Cybercrime has exploded to levels never seen before. Driven at least partly by the global COVID-19 pandemic, it is not surprising that high-profile cyber attacks have occurred. What is surprising is that two of them happened within a relatively short period of time, which is exactly what happened.
Between December 2020 and March 2021, hackers launched attacks that compromised the data of thousands of companies and government agencies. These attacks came through different vectors: one is called the SolarWinds attack because it exploited vulnerabilities in software from the company SolarWinds; the other was a breach of Microsoft Exchange Server.
These attacks are not related, but they leave people feeling vulnerable and wondering whether their business has the protection it needs.
What happened to SolarWinds?
SolarWinds is a company based in the United States that specializes in software for managing IT systems and remote monitoring. They also offer a hosting service provider business as part of their product line.
What happened during the SolarWinds attack was that hackers managed to inject malware into the company's software update process. This means that when its remote monitoring and management (RMM) system applied updates to the various systems it managed, it also installed malware that gave the hackers access to certain parts of those systems.
By the time the attack was discovered in December 2020, more than 425 Forbes 500 companies and government agencies such as the Centers for Disease Control (CDC) and the National Security Agency (NSA) had been attacked.
What was the attack?
In this attack, cybercriminals compromised the trusted software that SolarWinds uses to help provide services to its customers. The program is called Orion and is part of the SolarWinds toolkit, which lets them remotely monitor their customers' systems and manage application updates.
Hackers took advantage of a zero-day vulnerability (an unpatched security vulnerability) inside Orion, allowing them to install a Trojan horse (a file that looks legitimate but actually lets cybercriminals into your system) in order to compromise the systems monitored by Orion. The vulnerability was first reported in October 2019 and patched in January 2020, but the fix did not come quickly enough to remove the threat.
What about the Microsoft hack?
In March 2021, while the security community was still talking about what happened to SolarWinds, Microsoft announced that they too had been hit by a vulnerability in their software. This time, more than 30,000 organizations were compromised by hackers who exploited Microsoft Exchange Server vulnerabilities. The victims of the attack included small businesses, local governments, banks, non-profit organizations and others.
What was the attack?
In this attack, hackers exploited four newly discovered zero-day vulnerabilities in Microsoft Exchange Server. These vulnerabilities allowed them to use the software to steal an organization's e-mail communications and potentially gain further access to its systems.
Once a system was compromised, a web shell was left behind, allowing the hackers to log back in to the system from any web browser. After the attack was discovered, these shells were found on thousands of networks.
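As an added illustration of that monitoring point (this is not code from the original post or from either vendor), here is a small file-integrity check in Python: it baselines the hashes of a web root and then reports files added or modified afterwards, flagging server-side scripts because that is how a dropped web shell shows up on disk. The directory layout, file names and the script-extension list are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumption: server-side script extensions worth flagging when they appear unexpectedly.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root: Path, known: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, modified or removed since the baseline; scripts among them are suspicious."""
    current = baseline(root)
    added = sorted(set(current) - set(known))
    removed = sorted(set(known) - set(current))
    modified = sorted(p for p in current.keys() & known.keys() if current[p] != known[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_SUFFIXES]
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small web root, then drop a new script and alter a page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wwwroot").mkdir()
        (root / "wwwroot" / "index.aspx").write_text("<%-- constructed placeholder page --%>")
        (root / "wwwroot" / "logo.png").write_bytes(b"constructed image bytes")
        known = baseline(root)
        (root / "wwwroot" / "new.aspx").write_text("<%-- constructed: unexpected new script --%>")
        (root / "wwwroot" / "index.aspx").write_text("<%-- constructed: page modified --%>")
        return diff_against_baseline(root, known)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and the comparison scheduled, so that an attacker who writes to the web root cannot also rewrite the record it is compared against.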
What does this mean for you?
If there is good news about the SolarWinds hack, it is that this was a very sophisticated attack focused on high-profile targets such as the US government. Whereas in other incidents hackers quickly seize control and make demands, these attackers took their time and waited patiently to obtain the access they needed. SolarWinds was used as a springboard because it provided access to those clients.
It is also worth noting that although SolarWinds does have an MSP division, it was not part of the attack. Their MSP business is a separate entity from SolarWinds. More specifically, the attacks only targeted people using Orion.
As for the Microsoft attack, if you do not use Microsoft Exchange Server you are largely safe. However, unlike SolarWinds, this attack was neither slow-paced nor narrowly targeted. The hackers got into systems as quickly as possible and made sure to leave a back door open when they left. This difference in method is part of the reason why the number of systems compromised in the Microsoft attack is much larger than in the SolarWinds attack.
What are the lessons of these attacks?
Both the SolarWinds and Microsoft attacks carry one key lesson: keeping software up to date is essential to maintaining business security. In each case, the attacks were possible because of vulnerabilities found in the software. In each case, a patch was issued to fix the problem, even if the SolarWinds vulnerability went unfixed for three months.
If you do not have a process for applying patches as soon as they are released, your business is vulnerable to hacker attacks. Even if you have many systems that need patching, you need to apply the patches quickly.
In addition, you also need network monitoring. In both the Microsoft and SolarWinds attacks, the vulnerabilities had existed for months or even years. During that period, hackers may have been able to use the affected software to access any system running it. With a strong network monitoring program, a company is still at risk, but any suspicious activity on the network can be spotted as soon as it occurs. In the case of SolarWinds, the attackers moved through these systems silently for months without being noticed.
Finally, once cybercriminals are inside your system, access restrictions can have a huge impact on what happens next. Access control is commonly used to ensure that no one in the company can use parts of the network that are not directly related to their work. This means that someone in the mail room cannot log in to the system that controls the security cameras, and a caretaker cannot reach the part of the network that holds all the business intelligence reports.
When hackers do get into your system, their access is then severely restricted. This helps limit damage to the system and makes it easier to repair the problems that have occurred.
What measures can you take to prevent such attacks?
Sometimes there is nothing you can do to stop these attacks. Cybercriminals are becoming more and more sophisticated in the types of attacks they carry out and the methods they use to execute them.
However, you can do your best to protect your network and mitigate the impact of a successful attack. The best thing you can do is work closely with a managed security service provider (MSSP).
An MSSP provides your company with an outsourced team of security experts who work to protect you and your team from attacks.
The services they provide include:
- 24/7 network monitoring – Someone is always watching your network for suspicious activity. This includes ensuring that only authorized programs are running, that unauthorized code is not executed (such as code that installs a Trojan horse), and that there is no direct attack on your business. As soon as something like this is discovered, the MSSP can begin to isolate the incident and correct the problem.
- Update management – To always ensure the highest level of security, your systems need to be as up to date as possible. This can be difficult because patches can be released at any time, and if you are busy it is easy to miss one. An MSSP takes care of this by managing updates and installing patches as soon as they appear.
- Access control – Ensures that people have access only to the parts of the system they need to do their work, thereby limiting the damage caused during a cyber attack. An MSSP can set up access control within your enterprise to ensure that no one is locked out of a part of the system critical to their work, while ensuring that hackers cannot get far once they are in.
- Disaster recovery – If something does happen and your system is compromised, a robust disaster recovery plan can help minimize the impact on the business. Disaster recovery lets you restore the system to the state it was in before the damage, in a way that reduces downtime so you can get back to work faster.