Identity at the Center #75 - SolarWinds Breach with Paul Volosen

Dec 28, 2020
In this engaging discussion, Paul Volosen, an Information Security Architect and VP at Mitsubishi UFJ Financial Group, dives into the alarming SolarWinds breach. He explains the Trojanized updates and their stealthy execution, highlighting the implications for Active Directory and identity access management. Paul reveals how attackers leveraged theft of private keys to impersonate users and outlines the broad international impact. He stresses the importance of monitoring vendor privileges and shares how MFA played a crucial role in the breach's discovery.
INSIGHT

Supply-Chain Trojanized Updates

  • The SolarWinds Orion compromise inserted Trojanized updates into a popular network management tool between March and June 2020.
  • That supply-chain intrusion potentially affected ~18,000 customers and gave attackers high-privilege footholds.
INSIGHT

Advanced Anti-Detection Behaviors

  • The malware used multiple anti-detection checks like detecting VMs, SolarWinds environments, and security tools before executing.
  • These heuristics delayed detection and complicated forensic inspection across victims' networks.
INSIGHT

On-Prem Attack Leads To Cloud Compromise

  • Once active, the trojan created accounts and escalated privileges using the Orion service's high permissions.
  • Attackers targeted on-prem AD to reach domain admin and abuse federation to access cloud resources.