February 28, 2021

The Daily Roar

Curated News for Traditional Americans

How $36B Palo Alto Networks narrowly avoided SolarWinds hack


  • The $36 billion security firm Palo Alto Networks almost fell victim to the hackers behind the massive SolarWinds attacks.
  • The firm detected an intrusion in late 2020 but isolated the issue before hackers could access anything, an exec told Insider.
  • It assumed it was a one-off hack attempt until the SolarWinds news broke and advises firms to “isolate” threats.

In late 2020, researchers at the cybersecurity firm Palo Alto Networks detected that someone was attempting to download malware on one of its servers, which was operated by the IT company SolarWinds.

After an artificial intelligence-powered tool flagged the issue, they quickly shut off the download attempt, assuming it was an isolated incident. But mere weeks later, news broke that hackers had compromised SolarWinds’ software and used it to infiltrate major companies, leading cybersecurity firms, and the highest levels of the US government.

“At the time, it wasn’t a big incident for us. We thought, ‘We detected this, we stopped it, and we’re done,’” Palo Alto Networks deputy director of threat intelligence Jen Miller-Osborn told Insider. “We didn’t realize how major this was going to be.”

It dawned on Palo Alto Networks researchers that they had narrowly avoided falling victim to the hackers behind the SolarWinds breach. Since then, other security providers including Microsoft, FireEye, CrowdStrike, and Malwarebytes have all disclosed that they were hacked.

Now, like many of its peers, the $36 billion company is rushing to aid clients who might have been affected and to uncover more information about the extent of the hacks, Miller-Osborn told Insider. Cybersecurity firms are still in the early stages of identifying the entities targeted by the hacking campaign, which began as early as March, and of ensuring that intruders are fully removed from victims’ networks.

“We’ve learned that this was incredibly broad,” Miller-Osborn said. “This was a very large scale espionage campaign with a lot of capability and a lot of patience.”

SolarWinds hackers’ tactics are “very, very uncommon”

The hackers behind the campaign began by compromising SolarWinds’ software product Orion. The malicious code was pushed to victims in Orion software updates between March and May, but rather than immediately beginning to spy on victims, the hackers waited months before activating the malicious code.

That made it exceptionally difficult to detect the hackers’ intrusion early on, according to Miller-Osborn.

“There’s really nothing anyone could have done to detect that initial component,” she said. “It wasn’t until some malicious behaviors actually started happening that there was an opportunity to detect it.”

It’s rare for cybercriminals to demonstrate so much patience, she added: “It’s very, very uncommon where you see actors who will deploy any sort of malware and have it sleep for a long period of time.”

But then, after months of waiting, the hackers attempted to deploy a “second payload” in the SolarWinds software that would have allowed them to break into victims’ networks. Researchers with Unit 42, Palo Alto Networks’ threat intelligence division, immediately detected that activation in late 2020 using the firm’s AI-powered security product, Cortex. They quickly isolated the SolarWinds server so hackers couldn’t gain access to the company’s networks.

As the security firm works with clients who might have also been affected by the SolarWinds hacks, Miller-Osborn said her team is encouraging organizations to take on a “zero trust” defense model that assumes any person or system could be compromised. Zero trust also makes it easier to isolate specific computers or servers from their broader tech infrastructure, she said. 

“You really need to catch that first victim or that first exploit and be able to isolate the box and stop the process,” she said. “Attackers will always take the easiest point of entry.”
