Updated Details About the SolarWinds 'Sunburst' Cyber Attack

By Milan Patel

In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst," which was known to have impacted companies such as FireEye and SolarWinds as well as a number of U.S. government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation.

As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft.

The National Security Agency of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titled "Detecting Abuse of Authentication Mechanisms," the NSA provides details about how cyber attackers “...are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft.

One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens.

BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready.

Media & Industry Coverage

U.S. Department of Energy confirms it was hit by Sunburst hack

Microsoft says it identified 40+ victims of the SolarWinds hack

U.S. establishes Cyber Unified Coordination Group to respond to SolarWinds compromise

Recent U.S. Government Advisories

U.S. Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.

NSA: “Detecting Abuse of Authentication Mechanisms”

Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI)

Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes.