The Secret IR Insider’s Diary – from Sunburst to DarkSide

by Jeremy

It’s been an unusual few weeks. Since the massive Sunburst supply chain compromise attacks, which exploited a backdoor in organizations’ SolarWinds Orion network management software, my team’s day-to-day activities have changed: we’ve spent a lot of time doing vulnerability and compromise assessments for companies alongside our usual work of remediating actual breaches and cyber incidents. Naturally, organizations that use SolarWinds are concerned that their networks may have been exposed to the vulnerability or breached.

So we’ve spent a lot of time on calls with companies, walking them through the appropriate steps to find out if they were using the vulnerable versions of the SolarWinds Orion suite and, if they were, helping them to assess if their systems had been compromised and guiding them through the process of removing the backdoor and updating their plans. The good news is that most of our assessments resulted in no breaches being found.

Then, when this Sunburst-related work was starting to tail off, news of the Hafnium exploits of Microsoft Exchange vulnerabilities broke, launching my team into another round of compromise assessments and helping companies to patch and update their systems. It reminded me of the situation in cyber security five to 10 years ago, when web shells were commonplace. Back then, good security practice involved finding out which web servers were exposed to the internet, and mitigating risks by regular patching and updates against vulnerabilities, deploying a demilitarised zone (DMZ) between web-facing servers and internal networks, closing ports that were not used, and deploying two-factor authentication (2FA) for admin access to servers. The SolarWinds and Exchange vulnerabilities highlight just how relevant those security fundamentals still are today.
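The "find out what is exposed and close what is not used" step above is easy to turn into a repeatable check. The script below is an added example, not code from the original post: it parses the output format of Linux `ss -tlnp` (the sample output and the allowlist of expected port-to-process pairs are constructed for this example, not taken from any real host) and reports every network-reachable listener that is not on the allowlist, including an allowed port that is owned by an unexpected process.

```python
"""Flag listening sockets that fall outside an allowlist of expected services.

Added example, not from the original post. It parses the output format of
`ss -tlnp` on Linux; the sample output and the allowlist below are constructed
for illustration, not captured from a real host.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output: a header line plus five listeners.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=2203,fd=9))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical allowlist for a web-facing host: port -> process expected to own it.
ALLOWED_LISTENERS: Dict[int, str] = {22: "sshd", 443: "nginx"}

# Addresses that are only reachable from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")

Listener = Tuple[str, int, str]


def parse_ss(output: str) -> List[Listener]:
    """Return (local_address, port, process_name) for each LISTEN line."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")  # handles "[::]:22" as well as "0.0.0.0:22"
        # The Process column looks like users:(("sshd",pid=812,fd=3)); pull the name out.
        match = re.search(r'\(\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def unexpected_exposure(listeners: List[Listener],
                        allowed: Dict[int, str] = ALLOWED_LISTENERS) -> List[Listener]:
    """Return network-reachable listeners that are not on the allowlist.

    Loopback-only sockets are ignored because they are not exposed to the
    network. An allowed port owned by a different process is still reported,
    since that is what a replaced or hijacked service would look like.
    """
    findings: List[Listener] = []
    for addr, port, proc in listeners:
        if addr.startswith(LOOPBACK_PREFIXES):
            continue
        if allowed.get(port) == proc:
            continue
        findings.append((addr, port, proc))
    return findings


if __name__ == "__main__":
    for addr, port, proc in unexpected_exposure(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {addr}:{port} owned by {proc}")
```

On the constructed sample the only finding is the `java` process listening on 0.0.0.0:8080; the PostgreSQL socket bound to 127.0.0.1 is ignored, and both the IPv4 and IPv6 `sshd` sockets match the allowlist. On a real host you would feed the script the live output of `ss -tlnp` and keep the allowlist under version control so that a newly appearing listener shows up as a diff rather than going unnoticed.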
