Page 33 - Cyber Defense eMagazine for June 2021

Exploiting Vulnerabilities

            Back in September 2020, two of our customers reported a strange issue. Their employees started to get
            authentication requests on their phones for access to the company VPN. They reported this to their IT
            departments, who then alerted us to the specific issue. Working with their IT departments to figure out
            what was happening, we initially thought that it was just a software bug. However, after further analysis
            of their logs, we identified that the access attempts were actually coming from Russian IP addresses.

            It seemed that the hackers had got hold of the usernames and passwords and were attempting to log in to
            the company network. What was so strange about this situation is that our customers had state-of-the-art
            intrusion detection systems that never caught the attack.
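As an added example that is not from the article (and not any vendor's code), here is a small log-correlation check for the two signals described above: VPN logins with correct credentials arriving from outside the networks you expect, and users receiving repeated MFA pushes they never approve. The log format, corporate address ranges and sample lines are constructed for the example; a production version would substitute a geolocation lookup for the simple allow-list.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN/MFA log lines (the format is assumed, not any
# real product's): timestamp, user, source IP of the login attempt, push result.
SAMPLE_LOG = """\
2020-09-14T08:01:10 alice 10.20.30.40 approved
2020-09-14T08:02:15 bob 203.0.113.7 denied
2020-09-14T08:02:40 bob 203.0.113.7 timeout
2020-09-14T08:03:05 bob 203.0.113.7 timeout
2020-09-14T09:15:00 carol 10.20.30.41 approved
"""

# Networks from which VPN logins are expected (assumed corporate ranges).
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse(log_text):
    """Parse the constructed log format into (time, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), result))
    return events

def find_suspicious(log_text, window=timedelta(minutes=5), min_unapproved=3):
    """Return (users with pushes triggered from outside EXPECTED_NETS,
    users who received >= min_unapproved unapproved pushes within window)."""
    off_net, unapproved = set(), defaultdict(list)
    for ts, user, ip, result in parse(log_text):
        if not any(ip in net for net in EXPECTED_NETS):
            off_net.add(user)  # valid credentials, but not from where we expect
        if result != "approved":
            unapproved[user].append(ts)
    fatigue = set()
    for user, times in unapproved.items():
        times.sort()
        for i, start in enumerate(times):
            # count unapproved pushes in the window that opens at `start`
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= min_unapproved:
                fatigue.add(user)
                break
    return sorted(off_net), sorted(fatigue)

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # (['bob'], ['bob'])
```

Either list on its own is worth an alert; a user appearing in both is the pattern the customers above saw, and it is invisible to a signature-based IDS because every request is a well-formed login.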



            Connection to the SolarWinds Attack
            Perplexed by this situation, we asked some colleagues in the security community and they said that a
            few companies had experienced similar attacks. At the time we didn't think anything of it, and then in
            December 2020 the SolarWinds supply chain attack happened.

            FireEye detailed the SolarWinds attack in a blog and attributed it to a Russian hacking group. Soon after,
            Volexity connected the attack to multiple incidents in late 2019 and 2020, also attributing them to a
            Russian hacking group. What was interesting was that Volexity claimed the hackers bypassed the Multi-
            Factor Authentication (MFA) from Duo Security (now a part of Cisco) by obtaining the Duo integration secret
            key, which let them generate a cookie that bypassed the MFA. Unfortunately, neither Duo’s
            system nor the myriad security systems were able to detect and prevent this.


            These attacks were eerily similar to the ones our customers experienced back in September, and in a
            few different ways. In both scenarios, the attacks were perpetrated by a sophisticated Russian hacking
            group (possibly the same group) that had the correct usernames and passwords. Additionally, in both
            attacks there was an MFA system in place which was intended to provide additional security.


            Best Practices to Protect Against Future Breaches
            While the spotlight has been on the way the hackers got in by compromising the update process using a
            stolen code signing certificate, the real takeaway from SolarWinds should be that hackers will always
            find a way to get in and businesses should focus on trying to prevent the hackers from doing damage
            once they are inside the network.

            The U.S. government has now begun making moves to strengthen its own cybersecurity measures,
            requiring the use of multifactor authentication and data encryption for federal agencies, and
            comprehensive vendor disclosure of any security issues, vulnerabilities or breaches to their users.

            Moving forward, businesses large and small should be thinking the same way and look to revamp their
            security infrastructures and ensure networks are secure and impenetrable. Enterprises must look to
            implement technologies that offer multi-layered protection that proactively encrypts keystrokes and
            prevents unwanted screenshots or audio captures. Constantly updating software is also important, as
            cyber criminals will always look for new ways to exploit bugs and vulnerabilities in outdated systems.









            Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.