By, George Waller, CEO of Strikeforce Technologies
A full year of disruption by the global pandemic has forced businesses to adapt fast to the shifting remote work realities. This new dynamic, which has employees using their own computers and accessing company networks everywhere but the office, has created new headaches and threat vectors for security and IT professionals.
There’s been a massive increase in global cyber attacks aimed at governments and corporations since the very first days of COVID-19. By now, most are familiar with the high profile SolarWinds case, a global intrusion campaign that one Microsoft executive called ‘one of the most widespread and complex events in cybersecurity history.’ The damage caused by the attack was felt by large enterprises and by the highest echelons of government alike, demonstrating the ease with which seemingly secure software systems can be hacked.
Keeping internal systems secure while ensuring sensitive data and personal information isn’t breached has become a key problem that SMBs and larger enterprises are looking to solve. The current business landscape has created a perfect environment for cybercriminals to flourish, and we are now seeing hackers and nation-state actors able to conduct much more sophisticated attacks.
As the work-from-home trend continues, the SolarWinds attack serves as a lesson for businesses, who should be looking to implement the right types of resources for building secure networks and work environments that can foster safe communication and collaboration.
Exploiting Vulnerabilities
Back in September 2020, two of our customers reported a strange issue. Their employees started to get authentication requests on their phones for access to the company VPN. They reported this to their IT departments who then alerted us to the specific issue. Working with their IT departments to figure out what was happening, we initially thought that it was just a software bug. However, after further analysis of their logs, we identified that the access attempts were actually coming from Russian IP addresses.
It seemed that the hackers got a hold of the usernames and passwords and were attempting to login to the company network. What was so strange about this situation is that our customers had state-of-the art intrusion detection systems that never caught the attack.
Connection to the SolarWinds Attack
Perplexed by this situation, we asked some colleagues in the security community and they said that a few companies had experienced similar attacks. At the time we didn’t think anything of it, and then in December 2020 the SolarWinds supply chain attack happened.
FireEye detailed the SolarWinds attack in a blog and attributed it to a Russian hacking group. Soon after, Volexity connected the attack to multiple incidents in late 2019 and 2020, also attributing them to a Russian hacking group. What was interesting was that Volexity claimed the hackers bypassed the Multi Factor Authentication (MFA) from Duo Security (now a part of Cisco) by getting the Duo integration secret key and thereby was able to generate a cookie that bypassed the MFA. Unfortunately, neither Duo’s system nor the myriad security systems were able to detect and prevent this.
These attacks were eerily similar to the ones our customers experienced back in September, and in a few different ways. In both scenarios, the attacks were perpetrated by a sophisticated Russian hacking group (possibly the same group) that had the correct usernames and passwords. Additionally, in both attacks there was a MFA system in place which was intended to provide additional security.
Best Practices to Protect Against Future Breaches
While the spotlight has been on the way the hackers got in by compromising the update process using a stolen code signing certificate, the real takeaway from SolarWinds should be that hackers will always find a way to get in and businesses should focus on trying to prevent the hackers from doing damage once they are inside the network.
The U.S. government has now begun making moves to strengthen its own cybersecurity measures, requiring the use of multifactor authentication and data encryption for federal agencies, and comprehensive vendor disclosure of any security issues, vulnerabilities or breaches to their users.
Moving forward, businesses large and small should be thinking the same way and look to revamp their security infrastructures and ensure networks are secure and impenetrable. Enterprises must look to implement technologies that offer multi-layered protection that proactively encrypts keystrokes and prevents unwanted screenshots or audio captures. Constantly updating software is also important, as cyber criminals will always look for new ways to exploit bugs and vulnerabilities in outdated systems.
In an increasingly insecure world where hackers are constantly looking to prey on a company’s security weaknesses, businesses must be agile and use every means necessary to protect themselves and their employees from the next inevitable global breach.
About the Author
George Waller, CEO of StrikeForce Technologies, is an entrepreneur and technologist with over two decades in the cybersecurity and computer industries. He played a pivotal role in introducing two leading cybersecurity technologies: out-of-band authentication and keystroke encryption to the marketplace. Today, these technologies are used in banking, health care, education, manufacturing and government sectors. For more information, please visit www.strikeforcetech.com.