial risk
- As a public company, SolarWinds is required to assess and report on risks to the business in filings with the SEC, and they’re making a decent case here that he omitted material facts in these filings
- Would Tim Brown be implicated had he made the risks more known?
- That’s hard to say, but odds are that he would be in a lot less hot water now if he’d been forthcoming about the issues. And something that strikes me here is that we’re living in a time, and this was true in 2020 although probably even more so now, when it’s not as damning as it used to be to have a vulnerability, even a serious one. Many, maybe even most, of the biggest players in networking and infosec have disclosed some serious vulnerabilities – remember the huge deal with Barracuda recommending uninstalling all their appliances that we talked about a couple of months back?
- As the industry has matured, people have come to understand that it’s not realistic to expect a company to be free of vulnerabilities. What they do expect, though, is that they’ll be forthcoming about them and transparent about their efforts to resolve them. It’s hard to say from a hypothetical perspective, but Tim thinks if he’d been more honest about what he knew prior to the SUNBURST incident, things would be going better for him and for SolarWinds. It’s conceivable that they might have been able to prevent the issue, but even if they hadn’t, there wouldn’t be the insult added to the injury here
- Do we know the scope of what it would have taken to correct their security insufficiencies prior to this attack?
- Not entirely—and it’s OK that they didn’t disclose *exactly* what they knew was wrong at the time, since that would have made it even easier for adversaries to exploit them. Now, Tim thinks it is important to acknowledge that there’s not an absolute blueprint for how much to disclose. The SEC says that what SolarWinds disclosed in its 8-K filings was merely in the realm of “generic and hypothetical” risks rather than what they actually knew about. He’s read many of those filings on various companies over the years, and it’s pretty common to state risks as hypotheticals because you can’t necessarily predict all the things that could hit you
- Tim’s sure that’s going to be part of their defense here—if every company disclosed exactly what its security issues were, it would be a feeding frenzy and the public (read: investors) would lose confidence in all of these companies (not just in the security or IT sectors but every company that could lose value in the event of a significant breach). It’s much like with charges of criminal negligence – you’re not expected to be perfect, but you are expected to be honest and to practice due diligence. But anyway, no, we don’t know all the details about how they could have prevented this compromise
- How has this attack changed the landscape of cybersecurity?
- As Tim mentioned before, there’s an assumption today that everyone has vulnerabilities, some of them severe, and there’s a certain amount of built-in forgiveness of that. Tim thinks there’s more of that today, and in part because of this case, than there was even in 2020. It’s a matter of degree, not of category, and he does think that this case increased that understanding. So, ironically, while they may have helped generate a climate of more tolerance and grace for imperfections, this charge by the SEC undermines that exact thing
- Mandiant identified a zero-day exploitation of CVE-2023-4966 impacting NetScaler ADC and NetScaler Gateway appliances
- What exactly is NetScaler ADC and NetScaler Gateway?
- Formerly known as Citrix access gateways
- NetScaler ADC is a networking appliance – it’s a web application firewall
- The NetScaler Gateway is a VPN
- These are two prominently situated appliances in someone’s networking stack
- With this particular exploitation, what was the challenge in investigation?
- To really go back to the beginning, we have to go back to the summer to a prior zero day
- Attackers were able to do similar things then to what they’re doing now, but the story starts over the summer
- Citrix published a patch, and a company called AssetNote reverse engineered the patch to figure out what the vulnerability was, specifically to build a proof of concept and see exactly what it was
- In this newer one, it uses OpenID, which is a different standard for authentication and helps handle MFA; when you are able to overflow these things, you get root-level access, which is really bad
- The Mandiant folks took the AssetNote research and, on this more recent patch that was put out, went hunting for the use of that vulnerability, and they found a bunch
- But it’s tricky to discover this thing because it wipes the logs – you have to go hunting in other types of logs, but there’s no smoking gun on this particular vulnerability
- There were two types of logs that were useful
- NetScaler logs and Windows Registry keys are where they found the oddities
- Mandiant observed post exploitation tactics
- They found a few things – some of it was the standard things you’d expect
- They also started looking for credential dumps
- What about some of the remediation recommendations from Mandiant?
- There is a whole guidance document on this
- Install the patch and go hunting on the various behavioral indicators
- And it’s really tough to do a whole lot more than that at this time
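The discussion above makes two practical points for defenders: the activity wiped the appliance logs, so the surviving logs had to be hunted for indirect signs, and the remediation advice boils down to patching and then hunting on behavioural indicators. The script below is an added example written for this recap, not code from Mandiant, Citrix or AssetNote, and it does not implement any published indicator for CVE-2023-4966. It runs over a handful of constructed, NetScaler-style syslog lines (the hostnames, users, addresses and message formats are made up for the example, and the year is assumed to be 2023 because syslog timestamps carry none) and applies three generic checks: unusually long silences in a log that should be continuous, timestamps that run backwards, and one account logging in from more than one source address within a window. The first two are structural hints that a log file was truncated or altered; the third is the kind of behavioural check the remediation guidance points you toward, with the thresholds left as tunable assumptions.

```python
import re
from datetime import datetime

# Constructed NetScaler-style syslog lines for this example; not real appliance output.
# Lines 5 and 7 are deliberately odd: a long silence, then a timestamp that goes backwards.
SAMPLE_LOG = """\
Oct 10 10:00:00 ns01 AAA LOGIN user=alice src=203.0.113.10
Oct 10 10:05:00 ns01 HEARTBEAT ok
Oct 10 10:10:00 ns01 HEARTBEAT ok
Oct 10 10:15:00 ns01 HEARTBEAT ok
Oct 10 11:40:00 ns01 HEARTBEAT ok
Oct 10 11:45:00 ns01 AAA LOGIN user=alice src=198.51.100.7
Oct 10 09:30:00 ns01 HEARTBEAT ok
Oct 10 09:35:00 ns01 HEARTBEAT ok
"""

# Assumed line shape: "<Mon> <day> <HH:MM:SS> <host> <message>" (classic syslog).
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# Assumed login message shape used by the constructed sample.
LOGIN_RE = re.compile(r"AAA LOGIN user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_log(text, year=2023):
    """Parse syslog-style lines into (timestamp, host, message) tuples.

    Syslog timestamps have no year, so the caller supplies one (2023 assumed here).
    Lines that do not match the expected shape are skipped rather than guessed at.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["host"], m["msg"]))
    return entries


def find_silences(entries, max_silence_minutes=30):
    """Return (start, end, minutes) for each stretch with no entries at all that is
    longer than max_silence_minutes. On a device that logs continuously, a quiet
    period is one structural hint that entries were removed. Threshold is an assumption."""
    findings = []
    for (t0, _, _), (t1, _, _) in zip(entries, entries[1:]):
        minutes = (t1 - t0).total_seconds() / 60
        if minutes > max_silence_minutes:
            findings.append((t0, t1, round(minutes)))
    return findings


def find_time_regressions(entries):
    """Return (earlier, later) pairs where a later line carries an earlier timestamp.
    An append-only log should never do this; it can indicate a file that was
    truncated and then received older buffered entries, or lines written out of order."""
    return [(t0, t1) for (t0, _, _), (t1, _, _) in zip(entries, entries[1:]) if t1 < t0]


def users_with_multiple_sources(entries, window_minutes=120):
    """Return {user: sorted source addresses} for users whose logins came from more
    than one source address inside a sliding window. This is a generic behavioural
    check, not a published indicator; the window size is an assumption and what is
    normal (roaming users, NAT) depends on the environment."""
    logins = {}
    for ts, _, msg in entries:
        m = LOGIN_RE.search(msg)
        if m:
            logins.setdefault(m["user"], []).append((ts, m["src"]))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged


def hunt(text):
    """Run all three checks over a log text and return the findings in one dict."""
    entries = parse_log(text)
    return {
        "silences": find_silences(entries),
        "regressions": find_time_regressions(entries),
        "multi_source_users": users_with_multiple_sources(entries),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the sample, the script reports one 85-minute silence, one timestamp regression, and one user seen from two addresses. None of these proves compromise on its own; the point is that when the primary log has been tampered with, the shape of what remains is itself evidence worth collecting before you patch and move on.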
This Week’s Hoodie/Goodie Scale
N-Day But Today
[Taylor]: 7.18/10 Hoodies
[Tim]: 6.5/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!