Just When You Thought it was Bad Enough: The SolarWinds Attack

This year has been … a wild ride to say the least. 2020 has packed more in its yearly trip around the sun than some decades. First, there were the fires in Australia, Brazil, and California. Then came March, and the collective realization that things were never going to be what they were, even after the pandemic. Oh, and there was a presidential election that left everyone on edge, ongoing racial, economic, and political turmoil, and even a Brexit deal (of sorts). In short, we’ve all seen some things.

But this crazy year still had a bit more crazy to give us, and so on December 13, FireEye disclosed one of the largest, most sophisticated global intrusion & espionage campaigns in modern history, the SolarWinds supply chain attack. The compromise, which has been initially attributed to APT 29 (Cozy Bear), Russia’s foreign intelligence service, has affected at least 200 organizations directly (and potentially affected thousands more) around the world. Details are still being uncovered by the day.

A Quick Overview of the Attack

On December 13, FireEye disclosed that it had been the victim of a supply chain attack via the SolarWinds Orion platform, used to monitor and manage IT health. Attackers used digitally-signed certificates issued from the SolarWinds website to install an infected update package masquerading as a legitimate Orion software update. Once the payload was installed, communication with third-party servers was established allowing for remote access by the attackers. Then the payload removed itself and restored legitimate update files. With remote access, the attackers were able to gain additional credentials and move laterally throughout the network against specific targets. Current timelines project that the attack has been ongoing since at least March 2020, with the initial exploit going back to October – November 2019.

SolarWinds Malware Infection Chain — Microsoft Defender Research Team

The initial disclosure noted that one of the payloads, SUNBURST, had been used to conduct espionage against victim sites, and leveraged multiple sophisticated techniques to evade detection, obscure activity, and maintain persistence. One of the more clever aspects was the use of local IPs and dynamically-generated hostnames that match the victim’s environment, making the attack even more difficult to detect. There’s also potentially a second attack vector, known as SUPERNOVA that is still being investigated, but may be piggybacking on the SUNBURST vulnerability.

The attack’s complexity and many-pronged approach is complicated, highly technical, and worth a deeper dive. We’ve compiled a list of great resources to read over to better understand how the attack works (and what mitigations can be taken).

• FireEye’s Bulletin on the SUNBURST backdoor to SolarWinds
• Microsoft Defender Research Team Analysis
• Krebs on Security – SolarWinds Hack Could Affect 18k Customers
• Customer Guidance on Recent Nation-State Cyber Attacks
• Maya Kaczorowski’s (@MayaKaczorowski) Observations on the SolarWinds Supply Chain Attack

Why Supply Chain Attacks Are Spreading

We’ve talked before about the risk of supply chain attacks. Senior Consultant Carey Lening has given a talk about the growth of supply chain attacks across numerous industries, including finance, the maritime sector and industries.

What makes these attacks so challenging, is that organizations have limited control over the security posture of downstream providers. Even a Zero Trust security model is unlikely to have stopped the SolarWinds attack, as the tool itself had privileged access to enterprise servers. And despite what opportunistic vendors may be claiming, no single tool or service can prevent this.

Unfortunately, the best solutions to mitigate against future SolarWinds-style attacks tend to require buy-in from the top, both in terms of cost and resources, but also a willingness to fundamentally change how security is practiced internally. In short, a defense-in-depth, mature security model that emphasizes:

• Thorough network and device hardening, as well as adherence to baseline best practices for security;
• Comprehensive visibility of system and network activities;
• Regularly sharing and updating threat data across industries, domains and tools;
• Timely review and actioning of relevant threat indicators, including temporal analysis of compromised devices to understand lateral movements;
• Isolation and prompt investigation of machines where known-bad file signatures have been detected;
• Identification of compromised (or likely compromised) accounts.

Additionally, standards bodies, government regulators, and big industry players (looking at you, Microsoft, Amazon, Google, Apple, etc.), also need to step up and begin to enforce industry-wide changes. As the Atlantic Council notes in their detailed report on supply chain attacks, ‘Breaking trust: Shades of crisis across an insecure software supply chain’, support for robust, widely-compatible secure standards and code practice is paramount. Improving open source libraries is also another critical component that will take a village.

Finally, there should also be an emphasis on holding vendors and third party providers to account for their own security practices (or lack thereof). While there’s no such thing as perfect security, in the case of SolarWinds, security was … not exactly a priority. By rewarding firms with dollars for lackluster security practice, it sends a message that security isn’t a critical concern, and increases the attack surface.

In short, we’re all in this together, and we need to start acting accordingly.