The threat actors could perform virtually any task disguised as SolarWinds and even took great care not to execute on systems that had advanced vendor security monitoring and hardening present. The application itself was compromised via automatic updates and the threat actors leveraged unrestricted privileged access throughout the victims' environment using the application. In the case of SolarWinds, that is exactly what happened.
Thus, they are allowed full and unrestricted access to operate, which presents a massive attack surface. If the accounts have privileges and permissions removed, the application will most likely fail. The core issue is that these global administrative accounts are needed for the solution to operate correctly and, thus, they cannot operate using the concept of least privilege application management, which is a security best practice. Global shared admin accounts exist in many tools we commonly find today on premise and operating within our environments, including network management solutions, vulnerability management solutions, asset discovery tools, and mobile device management solutions, to name a few.
Global shared administrative access is typically used by legacy applications to monitor, manage, and automate on-premise technology. This type of access has been dubbed “god privileges” by many security professionals and introduces massive, unmitigable risk. The account is permitted to operate on behalf of a user, the system itself, or an application across any asset or resource within an environment.
For instance, the account may be allow-listed within application control software and excluded from antivirus software, so it is not blocked or flagged. This typically means security exceptions are made for it to operate unencumbered. What is global shared administrator access? It refers to when an account(s) has unrestricted access to an environment. This core security problem is the need for any application to have unrestricted access to everything on the wire, or in privileged access management terms, global (or domain) shared administrator (or root) access. With that said, organizations can take strategic steps to prevent this type of attack vector in the future-if they understand and address one of the fundamental problems of legacy infrastructure management. No vendor can legitimately claim that their solution would have outright prevented the attack on SolarWinds, and we should be wary of any such claims. Understanding the SolarWinds Attack and Application Privileges For the attacker, this digital infrastructure also presents the means to accumulate extraordinary wealth via stolen secrets, intellectual property, holding assets in ransom or blackmail, or by sabotaging the prospects of an adversary, whether a competitor or nation. We are also reminded that we have created an amazing digital infrastructure that, if compromised and its runtime and secrets stolen, could pose a massive impact to our world, economy, and the life we are slowly getting used to during a pandemic. You always can and should strive to reduce risk, but that risk dial never goes completely to nil. No amount of security controls, software, processes, and training can block every attack. In a year of brutal lessons, this attack serves as a very loud and humbling reminder-anyone can be hacked. The sophisticated, nation-state assault used to infiltrate SolarWinds Orion and then leveraged to compromise potentially thousands of its customers is astonishing in scope and potential fallout.