I always want more access, so does Russia
The Russians are probably lurking elsewhere in a Solarwinds victim’s environment, but that shouldn’t shock you
The SolarWinds hack (and now Exchange) has taken over the news recently, and many security practitioners are curious about how to respond. As an attacker, I will candidly tell you that if you were breached, your best strategy is to assume Russia has established a presence in your network, and respond (reimage your endpoints) accordingly. It’s easy to feel like hackers are unstoppable forces of nature. But they make mistakes, take risks, and above all, fear being caught. To help you understand what went wrong, let me take you through what I would do (and Russia probably did) to move laterally within a system.
Once an attacker is in an organization’s network (a SolarWinds customer in this case), their next move is pretty much to hurry up and wait — and critically not get caught. As the adversary, I’m in surveillance mode and situational awareness is key. I’m operating in a territory of unknowns. I’m not just going to land and expand as soon as I have access, because every step I take increases the likelihood I’m going to be caught. And getting caught means I’m kicked off the system and likely losing access to my exploit (which I no doubt either paid a lot for or spent a long time creating).
Watching and waiting + escalating privileges
In the Solarwinds case, the attackers landed on systems with admin privileges, but often an attacker doesn’t, which means one of the first steps is hunting for credentials as users signin and signout of the surveilled machine. Also, I can’t edit the logs to erase evidence of my presence, so I need to find anything on the local network that’s making itself known and can learn about its presence without having to send any traffic. Only once I’ve learned a lot more information and collected a number of backup credentials — when it’s no longer your box, but my box — will it be time to move on to other assets.
It’s like infiltrating an airport. You know the language, but you don’t know much else. You don’t know the time tables of arrivals and departures, where the luggage is processed or how the security guards move. All you can safely do at this point is absorb information by looking for recognizable signs. Which locked doors require security clearance? Who will be coming through this airport and what will they have with them of value when they do? What other airports does this one connect with?
I’ll profile everything I can about the system — how many systems does it have access to, have admins logged on recently, and what sort of defensive tools is it running?
Making your box my box: getting root access
Once I know enough about the machine — the pattern of life — and I’m confident I won’t get caught, I can switch from passive to active reconnaissance. I can start to query the system for information I need. I can look for who’s traveling through my space and how they’re moving. I can see where they are going next and I can even keep a log of the credentials they use to get there. In a public space, I may touch a web server, and query that for information.
After using the access I already have — gleaning all the intelligence available — I need to get more access (I always want more access.) My ultimate goal is root access — I want even more control than you have. I have to do some research here: go to google and understand more about escalation options available. One of my favorite things to do is disable protections on local systems so that local defenders can’t monitor my actions. Sometimes, I’ll set up an implant that gives me connectivity. Sometimes I’ll install an alternate access system as a safety net that I can use to get back in six months or a year down the road. I’m looking for total dominance of the asset I’ve infiltrated- making your box my box. In the airport analogy, I’m shedding my passenger disguise and turning into the floor manager.
An incident response team once probed one of my team’s toeholds in their environment, giving us the information we needed to pivot onto their computer. Once there, we were able to watch and disrupt their actions in real time, even stealing credentials from them. Suddenly they were running in circles, having to do forensics on their own forensics. We watched on their surveillance cameras as an IT person crawled through the sub ceiling of their offices following cables.
Land and expand
Now I can start to reach out to other systems, but I have to treat each new box I infiltrate the same — keep a low profile until I have a solid understanding of the machine and what’s going on there. I don’t want to make a lot of noise, but I want to learn as much as possible. You can see a pattern developing here. This process gets rinsed and repeated several times until I’m multiple boxes deep. Once I have that kind of toehold, I feel confident that even if the defense starts to run incident response, I have a backup plan: I will make a diversion somewhere far away from where I’m hiding.
Here’s an example: my team and I once compromised a security appliance at a financial company. We were in the system, but with extremely low privileges. So the first order of business was get ourselves out of the logs and get root privilege so we could learn more about this box. After some more recon, we figured out people were logging into the system in order to send “secure” emails. We were able to create a “secure” email account and stress the system from there. These stress tests helped us find a bug that took us from end-user access to web server access/control. So we changed some code to harvest credentials from everybody coming into the system. This was, by the way, one tactic used by the SolarWinds attackers. In our case, we just let that run for about a week — we were hedging our bets here: even if we got no further than this box, we would at least have a list of credentials we might be able to use elsewhere.
Next, we started passively listening to network traffic. We realized we could actually see some other computers. We couldn’t see everything, but we had a window. And luckily, we found this system did have some ability to ask questions from a local domain. So we started asking questions. Questions like, ‘What is every other machine in the network?’ or ‘How many users are currently on the network and what are their credentials? We had moved into active reconnaissance. Eventually, that led us to figure out what other computers on the network we could reach.
Victims of the SolarWinds attack should act as though the Russians are still lurking beyond your Solarwinds box — they have toeholds elsewhere in your system. Do what you can to get visibility and find out where else they are in your system. It comes down to the fundamentals: implementation, logging and monitoring.
Assume I already succeeded
The point of the story above, is not to scare you into thinking hackers are omniscient. We happened to successfully move through the system’s assets pretty easily in this case, but only for the grace of many mistakes on the parts of the defender. As we were getting root access and probing other networks, we were triggering alerts left and right. And we had no way of knowing if, where or when those alerts were being fired. The only way we were able to continue our work was that the IR team saw strange traffic and chose not to investigate. With the right triggers and proactive response protocol, IR teams can make life very difficult for people like me. However, this is an ongoing effort. If you ever spot me in your system, you must assume I also have toeholds elsewhere.