SolarWinds - Breaching Two Factor Authentication

It wouldn’t be 2020 without one last rotten cyber surprise, with the potential compromise of multiple Fortune 500 firms and US government agencies, including the Treasury, the State Department, the Pentagon, and the Department of Homeland Security. The breach was traced backed to software vendor SolarWinds, who provide a platform which integrates with servers, network appliances, and other internal systems for centralized monitoring and management of a firm’s IT infrastructure.

Reports from the New York Times, Wired, Reuters allege that a wing of the Russian foreign intelligence service is responsible for the attack, and traces of compromise have been detected dating back to spring 2020. Cyber espionage group “Cozy Bear” are believed to have modified SolarWind’s update mechanism to distribute an altered version of their Orion software to customers, opening a backdoor into the private networks of hundreds of organizations. Once inside, they appear to have pivoted and breached individual servers, allowing them to compromise specific accounts and systems.

That last aspect of the attack is of particular interest. Ars Technica ran a story detailing how the Cozy Bear group have been observed to bypass two-factor authentication in the past, giving some insight into how they’re able to capitalize on a foothold in a target network. To be perfectly clear – this kind of attack requires existing network access. However, once a beachhead has been established, the attacker has access to the internal server which is responsible for authentication.

Two-factor authentication ("2FA") adds an additional layer of protection to any authentication system. There are many vendors who provide 2FA ‘as a service’, integrating their external solution with an organization’s own servers. In order to accomplish this, there must be trust established between the primary servers and the second-factor provider, by way of a uniquely generated, secret passphrase which is shared between the two systems. By extracting that passphrase, the attackers were able to calculate the resultant cookie which would be generated by a successful two-factor challenge. This allows them to turn back round and trick the original server into thinking that the 2FA check had already been completed.

By ‘bypassing’ the two-factor authentication in this way, the control is neutered – and all the attacker needs to access a mailbox, or another type of account, is the username and password to initiate the login. This type of attack is technically sophisticated, and again – is only possible with pre-existing access to the system in question. This kind of 2FA bypass would not be possible from outside the target network.

We can take some key points away from this incident as it unfolds:

• Mind the supply chain: while this appears to have been a highly complex attack by a state actor, the payoff was huge: by compromising a vendor of network monitoring software, the attackers were able to gain backdoor access to that vendor’s clients, giving them the ability, in one broad swoop, to compromise multiple, high-value targets. No business operates on an island – everyone has service providers and vendors, and those are potential points of vulnerability.
  
  
• Keep it secret, keep it safe: complex IT environments are an inevitability with the increasing size and scope of larger organizations. Complexity becomes unruly without integration, and in order to accomplish this integration (such as an external 2FA provider or a single sign-on solution shared between platforms), there must be shared secrets which establish trust between them. These keys must be given the appropriate care and stored with commensurate security controls.
  
  
• Beware the pivot: we see, in this example, the importance of understanding how interconnected our networks are, and how a breach in one area can ultimately result in access to a seemingly unrelated system. Motivated attackers will use a single foothold to perform reconnaissance and probe for other weaknesses. Controls must be enacted within a network and on individual machines – it is not adequate to enact security measures at the network edge alone.
  
  
• Defense in depth: If there’s one actionable takeaway from the 2FA bypass element of this story, it’s the importance of implementing compensatory controls. While 2FA provides a vast improvement in individual account security, it is not infallible – there is no single, silver bullet solution which will always keep everything safe, forever. 2FA is an industry standard control, and we advocate its implementation – but not to the dismissal of strong password policies and credential management, along with other measures around access control, network access, and data classification. When you install a security system, you don’t stop locking the front door when you leave for work – the very principle of defense in depth is that multiple controls overlap, and compensate for each other, such that a failure of one of many security measures does not result in a system being completely exposed.

These are all crucial points to consider as an asset manager – and valuable conversations to be had from the perspective of a due diligence practitioner. Are tools being correctly configured, with access keys and shared secrets properly protected? Are firewalls and security controls enabled on individual servers and workstations as well as the network edge? Is the attitude “We’re doing x, so everything’s fine” or is it “We’re doing x, and we’re reinforcing that with y and z”?

As we’ve written before – cybersecurity is a dynamic domain, and as in any arms race, bad actors will continue to develop new ways to bypass state-of-the-art controls soon after they’re implemented. Given that no single security tool is infallible, it’s all the more important to employ multiple, parallel controls, and to ensure that new strategies are evaluated and implemented as they become available. The cybersecurity arena is no place to rest on one’s laurels.