On December 14, it was revealed that 18,000 organizations around the world downloaded network management tools containing a backdoor that was used to install malware in organizations that used the software from SolarWinds.
The attacks hit the Department of Homeland Security, as well as the U.S. departments of Treasury and Commerce, parts of the Defense Department and the State Department, and National Institutes of Health.
Publications including The Washington Post and The New York Times cited unnamed government officials that said Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB) was behind the compromises.
In response, The Cybersecurity Infrastructure and Security Agency issued an alert directing all federal agencies to disconnect SolarWinds products immediately. As a FireEye blog post noted, the campaign may have been going on for months, possibly since March 2020.
Founded in 1999, SolarWinds — which is also a Thoma Bravo company — is a familiar tool for IT operations and monitoring teams across enterprises of all sizes.
Despite the severity of this incident, there are steps that IT operations and monitoring teams can do to prevent similar cyberattacks. According to William White, Security and IT Director of BigPanda, the solution is choosing SaaS solutions instead of on-premises software such as SolarWinds.
For example, SaaS solutions can help retain control as you decide what data you send to the SaaS provider and there is no need to install software locally. SaaS-based software also eliminates the need to install complex third-party software and avoids the need to grant elevated permissions or highly privileged accounts for the software to run. These elevated permissions can create risks, and don’t exist with SaaS solutions.
SaaS-based software tools also remove the need to review vendor patches or hotfixes, and SaaS solutions mean businesses don’t have to exclude directories or policies from antivirus and anti-malware scans. This is how the SolarWinds exploit avoided detection, since the malicious code had a safe harbor to help it avoid detection.
SaaS-based software isn't just monitored and secure, but because the data is encrypted by default, customer information is often secure in the event of a hack.