As most organizations are still reeling under pressures inflicted by the ongoing pandemic, the last thing that one wanted to be gifted with as parting gift of 2020 was a massive cyber attack just as we were crawling into year 2021.
But, the recent Sunburst supply chain attack caused by third party Network Management Software ( ‘Orion’) from SolarWinds has not only compromised high profile US agencies such as Treasury Department, Department of Commerce and others but, possibly, as many as 18,000 organizations – who form part of SolarWinds customer base worldwide. It is not that supply chain attacks have not been on the radar of security professionals, but, this level of depth was hitherto unseen or reported. The supply chain attack is a type of an attack where the adversaries compromise a third party tool to gain access to its customers often with the malicious intent of exfiltrating data for gains. In this case, the adversaries compromised the SolarWinds’ Orion software build and code signing infrastructure, modified the source code to include malicious backdoor code, which was compiled, signed and delivered through the existing software patch release management system. Multiple SolarWinds Orion software updates, released between March and June 2020, have been found to contain this backdoor code which facilitated the adversaries to conduct surveillance and execute arbitrary commands on the affected systems.
FireEye detected it on December 13, 2020 and during their investigation, it was discovered that SolarWinds.Orion.Core.BusinessLayer.dll – a digitally signed component of the Orion software framework that contained a backdoor that communicates via HTTP to third party servers. This DLL component was included in the trojanized update file which is a standard Windows installer patch file. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe. After a dormant period of two to three weeks , the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control(C2) domain. The C2 traffic to the malicious domains is designed to look like normal SolarWinds API communications. The malware uses a Domain Generation Algorithm (DGA) to vary the subdomains with which it communicates. By changing the subdomain each time the malware sends traffic it will be harder to identify the traffic in network logs. The malware will detect if it is communicating with any private domain (such as Sandbox environments), and will not activate. It will become active only when it connects to a Public domain. It will also detect if any anti-virus tools or Forensic tools are running on the system.
The big question that arises here is how could the attackers insert malicious code into the supply chain software? Attackers may have compromised the deployment servers, source control systems, or developer machines to obtain access and insert the rogue code into the system software. It is quite likely attackers may have leveraged the malware at many points along the way as code moves through the software development lifecycle.
Once the malware had access to SolarWinds, the attackers leveraged Azure Active Directory to obtain additional credential and permissions. According to Microsoft, they used administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate and they forged SAML tokens that impersonate any of the organization’s existing users and accounts. The update was digitally signed bearing the SolarWinds name which shows that attackers had access to Privileged Accounts in SolarWinds.
So far three strains of malware has been detected and named as – Sunburst, Teardrop and Sunspot. The investigation is still going on and SolarWinds are not yet clear about their compromised infrastructure and how this attack was carried out. As of now, no one has reported data theft or any loss from the attack. Many are linking this attack to Russian hackers’ group and terming it as a state sponsored attack – this point is for the investigative and law enforcement agencies to figure out. From the investigation it is clear that it was planned over a very long period time and an advanced group of hackers were involved in this attack designing a smart Advanced Persistent Threat (APT) which was very difficult to detect.
Organizations often lag behind when it comes to investing cybersecurity incidents and many a time lack the wherewithal to put up a good fight. Attacks like these could jeopardize operations and could cost substantial sums to an organization. Advanced Persistent Threats are increasing day-by-day and organizations require advanced security solutions to detect them. In recent years Cybersecurity has evolved dramatically to include several solutions and one such advanced solution which is aiding early detection of malicious activities is deception technology. It is built with attacker’s mindset in mind, not defenders. This does not depend on the signatures, black/whitelists, behavior analysis or reputation of threat detection. Mature solutions have the ability to entrap intruders by various deception techniques and can integrate with other solutions pre existing within the organization to provide larger visibility of activities.
Acalvio Shadowplex, we represent, is adjudged as the #1 technology in deception in the industry as a result of seminal inventions and advancements they have made in technology. Acalvio, although probably the last to enter the deception solution space, has more than 25 issued patents and as many as 15 more are filed and pending to be issued by the authorities, presently. Shadowplex carries a comprehensive and rich deception palette which is an essential part of this solution. When implemented in an organization, APTs such as Sunburst is bound to interact with decoys; as such malicious/suspicious activities such as lateral movement, data exfiltration etc., could be spotted easily and alerted so as to enable security professionals take corrective action or better still, integrated with larger SIEM/SOC environments for remediation. Essentially, an alert from a deception threat defense platform is a TRUE POSITIVE and should have the immediate attention of the investigating team. Acalvio Shadowplex has been implemented in some of the largest of organizations across the world and at multiple sites in the META region, too. Deployments could be on-premise or cloud based and it has the ability to provide accurate, timely and cost-effective detection and unparalleled scalability at an excellent TCO.
