
What was the mechanism for exfiltrating FireEye's redhat tools in the recent SolarWinds hack? I understand it was via HTTP (small packets to many servers)? Are there any further details?

Is this a likely ongoing systemic threat, or can it be mitigated? If malware is active for long enough, can it split confidential data into small packets and post it via small HTTP requests to many IPs, 'slipping by' DLP?

I am assuming FireEye's DLP was about as good as you could reasonably expect.

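The concern raised in the question above (data dripped out in small HTTP requests to many destinations, each too small to trip a per-request DLP rule) is the kind of pattern that has to be caught by aggregation rather than by inspecting single requests. The following is an added detection example, not code from the question or the answer; it assumes a simplified proxy log format (timestamp, source host, method, destination IP, bytes sent) and uses a constructed sample log.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed proxy log (timestamp host method dest_ip bytes_sent), not real data:
    ws-042 drips 24 small POSTs to 24 distinct IPs in two minutes; ws-007 is normal."""
    base = datetime(2020, 12, 13, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} ws-042 POST 203.0.113.{10 + i} 900"
             for i in range(24)]
    lines += [f"{(base + timedelta(seconds=7 * i)).isoformat()} ws-007 POST 198.51.100.5 900"
              for i in range(3)]
    return "\n".join(lines)


def parse_line(line):
    ts, host, method, dst, sent = line.split()
    return datetime.fromisoformat(ts), host, method, dst, int(sent)


def find_low_and_slow(log_text, window=timedelta(minutes=5), max_req_bytes=1500,
                      min_dests=10, min_bytes=10_000):
    """Flag hosts whose small POSTs (each under max_req_bytes, so individually
    uninteresting to a per-request DLP rule) reach min_dests distinct destinations
    and min_bytes in total inside any sliding time window.
    Returns {host: (distinct_dests, total_bytes)} for the heaviest window per host."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, method, dst, sent = parse_line(line)
        if method == "POST" and sent <= max_req_bytes:
            events[host].append((ts, dst, sent))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            dests = {dst for _, dst, _ in win}
            total = sum(sent for _, _, sent in win)
            if len(dests) >= min_dests and total >= min_bytes and total > flagged.get(host, (0, 0))[1]:
                flagged[host] = (len(dests), total)
    return flagged


if __name__ == "__main__":
    print(find_low_and_slow(build_sample_log()))  # {'ws-042': (24, 21600)}
```

The thresholds are placeholders; in practice they would be tuned per environment, and the same aggregation works over a SIEM query instead of an in-memory sliding window.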

1 Answer

From what it seems, it was a nation-state attack in which SolarWinds was compromised and some of the codebase in certain listed products was trojanized, so that when customers patched and updated Orion in their environments they unknowingly introduced malicious code that could basically take control of network devices managed by the malicious, trojanized product. The C2C traffic was disguised (and highly evasive) as traffic related to the Orion Improvement Program (OIP). After this the attackers were able to engage with the target, perform reconnaissance and take advantage of other weaknesses within the environment to potentially try to exfiltrate data and maintain persistence. It was an attack that even used steganography. If FireEye hadn't caught it, it could have gone on much longer.

They have a really good article about it here, where they list detection opportunities:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

CISA issued this emergency directive: https://cyber.dhs.gov/ed/21-01/

Orgs running the vulnerable version need to shut down their Orion and rebuild their Orion and, in some cases, their net environment. Patching Orion to the updated level is not enough. Only through a rebuild, patching and credential changes can orgs get back to safety. Additional monitoring is wise.

FireEye published their Red Team tool countermeasures as a result and have made them available on GitHub: https://github.com/fireeye/red_team_tool_countermeasures

It is estimated that 18,000 customers were potentially affected by the incident, although not all of those were actively being targeted.