While many of us take an opportunity to relax around the holidays, cyber criminals refuse to take vacation and instead ramp up their onslaught of attacks. The latest breach dominating the headlines involves a massive compromise that involved using a backdoor in the SolarWinds Orion monitoring tool to hack hundreds (and counting) of corporate systems, as well as six federal agencies, including the Department of Homeland Security.
The following Q&As provide an overview of how a backdoor was used to accomplish the attacker's mission, the damage that can result from these attacks, and steps to take in order to help avoid the same outcome for your business.
In the world of computing, what is a backdoor?
A backdoor refers to any alternative process that allows users to covertly circumnavigate normal security protocols to gain privileged user access to an application, computer, or network.
Why would a vendor provide a backdoor feature in their hardware or software?
Backdoors are occasionally implemented by hardware or software vendors to provide an alternative means of gaining access to their technology for authorized users. Reasons for creating a backdoor include a means for troubleshooting issues or to provide access to customers who have become locked out of a hardware or software product. When used in this manner, a backdoor can be a very convenient and beneficial feature.
Can cyber criminals leverage these backdoors for malicious purposes?
Just like any well-intentioned tool or feature, chances are that cyber criminals will attempt to corrupt it for their nefarious purposes. An attacker may commandeer a legitimate backdoor or use malware to surreptitiously implement a new backdoor into a piece of hardware or software so that they can bypass security and avoid their activity from being detected.
What can an attacker do once they establish a backdoor?
Once they have implemented a backdoor, attackers can use it for malicious purposes, including theft of sensitive data, deployment of ransomware, execution of cryptojacking (illicit cryptocurrency mining), or manipulation of hardware or software functionality. Since backdoors can be difficult to detect, attackers can remain hidden for a significant amount of time.
What role did a backdoor play in the recently reported massive compromise that involved hundreds of corporate systems (and counting), as well as six federal agencies, including the Department of Homeland Security?
While the investigation is underway and details are still being pieced together, experts agree that criminals established at least one unauthorized backdoor in SolarWinds Orion, a popular network monitoring tool used by thousands of businesses. This backdoor allowed unauthorized access for several months, although it is uncertain what exactly the criminals did with this access, or whether they still possess access to the compromised systems. Adding to the high level of concern, a second backdoor was discovered during the investigation, possibly established by a separate threat actor.
What can my company do to avoid these types of attacks?
Follow vendor guidance on applying the latest patches to your software (including antivirus software), hardware, and operating systems. Unpatched systems can result in vulnerabilities that can be leveraged by attackers.
Monitor your network to identify and investigate any anomalous activity that could be indicative of unauthorized users within your environment.
Conduct a cybersecurity risk assessment and periodic network vulnerability scans and penetration testing to identify any potential weaknesses in your technological defenses.
Avoid installing any software, plugins, or patches before they are properly vetted by your IT department or consultant.
If you utilize SolarWinds, contact their technical support team to receive guidance on patching and updating the software.
If your network is monitored by a third-party service provider that utilizes SolarWinds, contact them to ensure that they are investigating any chance of a downstream compromise.
Citrin Cooperman can provide the resources you need to defend against cybersecurity threats. Contact Kevin Ricci for more information on how we can help keep your business safe and secure.