Yes. We discussed this quite a bit during my Patreon AMA this week — basically what happened: SolarWinds had a really stupid public update server password (solarwinds123 🙄). This was breached, a back-door was inserted and went live with new SolarWinds Orion downloads.
The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely.
[...]
CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”
[...]
CISA’s analysis suggested the crooks behind the SolarWinds intrusion were heavily focused on impersonating trusted personnel on targeted networks, and that they’d devised clever ways to bypass multi-factor authentication (MFA) systems protecting networks they targeted.
[...]
“If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA warned. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”
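One way to look for the token abuse CISA describes, as an added example that is not from the post or from the advisory it quotes: a token forged with a stolen signing certificate carries a valid signature, so the useful signal is not the signature but the fact that the identity provider never issued it (and, often, an implausibly long validity window). The log shapes, field names and the one-hour lifetime threshold below are assumptions, and every record is constructed sample data.

```python
"""
Correlate SAML assertions a service provider accepted against the IdP's own
issuance log. Forged assertions pass signature checks (the real key signed
them), but the IdP has no record of issuing them, and attackers often set a
long NotOnOrAfter to keep a token usable. Constructed example, not a real log.
"""
from datetime import datetime, timedelta

# Constructed sample: assertions a relying party (e.g. a mail service) accepted.
SP_ACCEPTED = [
    {"id": "_a1", "subject": "alice@example.test",
     "not_before": "2020-12-14T09:00:00Z", "not_on_or_after": "2020-12-14T10:00:00Z"},
    # Forged: no matching IdP issuance event and a seven-day validity window.
    {"id": "_zz", "subject": "svc-admin@example.test",
     "not_before": "2020-12-14T09:05:00Z", "not_on_or_after": "2020-12-21T09:05:00Z"},
    {"id": "_b2", "subject": "bob@example.test",
     "not_before": "2020-12-14T09:10:00Z", "not_on_or_after": "2020-12-14T10:10:00Z"},
]

# Constructed sample: assertion IDs the IdP logged as issued in the same window.
IDP_ISSUED = {"_a1", "_b2"}

# Assumed policy: the IdP never issues assertions valid longer than one hour.
MAX_LIFETIME = timedelta(hours=1)


def parse_ts(s):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious(accepted, issued, max_lifetime=MAX_LIFETIME):
    """Return (assertion_id, subject, reasons) for assertions that the IdP has
    no issuance record of, or whose validity window exceeds max_lifetime."""
    findings = []
    for a in accepted:
        reasons = []
        if a["id"] not in issued:
            reasons.append("no IdP issuance record")
        lifetime = parse_ts(a["not_on_or_after"]) - parse_ts(a["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds {max_lifetime}")
        if reasons:
            findings.append((a["id"], a["subject"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, subject, reasons in find_suspicious(SP_ACCEPTED, IDP_ISSUED):
        print(f"{assertion_id} ({subject}): {'; '.join(reasons)}")
```

On the sample data only the `_zz` assertion is flagged, on both counts.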
a full reconstitution of identity and trust services is required
The official recommendation is the classic 'nuke from orbit' approach. Damn, that's honestly impressive at this level. I cringe just contemplating the sheer work involved in restoring something this fundamental. I sure as hell wouldn't waste the opportunity to change up the entire system for something better, though. That's the bonus for having to rebuild from that deep. Odds are everyone has upgrades waiting in the wings anyway, may as well get something better out of the work if you have to do it anyway.
An actor this sophisticated means you couldn't even use the cutover approach safely. If you build the new system and the old systems that are compromised are still right there running alongside it, you're risking exposing yourself to fresh compromise. Physically independent networks if you want to go that way. I'd probably even go so far as to reflash all router and switch firmware and rebuild the firewalls. Then I'd be wondering what a clever org with deep pockets could stash in a network card's bios, just waiting for some hapless tech to press the F12 key during boot.
Tangentially related: Big (and incredibly stupid), if true:
https://twitter.com/Angry_Staffer/status/1340119315572527104
From the article:
[...]
[...]
[...]