Cyber-Attack Briefing: The SolarWinds Compromise is a Wake-up Call
Written by Paul D. Robertson, Weston Hecker
Fitting for a tumultuous year, 2020 is coming to an end with a notable event in cyberspace: a massive cyber-attack.
What began as a nation-state hack of a leading IT cybersecurity firm, FireEye, has since unfolded into a massive cyber-attack hitting various parts of the U.S. government and private sector industries. And many believe this is just the tip of the iceberg as more is discovered and revealed about the SolarWinds supply chain attack.
Let there be no mistake; SolarWinds and its customers are victims of this attack. But the current climate of almost unlimited cyber warfare is the true root problem here, and it should serve as a wake-up call across digital and physical realms.
Defining the SolarWinds Cyber-attack: A Supply Chain APT
Before getting into the details of the SolarWinds Orion attack, a contextual review illuminates the nature and extent of this massive hack.
TechTarget defines an advanced persistent threat (APT) as “a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.”
APT attacks usually require significant effort and resources and are, therefore, typically carried out by a nation-state or state-sponsored organization. Accordingly, APT groups are generally named and numbered, with the number assigned sequentially in order of discovery and the name hinting at the country of origin. For example, “bear” denotes Russian-originating APT groups, while “dragon” indicates a Chinese origin.
Nation-state-backed groups, possessing significant monetary and technical resources, may maintain a presence on a compromised network for years before using it for malice. In 2018, “an extended period” equated to a mean time of 71 days in the Americas, 177 days in Europe, the Middle East, and Africa (EMEA), and 204 days in the Asia-Pacific (APAC).
Lastly, the “supply chain” in software includes developer workstations, third-party software libraries, compilers, code repositories, quality assurance environments, distribution servers, and all the networks connecting them, just as the “supply chain” extends from the factory floor to warehouses and distribution centers for physical goods.
In the case of this attack, early attribution links it to APT29, also known as CozyBear, a Russia-based cyber-attack group. But it is still early, and there are rarely definitive answers in attribution.
Digging into a Nation-state Cyber-attack
While information on the attack continues to emerge, the Mission Secure team of cybersecurity experts, ethical hackers, and control systems veterans reviewed and compiled the following credible details on the SolarWinds Orion attack.
The SolarWinds Orion product was successfully compromised from versions 2019.4 through 2020.2.1, released between March and June 2020. The compromised Orion product contained a strain of malware named SUNBURST (also known as Solorigate). While these updates required manual installation, they were available for long enough that many regulatory frameworks would force their installation.
The updates were signed by SolarWinds’ code signing key, suggesting either:
• a compromise of the signing key, or
• the compromised content was added prior to signing and went undetected.
Most researchers point to a compromised code signing key as a part of this event. Many development organizations automate these types of processes, leaving keys online as a part of that automation. Adversaries who reach that automation can then abuse the signing certificates directly and work further back into the software supply chain.
SolarWinds filed an 8-K with the U.S. Securities and Exchange Commission (SEC), stating they’d notified all Orion customers with active maintenance contracts (approximately 33,000 organizations) of the breach. SolarWinds estimates fewer than 18,000 customers were affected.
Note: It is also clear from the SEC filing that SolarWinds suffered an email compromise through Microsoft Office 365. Business Email Compromise (BEC) continues to be a significant attack vector for both APT and criminal groups. In 2019, an FBI-issued Public Service Announcement stated that BEC had cost victims $26 billion.
The attackers added malicious code into a SolarWinds library named SolarWinds.Orion.Core.BusinessLayer.dll in three versions of the Orion Platform software: 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 hotfix 1. During the installation of the SolarWinds application or update, the tampered DLL file was loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe and installed as a Windows service.
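The two preceding points, that a valid vendor signature is not by itself proof of a clean build and that the tampered library carries a specific file name, together suggest the first check a defender runs: inventory every copy of that DLL and classify it by content hash rather than by signature status. The script below is an added example, not code from the Mission Secure post or from SolarWinds. The hash sets are placeholders filled from a constructed sample tree so it runs offline; in practice, populate them from your threat-intelligence feed and the vendor's published hashes for clean builds. It goes slightly beyond the text by adding a third verdict, UNKNOWN, for a correctly named file whose hash is in neither list, which is the case that most needs a human look.

```python
"""Added example (not from the Mission Secure post): sweep a directory tree for
the Orion business-layer DLL and classify each copy by SHA-256.

KNOWN_BAD / KNOWN_GOOD below are derived from constructed sample files so the
demo is self-contained; they are NOT real SUNBURST or vendor hashes."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

TARGET_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"  # library named in the briefing


def sha256_of(path: Path) -> str:
    """Stream the file so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, known_bad: set, known_good: set) -> str:
    """Hash-based verdict; a valid Authenticode signature is deliberately not consulted."""
    if digest in known_bad:
        return "COMPROMISED"
    if digest in known_good:
        return "clean"
    return "UNKNOWN"  # right name, hash in neither list: treat as suspect until verified


def sweep(root: Path, known_bad: set, known_good: set) -> list:
    """Return (path, sha256, verdict) for every file named TARGET_NAME under root.
    The name match is case-insensitive because NTFS is."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_NAME.lower():
                p = Path(dirpath) / name
                d = sha256_of(p)
                findings.append((str(p), d, classify(d, known_bad, known_good)))
    return findings


def build_demo_tree() -> tuple:
    """Constructed sample: three hosts' program directories collected under one root.
    Returns (root, known_bad, known_good)."""
    root = Path(tempfile.mkdtemp(prefix="orion_sweep_"))
    samples = {
        "hostA/SolarWinds/Orion": b"CONSTRUCTED clean build\n",
        "hostB/SolarWinds/Orion": b"CONSTRUCTED trojanised build\n",
        "hostC/SolarWinds/Orion": b"CONSTRUCTED build of unknown provenance\n",
    }
    digests = {}
    for rel, content in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        f = d / TARGET_NAME
        f.write_bytes(content)
        digests[rel] = sha256_of(f)
    # Placeholder lists built from the constructed files above.
    known_good = {digests["hostA/SolarWinds/Orion"]}
    known_bad = {digests["hostB/SolarWinds/Orion"]}
    return root, known_bad, known_good


def demo_verdicts() -> dict:
    """Run the sweep over the constructed tree and map host name -> verdict."""
    root, bad, good = build_demo_tree()
    try:
        # path is <root>/<host>/SolarWinds/Orion/<dll>, so the host is parts[-4]
        return {Path(p).parts[-4]: v for p, _, v in sweep(root, bad, good)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for host, verdict in sorted(demo_verdicts().items()):
        print(f"{host}: {verdict}")
```

Run against a real estate by pointing `sweep()` at the mounted program directories (or at collected copies of them) and feeding it the two hash sets; anything reported as COMPROMISED or UNKNOWN is a host that goes into the rebuild queue described in the note that follows.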
Mission Secure researchers, in collaboration with security researchers at other leading companies, have analyzed the install files and media for Solarwinds-Orion-Hotfix-2020.2.1, one of the compromised versions approved for production. This version of the software has received hundreds of hours of security analysis.
Note: Customers should wipe old systems and do a fresh installation after changing any Security Identifiers (SIDs) on infected systems and changing all passwords on network gear and the servers that the software was originally loaded on.
After analyzing infected virtual machine (VM) OVA images, the instances that were breached had Indicators of Compromise (IoCs), including the DLL file that is now flagged in most databases. In some cases, the DLL had been removed from machines proven to have been exploited.
It appears the first wave targeted more than one hundred companies. The second wave, which subsequently led to the attack’s identification, focused on smaller companies and medium to large enterprises.
Note: The first wave of compromises occurred in June 2020.
The malware and payloads of the exploit are equipped with sandbox evasion and remain dormant for up to two weeks before invoking remote payloads. The command and control (C2) communication is all web-based, using back channels of other compromised companies to appear as legitimate traffic. Typically, such waiting periods are designed to avoid detection during testing phases.
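Because the C2 traffic rides on ordinary web channels and on other compromised organizations’ infrastructure, destination reputation alone is a weak signal; what stands out in telemetry is the pairing of the Orion service host process with a destination the product has no business talking to, first appearing roughly two weeks after the update was installed. The following is an added example, not from the post, of that detection over proxy logs. The two process names are the ones given in the briefing; the log format, host names, install dates, destinations and the vendor allowlist are all constructed or assumed for the demo.

```python
"""Added example (not from the Mission Secure post): flag outbound web requests
made by the Orion service host process to non-allowlisted destinations and report
how many days after install each destination first appeared.

Log lines, host names, install dates and destinations are CONSTRUCTED; the
allowlist is an assumed placeholder, not the vendor's real endpoint list."""
from collections import defaultdict
from datetime import datetime, timezone

# Process names from the briefing; compared case-insensitively.
ORION_HOSTS = {"solarwinds.businesslayerhost.exe", "solarwinds.businesslayerhostx64.exe"}

# Assumed placeholder for destinations the product legitimately contacts.
VENDOR_ALLOWLIST = {"updates.vendor.example"}

# Constructed: when the compromised hotfix was applied on each monitored host.
INSTALL_DATES = {
    "orion-01": "2020-06-02T09:00:00Z",
    "orion-02": "2020-06-02T09:00:00Z",
}

# Constructed proxy log: one request per line, key=value fields after the timestamp.
PROXY_LOG = """\
2020-06-02T09:05:10Z host=orion-01 proc=SolarWinds.BusinessLayerHost.exe dst=updates.vendor.example status=200
2020-06-03T11:20:00Z host=orion-02 proc=SolarWinds.BusinessLayerHostx64.exe dst=updates.vendor.example status=200
2020-06-10T08:00:00Z host=orion-01 proc=chrome.exe dst=news.example status=200
2020-06-16T14:31:05Z host=orion-01 proc=SolarWinds.BusinessLayerHost.exe dst=api.partner-cdn.example status=200
2020-06-17T02:12:44Z host=orion-01 proc=SolarWinds.BusinessLayerHost.exe dst=api.partner-cdn.example status=200
2020-06-18T03:00:00Z host=orion-02 proc=SolarWinds.BusinessLayerHostx64.exe dst=updates.vendor.example status=200
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict with a parsed 'ts' field."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = parse_ts(ts)
    return fields


def find_suspect_beacons(log_text: str, install_dates: dict, allowlist: set) -> dict:
    """Return {host: [(dst, days_after_install, hit_count), ...]} for requests made
    by an Orion host process to destinations outside the allowlist.
    days_after_install is None when the host's install date is unknown."""
    first_seen = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["proc"].lower() not in ORION_HOSTS or f["dst"] in allowlist:
            continue
        key = (f["host"], f["dst"])
        first_seen.setdefault(key, f["ts"])  # keep the earliest sighting
        counts[key] += 1

    report = defaultdict(list)
    for (host, dst), ts in first_seen.items():
        installed = install_dates.get(host)
        days = (ts - parse_ts(installed)).days if installed else None
        report[host].append((dst, days, counts[(host, dst)]))
    return dict(report)


if __name__ == "__main__":
    for host, hits in find_suspect_beacons(PROXY_LOG, INSTALL_DATES, VENDOR_ALLOWLIST).items():
        for dst, days, n in hits:
            print(f"{host}: {dst} first seen {days} days after install, {n} request(s)")
```

In the constructed data only orion-01 is reported: its service host began contacting a destination outside the allowlist 14 days after the update went in, matching the dormancy window the briefing describes, while the browser traffic on the same host and the vendor-bound traffic on orion-02 are ignored. Tune the allowlist from a known-clean host before trusting the output, and treat the days-after-install figure as triage context rather than a rule threshold.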
The breach was initially discovered by SolarWinds’ customer, FireEye, who quickly reported the issue through appropriate channels. FireEye also went public with their breach details and tools to detect both their own stolen assessment tools and the compromised SolarWinds products. The breached U.S. government entities – some of whom advocate transparency in company security breaches – have been much less forthcoming.
The SolarWinds Compromise: A Wake-up Call
Following the discovery of the SolarWinds cyber-attack, the U.S. Department of Homeland Security took the unprecedented step of ordering all agencies under its purview to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.”
In addition to the BEC compromise, the FTP credentials for at least one SolarWinds account have subsequently been discovered on the internet. And at least one discoverer admits to successfully uploading content using these credentials. Mission Secure researchers see either email or the FTP credentials as the initiator of the attack chain – both are credible attack vectors. Based on the information currently available, an FTP attack vector should reasonably have been found and neutralized through corporate security programs, processes, and procedures. An email attack vector, however, is clearly more difficult to manage and requires significant resources, especially in these current remote work times.
While notable from various perspectives, the current cyber-attack reminds one of the 2016 TeamViewer attack – which potentially compromised all of their customers and was attributed to APT41. And as such, the world will continue to see large-scale APT cyber-attacks targeting high-value infrastructure organizations. Why? Because the return on investment for these adversaries is enormously high.
More importantly, these successful cyber-attacks continue to demonstrate the fragility and insecurity of today’s digital world. Once inside the perimeter firewall in a network often lacking fine-grained access control and micro-segmentation, point security solutions are simply insufficient for protecting an organization’s most critical assets from today’s cyber adversaries and threats. Cybersecurity needs to be a top priority, and organizations need to step up their game. Adversaries aren’t waiting, and they’re clearly working on theirs.
Originally published December 17, 2020, updated January 27, 2021.