In a year where cybercrime jumped to unprecedented levels that were at least partly influenced by the global COVID-19 pandemic, it shouldn’t be surprising that a high-profile cyberattack occurred. What is a little surprising is that we had two within a relatively short period of time, which is exactly what happened.
Between December 2020 and March 2021, hackers launched attacks that compromised the data of tens of thousands of businesses and government agencies. The attacks came through different vectors: one was called the SolarWinds attack, because it exploited a hole in the system used by the company SolarWinds. The other was a breach that came through Microsoft Exchange Server.
The attacks weren’t related, but they left people feeling vulnerable and wondering whether their business has the protection it needs.
What happened at SolarWinds?
SolarWinds is a US-based company that specializes in creating software to help manage IT systems, as well as remote monitoring software. They also have a managed service provider business as part of their offerings.
What happened during the SolarWinds attack is that hackers managed to inject malware into their software update process. This meant that when their Remote Monitoring and Management (RMM) system went to apply updates to the various systems it was installed in, it also installed malware that allowed hackers to access some parts of those systems.
By the time the attack was noticed in December of 2020, upwards of 425 of the Forbes 500 had been compromised, as well as government agencies such as the Centers for Disease Control (CDC) and the National Security Agency (NSA).
What was the attack?
In this attack, cybercriminals compromised a trusted piece of software SolarWinds used to help serve their customers. The program, known as Orion, was a part of the SolarWinds toolkit that allowed them to remotely monitor the systems of their customers and manage how updates were applied.
Hackers exploited a zero-day vulnerability (a security flaw that hasn’t been fixed) within Orion that allowed them to install a Trojan horse (a file that looks fine but actually lets cybercriminals into your system) to compromise the systems that Orion monitored. The vulnerability was first reported in October 2019 and patched in January 2020, but it remained unfixed long enough to be compromised.
What about the Microsoft hack?
In March of 2021, as the security community was still talking about what happened with SolarWinds, Microsoft announced that they, too, had experienced a breach in their system. This time upwards of 30,000 organizations were compromised by hackers who were exploiting a flaw in Microsoft Exchange Server. Victims of the attack included small businesses, local governments, banks, non-profits, and more.
What was the attack?
In this attack, hackers took advantage of four newly discovered zero-day vulnerabilities that were located within Microsoft Exchange Server. These exploits allowed them to siphon email communications from organizations using the software and made it possible to gain access to the systems.
Once the systems were breached, a web shell was left behind that allowed hackers to log in to the system again from any web browser. These shells were found on thousands of networks after the attack had been discovered.
What does this mean for you?
If there is good news with regards to the SolarWinds hack, it’s that this was a very sophisticated attack that was focused more on high-profile targets like the US government. Unlike other incidents where hackers very quickly seize control and make demands, the attackers took their time and waited patiently to gain the access they needed. SolarWinds was used as a vector because it provided access to those clients.
It’s also worth noting here that, while SolarWinds does have an MSP division, it wasn’t a part of the attack. Their MSP is a separate business entity from SolarWinds. And, more specifically, the attack only targeted people using Orion.
With the Microsoft attack, if you weren’t using Microsoft Exchange Server, you were safe. But, unlike SolarWinds, this attack wasn’t nearly as slow-moving or specific about who was targeted. Hackers got into the system as soon as they could and made sure to leave the backdoor open once they left. The differing approaches are partly why the Microsoft attack resulted in considerably more compromised systems than the SolarWinds attack.
What are the lessons from these attacks?
Both the SolarWinds and the Microsoft attacks come with one big, main lesson – updating your software is critical to maintaining the safety of your business. In each case, these attacks were possible because of exploits that had been found within the system. In each instance, patches were issued that fixed the problem, even if the SolarWinds exploit wasn’t fixed for three months.
If you don’t have a system in place that allows you to apply patches as soon as they’re released, you leave your business open to attacks from hackers. Even if you have a large number of instances where the patches need to be applied, there is a need to get them applied fast.
Along with that, you need to have network monitoring in place. In both the Microsoft and SolarWinds attacks, the vulnerabilities had gone undiscovered for months or years. During that time, hackers could have accessed any system using the respective software products. With a robust network monitoring program in place, businesses would still have been at risk, but any suspicious activity on the network could have been spotted as soon as it occurred. In the case of SolarWinds, the attackers had been quietly moving about the systems for months without detection.
Finally, access restriction can have a huge impact on what happens once a cybercriminal gets into your system. Access controls are often used as a way to ensure that no one in the company can use a part of the network that isn’t directly related to their job. This means that someone in the mailroom can’t log into the system that controls the security cameras, and the janitorial staff can’t access the parts of your network that contain all your business intelligence reports.
With such controls in place, when a hacker does get into your system, their access is severely limited. This reduces the amount of damage done to your system and makes it easier to fix any problems that have occurred.
What can you do to prevent attacks like these?
Sometimes, there isn’t much that you can do to prevent these attacks. Cybercriminals are getting increasingly sophisticated both in the kinds of attacks they do and the methods they use to execute them.
However, you can do your best to both protect your network and mitigate the impact of a successful attack. The best thing you can do is work closely with a managed security services provider (MSSP).
MSSPs provide your business with an outsourced team of security experts who work hard to keep you and your team safe from attack.
The services they provide include:
- 24/7 network monitoring – Someone is always watching your network for suspicious activity. This includes things like making sure only authorized programs are running, that no unauthorized code is being executed (like the code that installs a Trojan Horse), and that there are no direct attacks on your business. As soon as something like this is spotted, an MSSP gets to work isolating the incident and correcting the problem.
- Update management – To ensure the maximum level of security at all times, your system needs to be as up-to-date as possible. This can be hard because patches can be released at any time and if you’re busy, it’s easy to miss one. MSSPs take control of this by managing updates and installing patches as they come in.
- Access control – Making sure that people have access only to the parts of your system that they need to do their job restricts the damage that occurs during a cyberattack. MSSPs can establish access control within your business to make sure no one is locked out of a critical part of their job, while making sure that hackers can’t get far if they get in.
- Disaster recovery – If something does happen and your system is compromised, having a robust disaster recovery plan in place can be the thing that helps minimize the impact on your business. Disaster recovery allows you to restore your systems to the state they were in before you were breached in a way that reduces downtime, so you can get back to work faster.
Want help keeping your business safe?
Managing the security of your business can be a huge challenge when you’re already taking care of the day-to-day. That’s where working with an MSSP, like Kaytuso (our MSSP division), can help.
We can take care of all of your security needs to help keep your business safe, reduce the impact of a cyberattack, and keep you informed of any attempts that have been made on your business.
Want to learn more about how an MSSP can help your business? Contact us today.
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.