It wouldn’t be 2020 without one last rotten cyber surprise, with the potential compromise of multiple Fortune 500 firms and US government agencies, including the Treasury, the State Department, the Pentagon, and the Department of Homeland Security. The breach was traced backed to software vendor SolarWinds, who provide a platform which integrates with servers, network appliances, and other internal systems for centralized monitoring and management of a firm’s IT infrastructure.
Reports from the New York Times, Wired, Reuters allege that a wing of the Russian foreign intelligence service is responsible for the attack, and traces of compromise have been detected dating back to spring 2020. Cyber espionage group “Cozy Bear” are believed to have modified SolarWind’s update mechanism to distribute an altered version of their Orion software to customers, opening a backdoor into the private networks of hundreds of organizations. Once inside, they appear to have pivoted and breached individual servers, allowing them to compromise specific accounts and systems.
That last aspect of the attack is of particular interest. Ars Technica ran a story detailing how the Cozy Bear group have been observed to bypass two-factor authentication in the past, giving some insight into how they’re able to capitalize on a foothold in a target network. To be perfectly clear – this kind of attack requires existing network access. However, once a beachhead has been established, the attacker has access to the internal server which is responsible for authentication.
Two-factor authentication ("2FA") adds an additional layer of protection to any authentication system. There are many vendors who provide 2FA ‘as a service’, integrating their external solution with an organization’s own servers. In order to accomplish this, there must be trust established between the primary servers and the second-factor provider, by way of a uniquely generated, secret passphrase which is shared between the two systems. By extracting that passphrase, the attackers were able to calculate the resultant cookie which would be generated by a successful two-factor challenge. This allows them to turn back round and trick the original server into thinking that the 2FA check had already been completed.
By ‘bypassing’ the two-factor authentication in this way, the control is neutered – and all the attacker needs to access a mailbox, or another type of account, is the username and password to initiate the login. This type of attack is technically sophisticated, and again – is only possible with pre-existing access to the system in question. This kind of 2FA bypass would not be possible from outside the target network.
We can take some key points away from this incident as it unfolds:
These are all crucial points to consider as an asset manager – and valuable conversations to be had from the perspective of a due diligence practitioner. Are tools being correctly configured, with access keys and shared secrets properly protected? Are firewalls and security controls enabled on individual servers and workstations as well as the network edge? Is the attitude “We’re doing x, so everything’s fine” or is it “We’re doing x, and we’re reinforcing that with y and z”?
As we’ve written before – cybersecurity is a dynamic domain, and as in any arms race, bad actors will continue to develop new ways to bypass state-of-the-art controls soon after they’re implemented. Given that no single security tool is infallible, it’s all the more important to employ multiple, parallel controls, and to ensure that new strategies are evaluated and implemented as they become available. The cybersecurity arena is no place to rest on one’s laurels.
1080 Côte du Beaver Hall, Suite 904
Canada, H2Z 1S8
84 Chain Lake Drive, Suite 501
Canada, B3S 1A2
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
Floor No.15 Al Sarab Tower,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Level 36 Governor Phillip Tower
1 Farrer Place Sydney 2000
+61 (2) 8823 3370