The OnSolve Breach: When Your Crisis Management Platform Is The Crisis


Introduction:

A cyberattack on OnSolve, a critical provider of emergency alert systems, disrupted nationwide public safety communications, revealing profound supply chain vulnerabilities. This incident underscores how trusted third-party vendors can become single points of failure, turning a crisis management solution into the crisis itself. The breach, linked to stolen corporate credentials, serves as a stark lesson in credential hygiene and third-party risk management.

Learning Objectives:

  • Understand the attack vector of stolen browser credentials and its impact on supply chain security.
  • Learn to harden authentication mechanisms and monitor for credential exposure.
  • Develop strategies for proactive third-party vendor risk assessment.

You Should Know:

1. The Anatomy of a Credential-Based Breach

The OnSolve breach reportedly began with malware that harvested browser-stored credentials from a Windows 10 Home system on September 27, 2024. These credentials provided initial access, which was then leveraged to move laterally into OnSolve’s critical infrastructure, including their GitLab, Okta, and internal Slack instances. The compromise of a single set of credentials can grant attackers a foothold into an entire corporate ecosystem.

Step 1: Credential Harvesting. Malware, such as an info-stealer like RedLine or Vidar, executes on a victim’s machine. It scans and extracts saved passwords, cookies, and session tokens from browsers like Chrome, Firefox, and Edge.
Step 2: Lateral Movement. Attackers use the stolen credentials to authenticate into corporate web portals (e.g., gitlab.dev.onsolve.com, onsolve.okta.com). Once inside, they seek to elevate privileges and access more sensitive systems.
Step 3: Operational Disruption. With control over key platforms, attackers can deploy ransomware, exfiltrate data, or, as in this case, disrupt critical services like national emergency alert systems.

2. Hardening Authentication Against Credential Theft

Relying on simple username/password combinations stored in browsers is a high-risk practice. Implementing multi-factor authentication (MFA) and moving towards passwordless solutions are critical defensive measures.

Step 1: Enforce Phishing-Resistant MFA. Mandate MFA on all administrative and external-facing accounts. Prefer FIDO2/WebAuthn security keys or certificate-based authentication over less secure SMS or push notifications, which can be bypassed.
Okta Admin Console: Navigate to `Security > Authenticators` to configure and enforce FIDO2 or Okta Verify for user sign-ins.
Step 2: Implement Conditional Access Policies. Use solutions like Microsoft Entra ID (Azure AD) or Okta to create policies that block sign-ins from non-compliant devices, unfamiliar locations, or untrusted networks.
Microsoft Entra ID Conditional Access Policy (PowerShell snippet to list existing policies and their enforcement state):

# Requires the Microsoft.Graph PowerShell SDK; sign in with read access to policies before querying
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Conditions

Step 3: Disable Browser Password Saving for Enterprises. Enforce a Group Policy Object (GPO) in Windows or a configuration profile on macOS to prevent browsers from saving passwords, forcing users toward enterprise-approved password managers.
Windows GPO Path: under `Computer Configuration > Administrative Templates > Google > Google Chrome`, the policy `Enable saving passwords to the password manager` (registry name `PasswordManagerEnabled`). Set to Disabled.

3. Proactive Dark Web and Credential Monitoring

The poster, Britton White, had data on the incident by October 15th, suggesting proactive intelligence gathering. Organizations must assume breach and actively hunt for their own exposed data.

Step 1: Subscribe to Credential Monitoring Services. Utilize services that continuously scan paste sites, criminal forums, and dark web marketplaces for your corporate email domains and credentials.
Step 2: Integrate IOCs into your SIEM. Consume threat intelligence feeds and integrate known Indicators of Compromise (IOCs) like the malicious IPs and URLs from the OnSolve breach into your Security Information and Event Management (SIEM) system for active blocking and alerting.

Splunk Search Query Example (conceptual):

index=firewall dest_ip IN ("malicious_ip_1", "malicious_ip_2") OR dest_domain IN ("malicious_domain_1", "malicious_domain_2")
| stats count by src_ip, dest_ip, dest_domain

Step 3: Regularly Audit Credential Exposure. Use scripts or tools to check if corporate credentials have been involved in known breaches.
Linux command against the Pwned Passwords range API (using `curl`, `sha1sum` and `grep`):

# Prompt for the password so it stays out of the shell history (read -s hides the echo)
read -rs -p "Password to check: " PW; echo
# k-anonymity: only the first 5 hex chars of the SHA-1 are sent; this endpoint needs no API key
PASSWORD_HASH=$(printf '%s' "$PW" | sha1sum | awk '{print $1}')
# Output "SUFFIX:count" means the password appears in known breaches; no output means not found
curl -s "https://api.pwnedpasswords.com/range/${PASSWORD_HASH:0:5}" | grep -i "^${PASSWORD_HASH:5:35}"
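The Splunk query in Step 2 is conceptual and matches only exact values. As an added example that is not from the original post, the Python below implements the same dest_ip/dest_domain IOC matching offline over constructed firewall log lines, using placeholder IOCs that are not indicators from the OnSolve incident, and goes a step further by also catching subdomains of an IOC domain and addresses inside an IOC CIDR range.

```python
import ipaddress
import re
from collections import Counter
# Constructed IOC list with placeholder values (not indicators from the OnSolve incident).
IOC_IPS = {"198.51.100.23"}
IOC_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
IOC_DOMAINS = {"stealer-c2.example"}
# Constructed firewall log lines in key=value form, standing in for the "firewall" index.
SAMPLE_LOGS = """\
src_ip=10.0.0.5 dest_ip=198.51.100.23 dest_domain=cdn.example.net action=allow
src_ip=10.0.0.7 dest_ip=203.0.113.77 dest_domain=- action=allow
src_ip=10.0.0.9 dest_ip=192.0.2.10 dest_domain=panel.stealer-c2.example action=allow
src_ip=10.0.0.9 dest_ip=192.0.2.11 dest_domain=notstealer-c2.example action=allow
src_ip=10.0.0.5 dest_ip=192.0.2.12 dest_domain=intranet.corp.example action=allow
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    # 'k=v k=v ...' to dict; fields missing from a line are simply absent
    return dict(KV_RE.findall(line))

def domain_matches(domain: str, iocs: set) -> bool:
    # Exact match or a true subdomain of an IOC; "notstealer-c2.example" must not match
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in iocs)

def ip_matches(ip: str) -> bool:
    # Exact IOC IP or membership in an IOC CIDR; non-IP values such as "-" never match
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ip in IOC_IPS or any(addr in net for net in IOC_CIDRS)

def find_hits(lines) -> list:
    # One (src_ip, dest_ip, dest_domain, reasons) tuple per line that touches an IOC
    hits = []
    for ev in (parse_line(ln) for ln in lines if ln.strip()):
        reasons = []
        if ip_matches(ev.get("dest_ip", "")):
            reasons.append("ioc_ip")
        if domain_matches(ev.get("dest_domain", ""), IOC_DOMAINS):
            reasons.append("ioc_domain")
        if reasons:
            hits.append((ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_domain"), reasons))
    return hits

def hits_by_source(lines) -> dict:
    # Equivalent of "| stats count by src_ip": number of IOC hits per internal host
    return dict(Counter(hit[0] for hit in find_hits(lines)))
```

Run `find_hits(SAMPLE_LOGS.splitlines())` to see the three flagged lines; the fourth sample line shows why a plain substring match on the domain would produce a false positive.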

4. Third-Party Vendor Security Assessment

The breach highlights “vendor-on-vendor” risk. A former OnSolve employee in a high-risk location was reportedly compromised by the same malware in 2023, indicating a potential pattern or insufficient internal security controls.

Step 1: Conduct Rigorous Pre-Contract Due Diligence. Before engaging a vendor, require them to complete a standardized security questionnaire (e.g., SIG Lite) and provide recent third-party audit reports like SOC 2 Type II.
Step 2: Contractually Mandate Security Controls. Ensure contracts include clauses for mandatory MFA, prompt breach notification (e.g., within 24 hours), and right-to-audit clauses.
Step 3: Continuous Monitoring of Vendor Risk. Don’t let the assessment be a one-time event. Use security ratings platforms (e.g., SecurityScorecard, BitSight) to continuously monitor your vendors’ external security posture.

5. Incident Response and Crisis Communication Planning

OnSolve’s failure to prevent the cascading effects on its clients’ emergency services was also a crisis communication failure. Your IR plan must account for third-party incidents.

Step 1: Develop a Comprehensive IR Playbook. Create specific playbooks for scenarios including “Third-Party Data Breach” and “Ransomware Attack.” These should outline roles, responsibilities, and communication protocols.
Step 2: Establish a Secure, Out-of-Band Communication Channel. If your primary email and chat systems are compromised, how will your IR team communicate? Establish a pre-defined method, such as a non-Slack messaging app or secure satellite phones for critical staff.
Step 3: Conduct Tabletop Exercises. Regularly run simulated attacks with executive leadership and the board. The scenario should include a key vendor being compromised and test your organization’s ability to maintain operations and communicate with stakeholders.

What Undercode Says:

  • The Supply Chain is Your Weakest Link. You are only as secure as your least secure vendor. A sophisticated internal security program can be completely negated by a third party with poor credential hygiene.
  • Credentials are the New Perimeter. The network perimeter has dissolved. The primary battlefront is now the identity and access management layer, where stolen cookies and passwords are the keys to the kingdom.

The OnSolve breach is not an isolated incident but a symptom of a systemic issue. The fact that a former employee was compromised by the same malware a year prior points to a potentially unresolved security gap or insufficient employee training. This wasn’t a sophisticated zero-day exploit; it was a fundamental failure in basic cyber hygiene that cascaded into a national security-adjacent event. It forces a re-evaluation of what “critical infrastructure” means in a digitally connected world, where a software provider can hold the keys to public safety.

Prediction:

The OnSolve breach will catalyze a regulatory shift towards stricter, legally enforceable software liability and third-party risk management frameworks for critical service providers. Governments and large enterprises will increasingly mandate independent, continuous security audits for vendors with access to critical systems. We will see a rapid decline in the acceptance of password-only authentication, accelerated by insurance providers who will refuse to underwrite policies for organizations that do not enforce phishing-resistant MFA. The era of trusting vendors on a handshake is over; the future is verifiable, evidence-based security.

Reported By: Activity 7399406197537259520 – Hackers Feeds