Solarwinds — Attack December 2020
Devastating attack on Solarwinds in 2020, resulted into largest breaches that occurred. When I asked people, they knew only the fact, that attack was a supply chain attack, which had exploit incorporated in updates. Let’s dig deeper and know few more things.
Let’s go through some terminology before we end up into summarizing things.
SolarWinds Inc : is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure.
Supply Chain Attack : A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. “a chain is no stronger than its weakest link”, consider chain to be the Security chain of an organization.
SolarWinds Orion: is an IT performance management and monitoring platform that helps businesses manage and optimize their IT infrastructure.
Which part of Supply Chain was targeted ? The updates scheduled by ORION , had the malware deployed in them. The updates were released from legitimate SolarWinds’ Server and were even digitally signed by a valid digital certificate bearing SolarWinds’ name.
This was a state-backed APT (Advanced Persistent Threat) which will remain on target for longer period of time. The certificate was not the one which was compromised, instead the TROJAN was actually deployed through SolarWinds own distribution channels and hence certificate was legitimate and belonged to SolarWinds itself.
- The attack was transmission of Trojan — The malware hiding as an update.
- Changes were made in source code, where updates were written.
- Malware called Sunspot watched the build server for build commands and silently replaced source code files inside the Orion app with files that loaded the Sunburst malware.
- The malware transferred was SUNBURST — A Trojan.
- SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers.
- After the Trojan got installed on system, it started performing some JOBs, like writing files,transfer files, executing files,reboot the machine,disable system services etc.
- There was full visibility into the ORION update server.
- The FTP Credentials were exposed on Github, in the code available, which become source of attack for hackers.
- The password used for Update server was Solarwinds123, well what else can be said.
- Solarwinds asked the customers to disable their anti-virus for smooth update transfers.
- The TEARDROP was used to set up Cobalt Strike beacon in background.
Definitely in this case, updating the software is not the solution. Because Update was the exploit. Update from signed authorities is also not the solution as , update was already signed by Solarwinds server. You can not go for large code reviews, especially the one’s which are proprietary like Solarwinds. Thus what can you do is ???
a. Verify the builds before sending for updates.
b. Try to do a secure development and check for code in which changes are made, by some vulnerability scanning tool.
c. Harden the environment on which software build is published. Please don’t disclose your creds on github, please!!!!
d. Might be harder, but always keep antivirus on for detection.
If already under attack
The Incident Response Management Cycle should start asap.
- Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
If SolarWinds infrastructure is not isolated, consider taking the following steps:
- Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
- Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
- Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
- If SolarWinds is used to managed networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
If you want to get indepth details of how the malware worked, what functions it used and performed, also what MITRE ATT&CK mapping it has, you can visit Fireeye’s blog on solarwinds exploit.
Hopefully the summary helped in joining few points.