fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

The SolarWinds Breach

The SolarWinds Breach

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

Overview

“One of the most high-profile cyberespionage campaigns in recent years.” “Among the most ambitious cyber operations ever disclosed.” “A moment of reckoning.” These are some of the descriptors applied to the SolarWinds breach, which the global cybersecurity community has been intently monitoring since it was first reported in mid-December 2020. This issue of CyberSense takes a closer look at what happened, how global agencies and CSA responded to the incident, and a few observations and learning points we picked up.

What Happened?

In the world of network management software, one name stands head and shoulders above the competition: SolarWinds’ Orion platform. Used by numerous government agencies and Fortune 500 companies worldwide, it is the pre-eminent product in the network management space. However, it was precisely this market dominance that led hackers to target the Texan firm. Sometime in 2019, hackers managed to infiltrate SolarWinds’ production network to insert malicious code into Orion’s software updates. Any organisation that downloaded the tainted updates effectively gave the hackers a backdoor into its network.

Production network

The hackers’ approach and behaviour stood out in this incident. Analysis of their tactics, techniques and procedures showed that the hackers were patient, disciplined, and prioritised stealth to minimise exposure of their operations. Once inside a victim’s network, the hackers blended in, and looked for opportunities to escalate privileges (or gain privileged access) and abuse authentication mechanisms. They were observed to have forged trusted tokens. These tokens, akin to a security pass belonging to someone in the target organisation with high-level clearance, could grant the hackers access to restricted sections of the target organisation’s network as well as its assets in the cloud, such as e-mails. The hackers could also plant more backdoors in other parts of the breached network.

Also Read: PDPA For Companies: Compliance Guide For Singapore Business

Around 18,000 of SolarWinds’ public and private sector customers around the world downloaded – and were hence exposed to – the malicious software updates. Of these, experts believe that the hackers targeted a much smaller number of organisations with follow-on activity. The vast majority of this smaller group were US-based entities – US government agencies and tech companies, including the likes of Cisco, VMWare, and Microsoft.

What Makes the SolarWinds Breach So Serious, and What Can We Learn From It?

The SolarWinds breach is an example of a supply chain attack, in which the hacker’s intrusion into the victim’s network is facilitated by first compromising one of the victim’s trusted suppliers.

Supply Chain Attack

Supply chain attacks can generate wide “ripple effects”, due to the interdependencies that characterise the global economy. Organisations today often depend on external vendors such as tech firms and managed service providers. The compromise of a single, trusted supplier – or a popular and widely-used product – can result in multiple victims, some of which could be major vendors themselves with even larger customer bases. Such was the case in the SolarWinds breach. Cybersecurity agencies and researchers are still watching for signs of further breaches in the affected tech firms, which could have an even greater impact than the SolarWinds attack.

More insidious and problematic than compromising the SolarWinds supply chain was the hackers’ abuse of authentication mechanisms, which are a trusted part of a victim’s internal network. Their forging of authentication tokens allowed the hackers to roam the targeted network practically at will, as if they were one of the target organisation’s trusted employees. This makes detecting the hackers’ presence and tracing their steps within the network extremely difficult.

What are the key takeaways from this incident? First, it is likely that supply-chain attacks will continue to occur. Organisations should therefore make every effort to improve visibility over the activities and transactions happening inside their networks, especially if they rely on the services of vendors or third-party suppliers. The earlier they can detect breaches, the better their chances of mitigating the fallout in a timely manner.

Second, the SolarWinds breach demonstrates the asymmetric nature of the cybersecurity threat. Hackers can compromise a host of networks by exploiting just one vulnerability in a single supplier, while cybersecurity professionals need to constantly defend across all the systems under their charge, all the time. The odds are steep. Cyber-attacks are a matter of when, not if. Organisations must therefore continue to enhance and develop their cybersecurity capabilities and expertise.

Privacy Ninja can help your company find security vulnerabilities before the bad guys do. Learn how.

Third, the SolarWinds breach also highlights the importance of the international community’s efforts in establishing clear rules and norms to promote responsible behaviour in cyberspace. Without them, cyber threat actors will feel free to act with impunity, endangering the prospects of connected nations and digital economies everywhere.

How Have Agencies Responded Globally?

The interconnected nature of our global networks and supply chains means that many countries are potentially at risk from the fallout of the SolarWinds breach. Cybersecurity agencies around the world have issued advisories providing organisations with guidance to detect and mitigate any potential compromise. The global cybersecurity community have also shared insights and observations on the incident, including characteristics of the malware used to compromise SolarWinds, and methods of detecting and neutralising it.

So far, no government has definitively attributed the SolarWinds breach to any specific threat actor. The US government’s assessment, as set out in a joint statement by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Office of the Director of National Intelligence, and the National Security Agency, is that an Advanced Persistent Threat actor, “likely Russian in origin”, is responsible for the cyber-attack. Russia denied any involvement in the cyber-attack on SolarWinds, and claimed that the accusations were more evidence of Russophobia.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

There is no indication thus far that Singapore’s Critical Information Infrastructure (CII) and Government systems have been adversely affected by the SolarWinds breach. Nonetheless, the risk remains that somewhere along the supply chains of those tech firms that have been targeted, the hackers might have planted additional backdoors in preparation for future attacks. A real fear is that the hackers may have also penetrated the production networks of these tech firms and suppliers to corrupt their products, potentially putting millions of users at risk.

Once the SolarWinds breach was disclosed, CSA immediately raised the alert level and apprised all CII sector leads of the situation. Besides directing agencies to install the necessary patches and carry out thorough scans for indicators of compromise, CSA has also been working with sectors to step up vigilance and daily monitoring, even as the situation continues to evolve and new vulnerabilities are revealed. This involves CII sectors going through their logs over the past months with a fine comb for any indication of suspicious activity, such as unauthorised escalation of privileges and credentials abuse. In addition, CSA also advised the public on steps to better protect their systems against such threats. Most important of these are having full visibility of their networks, and implementing a regime of continuous monitoring for any unusual activity in the networks.

Mindful that cybersecurity is a team sport, CSA has tapped on our international partners closer to the frontline to learn more about the SolarWinds breach. This has helped CSA to better advise CII sectors on the preventive measures to take. CSA also organised virtual meetings with all ASEAN Member States to exchange insights and best practices arising from the incident, so that the region is better prepared against the potential threat that it poses. The proposal to establish an ASEAN CERT information exchange mechanism, welcomed by ASEAN Digital Ministers, will further contribute to regional cyber resilience in the face of transboundary cybersecurity threats.

Conclusion

The SolarWinds breach will not be the last major cybersecurity incident we face. The capabilities of cyber threat actors will only increase. CSA remains dedicated to the mission of securing cyberspace and protecting our digital way of life. Organisations, big or small, need to steel themselves for the inevitability of future malicious cyber activities and make efforts to strengthen the cybersecurity of their systems.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us