The SolarWinds Hack and The Arrival of Software Supply Chain Attacks

Request a quote
18 Dec, 2020

The SolarWinds Hack and The Arrival of Software Supply Chain Attacks

As the breach at network management software firm SolarWinds is still unfolding, the company has revealed in a December 14th filing with the U.S. Securities and Exchange Commission (SEC) that it may have resulted in malicious code being pushed to nearly 18,000 customers.

Figure: Supply Chain Attacks
Figure: Supply Chain Attacks

SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates for its Orion platform, a suite of products widely used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks.

The incident highlights the impact that software supply chain attacks can have as well as the fact that most organizations are highly unprepared to detect and prevent such attacks.

How It Happened

The breach was disclosed by SolarWinds five days after cybersecurity incident response firm FireEye announced it had suffered an intrusion. According to FireEye’s blog post, hackers gained access to numerous public and private organizations through updates to SolarWinds’ Orion software containing a trojanized component.

Alarmingly, it seems that the attack may have been the culmination of a long campaign that is believed to have started as early as March 2020 and remained undetected until now.

The Impact

SolarWinds on its website stated that its customers included 425 of the US Fortune 500, the top five US accounting firms, all US Military branches, the Pentagon, the State Department, the top ten US telecommunications companies, besides hundreds of universities and colleges worldwide.

The extent of the attack, which is still being determined, and the nature of the victims indicate the possible involvement of state actors.

While no specific group has claimed responsibility for the attack, it is being attributed to a Russian group known as APT29 in media reports. The group in the past has hacked for traditional espionage purposes; group members have stolen industrial secrets, hacked foreign ministries, and more recently have attempted to steal coronavirus vaccine research. Given the widespread impact and long list of high-profile victims, this latest attack easily constitutes one of the most impactful cybersecurity incidents of 2020.

A Highly Sophisticated Attack

The hackers involved employed highly sophisticated methods, including various techniques to disguise their footprint while moving laterally to adjacent systems after gaining an initial foothold on their targets. In keeping with this, they also seem to maintain a light malware footprint, instead preferring legitimate credentials and remote access into environments belonging to authorised users, making their actions difficult to distinguish from legitimate activity. The hackers also used IP addresses located in the victim’s country to circumvent detection by systems designed to detect suspicious incoming traffic from international IP address ranges.

The software build for SolarWind’s Orion software versions 2019.4 HF 5 through to 2020.2 HF 1, released between March 20th, and June 20th of this year, might have contained a trojanized component.
The component compromised by the hackers, a plugin for the Orion platform called SolarWinds.Orion.Core.BusinessLayer.dll, was pushed to victims via a software update. The component was digitally signed and appeared legitimate but contained a backdoor that connects back to a command and control (C&C) server controlled by the attackers.

After remaining dormant for up to two weeks, the malware retrieves and executes commands from the C&C server, capable of stealing files, uploading and executing other malware, profiling or rebooting the infected system, or disabling running system services. Traffic to and from the C&C server hides from intrusion detection measures by disguising itself within Orion’s own networking protocol and using legitimate Orion configuration files as storage. The backdoor is also capable of detecting installed software countermeasures such as antivirus software.

Once the backdoor is installed on a victim’s system, it is then used to implant a malware “dropper” (a program capable of loading additional malware onto the system) that loads and executes directly in memory, leaving no traces on disk. Attackers also used temporary file replacement techniques to disguise the remote execution of their tools, thereby avoiding detection.

What Lies Ahead

Software supply-chain attacks are not new and are, in fact, difficult to prevent as they take advantage of trust between vendors and customers as well as machine-to-machine communication channels. Software update mechanisms are thereby inherently trusted by users.

Security researchers at Kaspersky Lab in 2017 uncovered an attack by an APT group dubbed Winnti. The attack involved breaking into the infrastructure of NetSarang, a company that makes server management software, allowing them to distribute trojanized versions of the product that were signed with the company’s legitimate digital certificate. That same group later breached the development infrastructure of Avast subsidiary CCleaner and distributed trojanized versions of the program to over 2.2 million users. Last year, attackers hijacked the update infrastructure of computer manufacturer ASUSTeK Computer and distributed malicious versions of the ASUS Live Update Utility to users.

As organizations embrace technology to drive growth, they struggle to detect and prevent such attacks despite investing millions of dollars in cyber-defense. As the cyberattacks keep growing both in terms of volume and sophistication, there is no one way to get your defenses right; however, it is imperative that they are tested more frequently, if not continuously.

As BreachLock Founder and CEO Seemant Sehgal underscored in a recent televised interview that “The problem with cybersecurity is not that we are not investing enough, it is in fact that we are not testing enough to see that the defences are actually working.”

 

References