A Voice in the Wild: Did The SolarWinds Attack Include an Advanced Persistent Threat to Voice, Video, and Messaging Platforms?

Earlier this week, Microsoft Corporation’s President Brad Smith said that the “SolarWinds” hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is “the largest and most sophisticated attack the world has ever seen.”

According to Reuters, the operation, which was identified in December and that the U.S. government has said was likely orchestrated by Russia, breached software made by SolarWinds Corp, giving hackers access to thousands of companies and government offices that used its products.

The hackers got access to emails at the U.S. Treasury, Justice and Commerce departments, and other agencies.

Cybersecurity experts have said it could take months to identify the compromised systems and expel the hackers.

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said during an interview that aired on Sunday on the CBS program “60 Minutes.”

The breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software, and likely relied on hundreds of engineers.

SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, according to Microsoft O365 CEO Sudhakar Ramakrishna. Instead, by compromising the credentials of SolarWinds staff, the hackers were able to gain access to and exploit the SolarWinds development environment.

The US Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.

While investigations are ongoing, and new information is being revealed on a near-daily basis, we asked Internet and VoIP pioneer David Walsh, currently CEO of XChangePoint Networks, and before that CEO and Chairman of Ribbon Communications, one of the largest security border control providers, and Co-Founder of Kandy, a company recently acquired by AVCT which provides CPaaS, UCaaS, and other Real-Time Communications (RTC) offerings, if cloud-based collaboration applications are vulnerable to Advanced Persistent Threats (APTs).

“The way enterprises work today is dramatically different than it was just a year ago,” Walsh said. “The COVID-19 health crisis accelerated digital transformation of real-time collaboration, as organizations were forced to move to Cloud Communications to support Work From Home scenarios, supporting hundreds of millions of workers around the world. For many organizations, including healthcare providers, health insurance providers, banks, financial services companies, government agencies and more, this meant moving massive contact centers to the cloud, in many cases over a weekend.”

Walsh explained that for organizations handling very sensitive information, the rush to take so many workers online from their homes, outside the typical physical security perimeters associated with offices, meant standing up solutions without the full suite of security capabilities built-in.

“For example, the US Government agreed to drop HIPAA compliance regulations associated with telemedicine, putting the private information of hundreds of millions of patients at risk. There simply was no choice,” Walsh said.

Today we are seeing IT and security operations professionals investing in protecting interactions, data, and reputations with advanced cybersecurity solutions.

“One of the areas often ignored is RTC, especially voice, as voice is growing, thanks to cloud-based platforms, and the transformation of contact centers who now use everything from live human voice to Natural Language Processing automated voice as part of modern Robotic Process Automation, which is tempting adversaries to hack into millions of conversations as valuable attack vectors,” Walsh said.

With Remote Access in place, employees can tap resources in ways they may have been unable to do in a premise-based location with local networking controlling that access. Remote Access means a surge of uncontrolled endpoints, and SSL VPNs, subject to credential stuffing, password spraying, phishing, and new malware threats (89% of which have been linked to COVID-19 according to Carbon Black).

Walsh, who is also Chairman of a browser and web threat isolation software company, Isoolate, continued, “In the RTC cloud world, mobile applications lead to a wild, wild west and threw mobile device management and BYOD into a new realm, triggering massive security and compliance audits. The rise of collaboration platforms, from WebEx to Zoom, which allowed teams to continue to collaborate, led to phenomena like Zoom-bombing and the stealing and sharing of passwords.”

Media coverage of attacks spanned issues in the infrastructures of some of the world’s largest and most respected companies, including AWS and Azure cloud server takeovers.

“APIs are presenting another new challenge,” according to Walsh. “In our increasingly API-driven world, with so many great innovations, we’ve seen injection attacks and Authentication/Authorization weaknesses. Especially on mobile devices, extremely realistic malicious emails leading to fake websites are causing a tremendous amount of destruction. Mobile browsers are very attractive to bad actors, and because so much more is being done on smartphones, a trend that began long before the pandemic, this is an area of top priority for CISOs.”

Walsh also pointed out a largely hidden trend with respect to the surge in SIP traffic, which served to highlight the dangers of unprotected SIP networks. “A solid enterprise security posture today includes protection at the edge, in the network for data in motion, in the cloud for data at rest, and in the middle of Microsoft Teams or Zoom conferences, which these vendors are dealing with by investing in real-time detection of the problem, on-demand mitigation to optimize fraud protection, and extremely important edge device security solutions like browser and web isolation which can prevent a huge amount of damage by not allowing employees to see anything more than a rendered web page when they are browsing, blocking the links that open the door to not only one employee’s device, but to the corporate resources they have access to. A pivot attack can bring down services and can be used to exfiltrate confidential data, including vaccine science which we saw in the second half of 2020.”

Walsh says the good news is that RTC solutions are saving the economy, making it possible for people to work from home to keep businesses, essential systems, and entire economies going. “By understanding the entire threat landscape, including voice, video, and messaging vulnerabilities, and by putting the right security solutions in place, we are contributing to the come-back, while also preparing for future threats with more real-time intelligence built-in. We have to accept how profoundly sophisticated cybercriminals and state actors are today, how much money they are investing to steal information or hold businesses and governments hostage and fight back before we lose the new lifeblood of getting work done, remotely and constantly connected.”

Originally published on Internet Telephony