Home Blog Updated details about the SolarWinds "Sunburst" cyber attack Updated details about the SolarWinds “Sunburst” cyber attack BlueVoyant Share: Facebook Twitter LinkedIn In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst”, which was known to have impacted companies such as FireEye and SolarWinds as well as a number of US government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency (NSA) of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titledDetecting Abuse of Authentication Mechanisms, the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage US Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack US establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent US Government advisories US Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) About the author: Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
BlueVoyant Share: Facebook Twitter LinkedIn In our previous blog post we provided an initial overview of what had happened with the global cyber attack named “Sunburst”, which was known to have impacted companies such as FireEye and SolarWinds as well as a number of US government agencies. Since then, details have continued to emerge around both how the attack was executed as well as which companies and government entities were impacted. To no one’s surprise (but to everyone’s alarm), the blast radius of this attack is quite large. Experience tells us that the attack is not over and organizations need to take a number of steps to stay on top of the situation. As the methods used in the attack become more clear, many public and private organizations have started to provide specific guidance on how to detect, isolate and ultimately eliminate the malware used in the Sunburst attack from your networks. Our previous post provided the initial triage steps you should take as provided by our team of security experts, as well as those from FireEye and our partner Microsoft. The National Security Agency (NSA) of the United States has just published additional guidance for the technology practitioner community about dealing with the attack. In their Cybersecurity Advisory titledDetecting Abuse of Authentication Mechanisms, the NSA provides details about how cyber attackers “…are abusing trust in federated authentication environments to access protected data.” The advisory then pivots to a number of detailed activities that can be carried out using security tools from Microsoft. One of the foundational pillars of Microsoft’s approach to providing effective security across the identity/device/data layers of your technology estate is by implementing an architecture based on the concept of Zero Trust. The first step in implementing this architecture is to deploy conditional access across your infrastructure and applications. If you have not already done so, we strongly recommend that you deploy multi-factor authentication (MFA) technology across your entire technology footprint as soon as possible. To do this, we would advise you to enable Microsoft’s Azure Multi-Factor Authentication as a key step in preventing identity-based breaches. Doing so will help to defeat attacks designed to corrupt or hijack SAML tokens. BlueVoyant will continue to publish updates and guidance on our customer portal, blog and/or social media channels, as appropriate. We’re also standing by to help provide you with any assistance you may need in navigating this difficult situation, so please reach out to us at [email protected] whenever you are ready. Media & industry coverage US Department of Energy confirms it was hit by Sunburst hack Microsoft says it identified 40+ victims of the SolarWinds hack US establishes Cyber Unified Coordination Group to respond to SolarWinds compromise Recent US Government advisories US Cybersecurity & Infrastructure Agency (CISA): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. NSA: “Detecting Abuse of Authentication Mechanisms” Joint statement from the FBI, CISA and the Office of the Director of National Intelligence (ODNI) About the author: Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes. Share: Facebook Twitter LinkedIn Related reading Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
Blog Understanding the frailty of the software supply chain In December 2020, the cybersecurity industry faced its latest attack – SolarWinds. This hack reinforces the frailty of not only the software supply chain… Read more
Blog Five Steps to Protect Your Supply Chain: A Board-Level Perspective Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach… Read more
Blog The Supply Chain is Part of Your Organization’s Security Posture SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who… Read more
