Tripwire Enterprise Detects Solarwinds Vulnerability

One of the biggest attacks in recent history is the Solarwinds hack that came to light in December of 2020. The actual attack began in 2019 when suspected Russian state actors were able to plant a “backdoor” inside of a Solarwinds software update. This then gave the attackers access to Solarwinds customers’ networks, allowing them to quietly monitor their activity for close to a year. This resulted in the jeopardization of sensitive data from hundreds of companies as well as government institutions..

It appears as though the attackers exclusively used their access to networks for monitoring purposes, but the breadth of the networks the attack touched gave it the potential to be the most damaging and costly attack of all time.

Tripwire exists to combat that risk and ensure that the digital integrity of its customers is never compromised. For this reason, Tripwire was eager to assist when a long-standing customer, who was also a Solarwinds customer, reached out to Tripwire for assurance that they had been unaffected by the Solarwinds hack.

The company that reached out to Tripwire is a massive communications company and therefore employs a variety of cybersecurity equipment for specific use cases. For this reason, this company needed Tripwire to determine whether or not any of their systems used the Solarwinds software and were exposed to the malicious code.

In order to achieve this, Tripwire first determined the specific files and file hash content associated with the attack. The Security Engineering & Assurance team quickly downloaded the malicious hash content and imported it into Tripwire Enterprise. Scans were then run checking for the presence of the assets using only pre-existing Tripwire Enterprise rules such as critical change auditing and white list profiling in order to generate the report. Results came back quickly and the entire process concluded within a couple of hours.

The findings indicated that the company did in fact have some systems in its environment that had the malicious Solarwinds software installed on it. The findings were then forwarded to the company’s security and operations team for containment and removal.

The findings were precise and enabled their team to identify specifically where the malicious content had been embedded and therefore what information may have been compromised. It is important to note that no other security software used by the company was able to detect the presence of the malicious code across their systems.

The company was highly impressed with the results, as reflected by this quote from its senior cyber security engineer:

“I want to let you know this week Tripwire has really shined in our environment and we are showing our value.”

This successful utilization of Tripwire Enterprise demonstrates its ability to accurately locate highly specific malicious content. Such a capability enables cybersecurity personnel to respond quickly and accurately in circumstances where speed and accuracy can prevent tremendous damages.

As we take into account the future of cybersecurity and cyber attacks, it is evident that new common practices must be put into place in order to limit the possibility of disastrous attacks such as this one occurring again. First, it is necessary for everyone to understand that there is absolutely no such thing as immunity to cyberattacks. The irony behind the Solarwinds attack is that the companies that were exposed to the malicious software update were simply trying to secure their network by updating their security software. Therefore it stands to reason that companies must maintain a constant vigilance in order to protect their network.

Another key element to reducing the possibility of such an attack occurring is education. This is the responsibility of everyone from software engineers to sales representatives to end users. A more educated IT and OT space is much better equipped to tackle the most pressing cybersecurity issues together.