This week’s cybersecurity news has been dominated by one event: the SolarWinds supply chain attack. On Sunday, the Washington Post published an article detailing who is possibly behind the attack, a sentiment echoed in a New York Times article published the same day. While the finger-pointing has begun in earnest and will be covered in more detail below, how the attack was carried out will be of interest to many in the InfoSec community.
Details of the attack are still emerging, and will likely keep emerging for some time, but a summary of the attack is needed before looking at how it was done. On Monday, December 14, 2020, the US government ordered several emergency measures to recover from potentially the most sophisticated cyber incident to occur in years. The attack used compromised software updates to gain access to potentially thousands of private and public enterprises. Based on initial reports and admissions, the attack was enabled when hackers managed to insert malicious code into software updates for SolarWinds’ Orion product. Orion is used by some 275,000 customers worldwide, including Fortune 500 companies and US government agencies. The compromised updates were released in March and June of this year, meaning some victims may have been compromised for nine months.
Attacks like this are termed supply chain attacks: a threat actor compromises a third party, in this case SolarWinds, and inserts malicious code into that third party’s product to compromise the victims who use it. Another example was the campaign distributing NotPetya, where the attackers inserted malicious code into a popular accounting package’s software update.
As to who may have been impacted by the compromised Orion update, SolarWinds believes no more than 18,000 public and private organizations may have been affected, as that is the portion of Orion’s user base that downloaded the update. Security firm FireEye revealed that it had been impacted by the attack but believed that no important client information was compromised. The attackers did manage to get tools used by the company’s Red Team, the employees hired to test the security of companies. As for public organizations, the Treasury Department and certain bureaus of the Commerce Department had been impacted.
One important consideration still firmly within the realm of the unknown is how SolarWinds was compromised in the first place. Several theories have emerged, involving either a weakness in the company's cybersecurity posture or hackers gaining access to SolarWinds via one of its clients. Another unknown is the exact number of those impacted. No major corporations have admitted to being compromised other than FireEye and the two US government departments. Experts believe the number could be far higher, as once one victim was compromised by the malicious software update, malware could have spread to other organizations that share data with it.
For many, who the guilty party is remains the primary concern. However, the dark underbelly of the Internet makes proving who was responsible beyond a shadow of a doubt incredibly difficult. That does not mean it is impossible, but when attacks happen or are publicly disclosed, the limited information available does not stop some from speculating. That said, the sophistication and skill needed to carry out an attack like the one detailed above does narrow down who could have carried it out. Both the New York Times and Washington Post articles mentioned above lay the blame squarely on Russian state-sponsored hackers. Citing experts, both articles stated that APT 29, also known as Cozy Bear, is behind the attack. It does fit the group's modus operandi, and the group is known to be supported in its actions by the Russian Government.
If this proves to be fact, then it will show that 2020 has ended as a busy year for Russian state-sponsored groups. APT28 has been accused of hacking the Norwegian parliament, and security firms have detected significant changes in the group's tactics and in how its malware is distributed. Experts are further of the opinion that the attack was carried out for cyberespionage rather than financial gain, the latter being typical of hackers not affiliated with a government, though not always, as North Korea has proven in the past. Russian officials have denied involvement in the attack, but this is now standard practice for Russian officials, who also denied involvement in the Norwegian parliament hack.
Much work still needs to be done to prove APT 29 was behind the incident. Given that the US government has issued emergency orders regarding the incident, evidence proving their involvement may come soon. For those tasked with defending networks, this may be of little comfort given the nature of the attack. Supply chain attacks are notoriously hard to defend against, as they result from doing exactly what a third-party vendor requires: updating software, not only to upgrade the product but to prevent the software being exploited by hackers. With other attacks, the user is often required to download malware or hand over their login credentials; the tricks used to achieve this are cunning, and even the wariest can fall for them. Supply chain attacks only require someone to install the update provided by a trusted company.
FireEye has already published an analysis of the malware distributed via the compromised update. Researchers have called the malware Sunburst, and it can best be described as a backdoor trojan. The analysis goes into great depth, and many of the more technical details are beyond the scope of this article. However, what is interesting is that the malware exemplifies the patience of the attackers. Once executed, it remains dormant for up to two weeks, helping it avoid detection, before it starts retrieving and executing commands. Researchers noted,
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
Researchers have discovered several trojanised updates, the earliest dating back to March when the compromised Orion update was first made available. Another interesting feature is that the malware’s communication with its command-and-control server is designed to mimic SolarWinds API communication, yet another feature making detection harder and highlighting the campaign's espionage purpose. Researchers further noted,
“The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications.”
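The DNS behaviour described in that excerpt gives defenders a concrete thing to look for in resolver logs: any lookup of a subdomain of avsvmcloud[.]com, and the CNAME returned for it. The following is an added example, not code from the article or from FireEye; the log line format, the client addresses, the subdomain and the CNAME target are all constructed placeholders, and only the avsvmcloud.com domain itself comes from the quoted analysis.

```python
"""Flag DNS lookups for avsvmcloud[.]com subdomains in resolver logs.

Added example, not code from the article or from FireEye. It reads resolver
log lines, keeps every query whose name is avsvmcloud.com or a subdomain of it
(the domain named in the FireEye analysis quoted above), and records the CNAME
target returned, since that CNAME is what points at the C2 domain. The log
format and the sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List

# Domain named in the FireEye analysis quoted in the article.
WATCHED_DOMAIN = "avsvmcloud.com"

# Constructed log format: "<timestamp> <client-ip> <qname> <qtype> <answer>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    cname_target: str  # empty when the answer was not a CNAME record


def is_under(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it.

    Case-insensitive, trailing dot tolerated. The "." + domain suffix check
    keeps look-alikes such as evil-avsvmcloud.com from matching.
    """
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that queried the watched domain."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname, qtype, answer = m.groups()
        if not is_under(qname, WATCHED_DOMAIN):
            continue
        target = answer.rstrip(".") if qtype.upper() == "CNAME" else ""
        hits.append(Hit(ts, client, qname.lower().rstrip("."), target))
    return hits


def clients_to_isolate(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that queried the domain, in first-seen order."""
    seen: List[str] = []
    for h in hits:
        if h.client not in seen:
            seen.append(h.client)
    return seen


# Constructed sample log; hosts, addresses and the CNAME target are placeholders.
SAMPLE_LOG = [
    "2020-12-14T03:12:01Z 10.0.5.20 updates.example.com A 192.0.2.5",
    "2020-12-14T03:12:09Z 10.0.5.20 a1b2c3.placeholder.avsvmcloud.com CNAME c2-placeholder.example.net.",
    "2020-12-14T03:40:44Z 10.0.5.21 evil-avsvmcloud.com A 192.0.2.10",
    "2020-12-14T04:01:00Z 10.0.5.22 AVSVMCLOUD.COM. A 192.0.2.11",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients to isolate:", clients_to_isolate(found))
```

Running it over the constructed sample flags the two hosts that resolved names under the domain and ignores the look-alike name, the benign lookup and the malformed line. The suffix check is deliberate: a naive substring match on "avsvmcloud.com" would both miss nothing and match too much, and the resulting client list is what feeds the isolation step the mitigation advice below calls for.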
Experts have suggested several steps Orion users can take to help mitigate the attack or prevent further compromise via the same channels. They advise:
- Ensure that SolarWinds servers are isolated/contained until a further review and investigation are conducted. This should include blocking all Internet egress from SolarWinds servers.
- Restrict the scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets.
- Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
- Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure. Based on further review/investigation, additional remediation measures may be required.
- If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
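The last step, reviewing network device configurations for unexpected modifications, is easiest when a known-good baseline was saved before the compromised update window. The script below is an added example supporting that step; it is not code from the article or from any vendor tool. It normalizes a saved baseline and a freshly pulled configuration, ignores header lines that legitimately change on every save, fingerprints both, and reports the exact lines added or removed. The two configurations are constructed, and the "!" comment style and the volatile header prefixes are assumptions to adjust for the device family in use.

```python
"""Review network device configurations against a stored baseline.

Added example supporting the last mitigation step; it is not code from the
article or from any vendor tool. The baseline and current configurations are
constructed; the '!' comment style and the volatile header prefixes are
assumptions to adjust for the device family in use.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import List

# Header lines that legitimately change on every save (assumed syntax).
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated")


def normalize(config_text: str) -> List[str]:
    """Drop blank and volatile lines and trailing whitespace; keep order and indent."""
    lines: List[str] = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines


def fingerprint(lines: List[str]) -> str:
    """SHA-256 over the normalized configuration, for a quick equality check."""
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


@dataclass
class DriftReport:
    changed: bool
    baseline_hash: str
    current_hash: str
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    diff: str = ""


def review_config(baseline_text: str, current_text: str) -> DriftReport:
    """Compare current against baseline and list every added and removed line."""
    base, cur = normalize(baseline_text), normalize(current_text)
    base_hash, cur_hash = fingerprint(base), fingerprint(cur)
    if base_hash == cur_hash:
        return DriftReport(False, base_hash, cur_hash)
    diff = list(difflib.unified_diff(base, cur, "baseline", "current", lineterm=""))
    body = diff[2:]  # skip the "--- baseline" / "+++ current" header lines
    added = [l[1:] for l in body if l.startswith("+")]
    removed = [l[1:] for l in body if l.startswith("-")]
    return DriftReport(True, base_hash, cur_hash, added, removed, "\n".join(diff))


# Constructed baseline, as saved before the compromised update window.
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Nov 2 2020
hostname core-sw1
ip access-list standard MGMT
 permit 10.0.5.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Constructed current config: an extra management source was permitted and the
# vty access-class was dropped. Only the header timestamp is expected to differ.
CURRENT = """\
! Last configuration change at 03:15:42 UTC Mon Dec 14 2020
hostname core-sw1
ip access-list standard MGMT
 permit 10.0.5.0 0.0.0.255
 permit 198.51.100.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    report = review_config(BASELINE, CURRENT)
    print("changed:", report.changed)
    print(report.diff)
```

On the constructed input the report shows one added line (a new permitted management source) and one removed line (the access-class that restricted vty logins), while a re-saved baseline whose only difference is the header timestamp compares as unchanged. The baseline hashes should be stored somewhere the management server cannot write to, since the point of the review is to catch changes made through that server.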