Home Blog Updated details about the SolarWinds 'Sunburst' cyber attack Updated details about the SolarWinds ‘Sunburst’ cyber attack BlueVoyant Share: Facebook Twitter LinkedIn By Milan Patel In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst,” which was known to have impacted companies such as FireEye and SolarWinds as well as a number of U.S. government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titled “Detecting Abuse of Authentication Mechanisms,” the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage U.S. Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack U.S. establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent U.S. Government advisories U.S. Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
BlueVoyant Share: Facebook Twitter LinkedIn By Milan Patel In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst,” which was known to have impacted companies such as FireEye and SolarWinds as well as a number of U.S. government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titled “Detecting Abuse of Authentication Mechanisms,” the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage U.S. Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack U.S. establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent U.S. Government advisories U.S. Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
