Anatomy of a Breach

Anatomy of a Breach

The fallout of a breach is serious.

In recent months, the seriousness of a breach fallout has been shown in the cyber incidents at SolarWinds, Colonial Pipeline, and Kaseya.

In December 2020, in a SEC filing, SolarWinds said it was a victim of a supply chain attack in which the company’s Orion software build system was breached. The company said 18,000 customers were affected. In its First Quarter 2021 Preliminary Financial Results, SolarWinds said it spent between $18 million and $19 million in the first quarter of 2021 to investigate and remediate the breach incident.

In May 2021, Colonial Pipeline disclosed that it responded to a ransomware attack on its system by proactively taking certain systems offline and temporarily halting all pipeline operations. The company also paid the ransomware attackers $5 million.

Just this month, Kaseya disclosed that 60 customers, all of which were using the Kaseya VSA on-premises product and many of which provide IT services to multiple other companies, were impacted by the ransomware attack on Kaseya.

The ransomware attack on Kaseya affected 1,500 downstreambusinesses. Swedish supermarket Coop, one of the affected businesses, for a time, temporarily stopped its operation due to the attack on Kaseya.

In a breach, the turmoil that happens in the background doesn’t make it to the breached company’s press statement. These include staff confusion of what happened and a barrage of customers trying to get hold of the company representative of what actually transpired.

How Hackers Break In

In the case of the SolarWinds breach, SolarWinds CEO Sudhakar Ramakrishna said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in technical and business roles. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment,” Ramakrishna said.

In the case of the Colonial Pipeline breach, Charles Carmakal, senior vice president at cybersecurity firm Mandiant told Bloomberg that attackers were able to initially compromise Colonial Pipeline systems through a dormant VPN account.

The VPN account, which has since been deactivated, didn’t use multi-factor authentication (MFA), Carmakal said. It isn’t clear how the attackers got hold of the VPN account password. The password, however, is part of the leaked passwords on the dark web.

In the case of the Kaseya breach, researchers at Cisco Talos Intelligence Group reported that the initial compromise of Kaseya VSA servers appears to have been the result of the successful exploitation of an unpatched software vulnerability CVE-2021-30116. This vulnerability in Kaseya VSA before 9.5.7 allows credential disclosure. In the case of the Kaseya breach, the attackers used the credential disclosure to gain privileged access to vulnerable Kaseya VSA servers for the purposes of ransomware deployment. 

Stages of a Breach

Stage 1: Initial Foothold

As shown in the above-mentioned breaches, attackers used different initial entry tactics in gaining an initial foothold of their victim’s systems. In the case of the Solarwinds breach, the attackers gained initial entry to the company’s systems by compromising an email account.

In the case of the Colonial Pipeline breach, the attackers gained initial entry to the company’s systems through a dormant VPN account thatwas unprotected by MFA. In the case of the Kaseya breach, the attackers gained initial entry to the company’s systems through unpatched software vulnerability.

Stage 2: Gaining Elevated Control

Once attackers gain an initial foothold on the victim’s systems, they then aim to escalate their privilege. Attackers may take control of the local system, or look for other systems that offer a greater chance ofgaining greater access to valuable data or administrative privileges.

Keylogger and network scanning are two tactics used by attackers in gaining elevated control. Keylogger is a type of malicious software (malware) that records the keyboard keys that the user presses. Attackers capture user’s other usernames and passwords through keylogger.

In network scanning, attackers catalog the systems that can be accessed. These include services, host machines, and resources that are active on the victim’s network.

Stage 3: Expanding to the Network

After gaining elevated control, attackers install a permanent backdoor or alternate mechanism for long-term access to the systems. Botnet and living off the land are two of the tactics often used by attackers at this stage.

In the botnet tactic, the compromised computer is infected withmalware and made part of a group of infected computers controlled by the attackers for malicious activities such as distributed denial-of-service (DDoS) attacks. In living off the land, meanwhile, attackers utilize native resources, as opposed to malware, giving the attackersthe freedom to come and go and move around the networks undetected and staying off the radar of security systems.

Stage 4: Staying for the Short or Long Term

After expanding to the network, the attackers may stay either for short or long term. The length of the period depends on the attackers’ motivation, whether for fame, money, revenge, or political reasons.

For attackers who wish to stay for long term on the compromised network, a backdoor is often employed. A backdoor is an entry point into a network or system allowing the attackers continued access.

For attackers who wish to stay for short term only on the compromised network, attackers use the smash-and-grab technique, that is, after compromising the system, they steal data and quickly leave.