This was transcribed from Jake Williams' webcast on December 14th, 2020. You can find the presentation slides here. Supply chain attacks are not common, and the SolarWinds Supply-Chain Attack is one of the most potentially damaging attacks we've seen in recent memory. Of course, as it is an evolving situation, we will likely know more as the days progress, but this is what we know as of now.

FireEye announced that it had been hacked by a nation-state, and since that announcement they've been incredibly transparent, publishing information about the breach and what they've learned about it in their investigation. On December 13, Chris Bing of Reuters broke the story that the US Treasury Department had been compromised by a sophisticated adversary. Shortly after, Ellen Nakashima of the Washington Post confirmed with background sources that the US Treasury breach was perpetrated by the same group that targeted FireEye, that SolarWinds was involved in both breaches, and that it was perpetrated by threat group APT29 (Cozy Bear/Russian SVR).

SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. The most widely deployed SolarWinds product is Orion, which is a Network Management System (NMS). Not to be confused with NSM, which in security is a network security monitor.

NMS are prime targets for attackers for a variety of reasons. First, the Network Management System must be able to communicate with all devices being managed and monitored, so outbound ACLs are ineffective, making it a prime location. Second, many NMS are configured to both monitor for events and respond to them. This means that the Network Management System can make changes on behalf of its configuration. Any changes the NMS can make, the attacker can too. Even when NMS are "monitor only", the credentials used still offer some level of access to the attacker. An attacker who compromised an NMS can usually reshape network traffic for MitM opportunities and can often use credentials for system monitoring to laterally move to target systems. The Orion NMS has broad capabilities for monitoring and managing systems, including servers, workstations, network devices, etc. Not every organization is going to have SolarWinds configured identically, but when they do have SolarWinds configured, it is definitely a great targeting point for attackers. One reason for this is that in order to monitor systems they have to do some type of system integration. At the very base level, it may be something just as simple as a ping command. That doesn't really provide any information: either the ping succeeded or it didn't. What we're really looking for in the majority of cases is the status of the individual communications link.

Who Uses SolarWinds?

SolarWinds has over 300,000 customers, and many of them are heavy hitters: much of the US Federal government including the Department of Defense, 425 of the US Fortune 500, and lots of customers worldwide. SolarWinds is to NMS as Kleenex™ is to tissues. The better question would be, who doesn't use SolarWinds? They are one of, if not the, Network Management System. One of the big takeaways from this event is going to be more involvement between our IT and IT security teams in trying to level set and answer the question: "What risk are we taking on these Network Management Systems?"

The malware was deployed as part of an update from SolarWinds' own servers and was digitally signed by a valid digital certificate bearing their name. This strongly points to a supply chain attack. The certificate was issued by Symantec with serial number 0fe973752022a606adf2a36e345dc0ed. We don't believe the certificate itself was compromised. This isn't a case where we know that an attacker compromised a certificate and is then using it to deploy software or malware through their own channels. In this case, they were actually deploying it through SolarWinds' own distribution channels. While the certificate needs to be revoked at some point, revoking the certificate now is unlikely to do a whole lot.
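A triage check for the certificate discussed above, added here as an example and not part of the webcast or its slides: it inventories the Authenticode signer of every SolarWinds binary under an assumed install path and flags the files signed with the serial number given above. The search path is an assumption; the serial is the one stated on this page.

```powershell
# Added example (not from the webcast): list Authenticode signers of SolarWinds binaries
# and flag any file signed with the certificate serial quoted above.
# $SearchRoot is an ASSUMED path; point it at your real Orion install or update cache.
param(
    [string]$SearchRoot  = 'C:\Program Files (x86)\SolarWinds',  # assumed location
    [string]$KnownSerial = '0fe973752022a606adf2a36e345dc0ed'   # serial from the page
)

$inventory = Get-ChildItem -Path $SearchRoot -Recurse -File -Include *.dll,*.exe,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status                              # stays Valid: the cert is genuine
            Signer     = $sig.SignerCertificate.Subject
            Issuer     = $sig.SignerCertificate.Issuer
            Serial     = $sig.SignerCertificate.SerialNumber      # uppercase hex, no separators
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# -eq is case-insensitive in PowerShell, so the lowercase serial from the page matches.
$flagged = $inventory | Where-Object { $_.Serial -eq $KnownSerial }

$flagged | Format-Table Path, Status, Serial, Sha256 -AutoSize
"Files signed with serial ${KnownSerial}: $(@($flagged).Count)"
```

A match only shows that a file carries SolarWinds' legitimate signature, which every clean Orion binary does as well; the list scopes which hashes to compare against vendor-published values rather than identifying the trojanized update on its own, which is the same point the text makes about why revocation alone does little.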