Beazley Cyber Insight - SolarWinds
Over the past year we have seen significant changes to the cyber risk landscape. Ransomware has grown in frequency and severity and extortion demand amounts have risen, resulting in costly business interruption losses. Cyber attacks have no boundaries and are truly a global issue and all too often can be avoided with the right IT security and risk management procedures.
As a leading cyber insurer, we have seen an upward shift in the underlying exposure and more of our clients are in need of our expert advice and support. We have invested in a number of tools to help better identify and correct vulnerabilities and have access to data, expertise and insight to address these risks proactively.
News that threat actors had succeeded in compromising the popular SolarWinds Orion IT management platform sent shockwaves through the cybersecurity community in December. Many organizations were concerned that their networks may have been exposed, as such sophisticated exploits can have far-reaching effects.
The aftermath of SolarWinds is continuing to evolve: the Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors were exploiting their initial access and moving into Microsoft cloud environments.
As the frequency and severity of cyber events continue to rise, our goal remains the same: to improve the overall risk management of our clients by raising the standards for detecting, preventing and responding to these events. We encourage you to review the following resources and best practices; cyber & tech clients should register for our risk management portal and take advantage of the resources at beazleybreachsolutions.com/cyberinsight.
On December 13, SolarWinds warned of a highly sophisticated, manual supply chain attack on its widely used IT monitoring and management platform, SolarWinds Orion. Threat actors were able to modify certain SolarWinds software updates to distribute malware. Known as “SUNBURST,” the malware creates a significant vulnerability in the systems of organizations that installed the updates. By exploiting the vulnerability, threat actors can install ransomware or additional malware, steal data from the network, obtain access to network resources, and install backdoors for remote access.
Secure Microsoft cloud environments
Early in January, CISA further warned that threat actors were exploiting unauthorized access to on-premises networks, whether obtained through the SolarWinds Orion compromise or through vectors such as phishing, to pivot into Microsoft cloud environments. Tactics include compromising or bypassing identity solutions, using forged authentication tokens, and using privileged access to establish persistence. FireEye has published additional technical guidance and released a tool that organizations can use to audit their Microsoft Azure Active Directory (AD) for indicators related to these attacks.
- Review the CISA guidance on detecting post-compromise threat activity and strengthening security configurations to defend against attackers targeting cloud services.
- Review FireEye’s Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 and consider deploying the Mandiant Azure AD Investigator.
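The tactics named above (tampering with identity and federation settings, adding credentials to applications, and using privileged access to persist) leave traces in a tenant's audit log. The following is an added example, not code from Beazley, CISA or FireEye and not the Mandiant Azure AD Investigator: it scans a constructed, simplified audit log for successful high-risk operations and flags any single actor who chains two or more of them within a short window. The field names, the operation strings and the sample records are assumptions made for the example; they are modelled loosely on Azure AD audit categories and do not reproduce the real log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records in a simplified JSON-lines shape (assumed
# format; not the real Azure AD audit log schema). The "svc-backup" activity is
# the constructed suspicious sequence; the failed ci-pipeline event is noise.
SAMPLE_AUDIT_LOG = """
{"time": "2021-01-04T08:12:01Z", "operation": "Update user", "actor": "admin@example.test", "target": "j.doe@example.test", "success": true}
{"time": "2021-01-04T08:40:33Z", "operation": "Set federation settings on domain", "actor": "svc-backup@example.test", "target": "example.test", "success": true}
{"time": "2021-01-04T09:02:10Z", "operation": "Add service principal credentials", "actor": "svc-backup@example.test", "target": "Mail-Sync-App", "success": true}
{"time": "2021-01-04T09:05:44Z", "operation": "Add member to role", "actor": "svc-backup@example.test", "target": "Global Administrator", "success": true}
{"time": "2021-01-04T09:30:00Z", "operation": "Add service principal credentials", "actor": "ci-pipeline@example.test", "target": "Build-App", "success": false}
"""

# Operations mapped to the tactic they correspond to. The strings are assumed
# names chosen for this example; map them to whatever your log source emits.
HIGH_RISK_OPERATIONS = {
    "Set federation settings on domain": "identity/federation tampering",
    "Add service principal credentials": "new application credential (persistence)",
    "Add member to role": "privileged role assignment",
}


def parse_audit_log(text):
    """Parse JSON-lines records, skipping blank lines; timestamps become aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_high_risk_events(records):
    """Return only *successful* events whose operation is in HIGH_RISK_OPERATIONS."""
    findings = []
    for rec in records:
        category = HIGH_RISK_OPERATIONS.get(rec["operation"])
        if category and rec["success"]:
            findings.append({"time": rec["time"], "actor": rec["actor"],
                             "target": rec["target"], "category": category})
    return findings


def actors_with_chained_activity(findings, window=timedelta(hours=2)):
    """Actors who performed two or more distinct high-risk categories within `window`.

    A single privileged change can be legitimate; federation tampering followed by
    a new app credential from the same account in a short span is what to triage.
    """
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], []).append(f)
    chained = set()
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            categories = {first["category"]}
            for later in events[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                categories.add(later["category"])
            if len(categories) >= 2:
                chained.add(actor)
                break
    return chained


def summarize(text):
    """Run the full pipeline over raw log text and return a compact triage summary."""
    findings = find_high_risk_events(parse_audit_log(text))
    return {
        "high_risk_events": len(findings),
        "chained_actors": sorted(actors_with_chained_activity(findings)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_AUDIT_LOG), indent=2))
```

Run it against an export of your own audit events after adapting the operation names; the per-actor window matters more than any single rule, because the individual operations are also what legitimate administrators do.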
Manage supply chain risks
Even if your clients were not directly affected by the SolarWinds Orion supply chain attack, their vendors and suppliers may have been. Understanding risk requires your clients to undertake effective vendor due diligence. They will want to identify vendors who may be at risk, determine whether their data or IT resources may have been accessed, and vet their vendors going forward.
- Beazley cyber & tech clients can watch our webinar Cybercrime Spotlight: Top Threats for 2021 to learn how to check the supply chain.
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- Microsoft Security Response Center, Customer Guidance on Recent Nation-State Cyber Attacks
- CISA Alert AA21-008A, Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- CISA Analysis Report AR21-013A, Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
- FireEye, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452