Is Oracle Database safe from the SolarWinds hack? For the past month, the tech world has been reeling from the news that a trojanized SolarWinds Orion update was used to compromise several of the most security-conscious organizations in the world. According to The Wall Street Journal, these include the United States Departments of Commerce and the Treasury, Deloitte, VMware, Cisco and Intel. With SolarWinds being so pervasive, I felt that our team at Performance Tuning Corporation should assess the risk the SolarWinds hack poses to our Oracle Database consulting clients.
The first point of focus was Oracle itself. How did Oracle respond to the SolarWinds hack?
In response to a request from eWeek, Deborah Hellinger, Oracle Vice President of Communications, stated:
“Oracle does not use any SolarWinds Orion product as part of any Oracle product or cloud service. Oracle has no deployed instances of affected SolarWinds product versions in its corporate network, and our investigations have found no suspicious activity or indications of compromise.”
So, Are All Oracle Databases Safe from the SolarWinds Hack?
No. Oracle the company was not running the affected Orion versions, but the SolarWinds hack is a direct threat to Oracle Database deployments and the data they manage. This attack, and others like it, give an intruder a trusted foothold inside the network from which their tooling can escalate privileges and move laterally through the organization. That lateral movement is a direct threat to critical systems, and the Oracle Database, as the place where the most valuable data sits, is a prime target.
While security teams have been tasked with keeping malicious actors out of our systems, too frequently they have not been empowered to use the tools Oracle provides to secure the Oracle Database itself. Oracle ships a rich set of them: Database Vault, which restricts what privileged accounts, DBAs included, can do with application data; Database Firewall, which monitors and blocks SQL before it reaches the database; and Transparent Data Encryption, which protects data at rest; as well as others. When configured and managed properly, these tools dramatically improve the security posture of Oracle Database and the data stored within it. SolarWinds is not an isolated incident, and we must accept that we are likely compromised already, or soon will be.
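To make the Database Vault point concrete, here is an added example of a realm that walls off an application schema from accounts that have picked up DBA-level privileges through lateral movement. This is example code written for this article, not code from the original post or from Oracle's documentation, and it assumes Database Vault is already enabled, that you are connected as a user holding the DV_OWNER role, and that the APP schema and the APP_READER account are hypothetical names you would replace with your own.

```sql
-- Added example (not from the original post): a Database Vault realm around
-- a hypothetical APP schema. Once it exists, an account that has obtained
-- DBA or SELECT ANY TABLE through lateral movement still cannot read the
-- application data unless it is explicitly authorized in the realm.
-- Assumes: Database Vault enabled; session holds DV_OWNER; APP and
-- APP_READER are hypothetical schema/account names.

-- 1. Confirm Database Vault is configured and enabled before relying on it.
--    Both DV_CONFIGURE_STATUS and DV_ENABLE_STATUS should report TRUE.
SELECT name, status FROM DBA_DV_STATUS;

-- 2. Create the realm. realm_type => 1 makes it a mandatory realm, which
--    blocks access through system privileges (SELECT ANY TABLE etc.) AND
--    through direct object grants. realm_type => 0 (regular) blocks only
--    the system-privilege path and leaves owners and direct grants alone.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP Data Realm',
    description   => 'Protects the APP schema from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit every blocked attempt
    realm_type    => 1);
END;
/

-- 3. Put every object in the APP schema inside the realm ('%' is a wildcard).
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Data Realm',
    object_owner => 'APP',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 4. Authorize only the accounts that legitimately need the data. Nobody
--    else, SYS and DBA-role holders included, can read or change it.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP Data Realm',
    grantee       => 'APP_READER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 5. Check what the realm covers and who is authorized. Review the second
--    query regularly: an unexpected grantee here is exactly the kind of
--    change an intruder with DV_OWNER would make.
SELECT r.name, r.enabled, r.realm_type, o.owner, o.object_name, o.object_type
  FROM DBA_DV_REALM r
  JOIN DBA_DV_REALM_OBJECT o ON o.realm_name = r.name
 WHERE r.name = 'APP Data Realm';

SELECT realm_name, grantee, auth_options
  FROM DBA_DV_REALM_AUTH
 WHERE realm_name = 'APP Data Realm';

-- 6. Test from a DBA account that is NOT a realm participant:
--      SELECT COUNT(*) FROM app.customers;
--    now fails with ORA-01031: insufficient privileges, and the attempt is
--    recorded in the Database Vault audit trail. The same statement run as
--    APP_READER succeeds.
```

The design choice worth noting is step 4: a realm is only as strong as its authorization list, so keep it short, grant participants rather than owners, and treat any change to DBA_DV_REALM_AUTH as a security event rather than routine administration.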
The SolarWinds Orion hack is large and impactful, but it is only one example of the risk we all face. To understand why, we should look at the attribution of the activity as well as the timeline. The resources behind this most public exploit, presumed to be Russia's SVR, also tracked as APT29 and Cozy Bear, are effectively bottomless. The resulting damage? According to an article in ZDNet, "The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents." This is not the only attack of this scale in progress, nor the only state-sponsored group developing these sophisticated approaches. In fact, on Dec 18th, 2020, CISA released alert AA20-352A, in which they indicate that initial access vectors other than SolarWinds Orion have been documented and are under further analysis. Just as concerning is the amount of time that this exploit, and, we can surmise, others like it, remained active before discovery.
According to several reports, SolarWinds has traced the initial compromise to files distributed in October 2019 as a dry run. Five months later, the attack was weaponized and delivered to SolarWinds customers in Orion updates released between March 20th and June 20th of 2020. While the world was focused on the COVID-19 pandemic, Russia was deploying an incredibly significant attack on as many as 18,000 SolarWinds customers. Palo Alto Networks has provided an excellent graphic of the timeline here.
In short, the SolarWinds hack went from tested to live in five months, was deployed over three months, and was active for nine months before its discovery by the NSA, FireEye and SolarWinds in December 2020.
I felt that describing the scope and timeline of the attack was critical to understanding that, as a class of attack, the SolarWinds hack is a direct threat to the Oracle Database. Accepting that there is a threat is the first step in overcoming it. I hope the information provided helps some companies accept the potential for harm and take steps to address the gaps in their current Oracle Database security posture.