As the CIO of a cybersecurity company, I have been kept up at night lately by the massive breach of SolarWinds through a supply chain attack. Security and IT practitioners around the world did not have a restful time these last couple of weeks and holidays as they responded across public and private organizations to understand the impact and scope. Let's take a look at the timeline of the SolarWinds supply chain attack:
This supply chain compromise enabled the attacker to deploy malware through someone else's software delivery mechanism. It appears targeted at US federal agencies while also enabling access to corporate, state, and local entities. The update was digitally signed with the SolarWinds certificate, which raises the question of how the attackers got access to it (insiders?). The download site was insecure, but they still had to sign the update for it to be trusted by Windows. The list of affected organizations now includes Microsoft, the Treasury Department, the US Department of Commerce, NIH, CISA, DHS, the US Department of State, NNSA, DOE, three states, and the City of Austin. The full impact of these breaches will not be known for some time. This points to the need (just as EternalBlue did) to modernize our stack to reduce reliance on vendors with high rates of vulnerabilities such as Microsoft, Oracle Java and Adobe, to step up our pace of patching, and to improve our ability to monitor anomalous user behavior.
To sum it up, it seems like while we were arguing about wearing masks, we got owned by the Russians.
Eric is a traveller, hacker, and experimenter who is currently researching how to become a happier, calmer, and more compassionate human being.