SolarWinds Orion Hack for Cyber Professionals: What Happened & How to Address Supply-Chain Attacks #UNC2452

In one of my recent articles, I shared the fact that losses from the cyber-attacks are at a staggering trillion-dollar today. Even more worrying is how the cyber-attack losses are trending. It is expected that in the next five years, the cyber-attack losses will surpass 10 trillion dollars annually or twice the size of the entire IT spending worldwide. Let me say that again. It is estimated that by 2025, the cyber-attack losses will surpass 10 trillion dollars per annum or twice the size of the entire IT spending worldwide.

In this article, I want to discuss the recent SolarWinds supply-chain attack, what it is, what it means for you as an IT professional, and the organization you work for. I have broken down the overall discussion into three areas, supply-chain attack overview, attack kill-chain i.e., attack delivery, execution, and data exfiltration stages, and how you can remedy the attack and what the future implications are.

Cyber-attack Primer

NOW, before we deep dive into this, let me offer you a quick primer on cyber-attacks. Let’s first start with the jargon. Indicators of compromise (IOCs) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. IOCs help information security and IT professionals in detecting data breaches, malware infections, or other threats. Unlike IOCs used by legacy endpoint detection solutions, indicators of attack or IOA focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. IOCs are reactive indicators whereas IOAs are proactive and are based on the idea of the overall pattern of an attack or the kill-chain. So, what is the kill-chain? A cyber kill chain is a series of steps that trace the stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. An attack vector is a path or means by which a hacker can gain access to a network or a server to deliver a payload or malicious outcome. A threat attack surface is the total number of vulnerabilities an unauthorized user can potentially use to access and steal data.

Software Supply-Chain Attacks

NOW, let’s talk about the supply-chain attacks. Enhancements in security technology such as machine learning or artificial intelligence and global reputation systems like Cisco Talos have made it harder for unwanted, unknown, or malicious applications to give attackers a foothold in the environments they are targeting. So, the logical next step for them is to go upstream and target a legit and trusted application. To accomplish this, attackers are increasingly targeting software makers like SolarWinds. Once a supplier is compromised, the attackers can modify trusted products such as the SolarWinds Orion to perform malicious actions or provide a trojanized backdoor to the target environment. Unaware of these malicious changes to their applications, suppliers unwittingly deliver them to their trusting clients as legitimate software updates in this several US federal agencies and Fortune 500 companies. We saw a number of these appear in headlines last year and they are on the rise as indicated in this survey.

Cyber Kill-Chain

NOW, let’s go over the attack kill-chain. SolarWinds Orion, which by the way represents about half of the SolarWinds yearly revenues, was hacked where attackers added a trojan inside their software update dating back to as early as March this year. This coincides with the Coronavirus ramping up in the US and the stock market bottoming out. As the trojanized software, which FireEye calls Sunburst, made into the victim’s network, malicious code executed itself and it is the malicious DLL file known as the BusinessLayer.dll. FireEye calls it SunBurst whereas Microsoft calls it Solorigate. Attackers used TearDrop malware to deploy Cobalt Strike’s Beacon. Further analysis of the backdoored Orion installers matches what appears to be SolarWind’s normal build process. So, it is likely the attackers have compromised both the SolarWind source code, and their build process to deliver backdoored updates through their normal release process. My friends, this is horrifying.

Immediate Remediation Actions

NOW, let’s talk about the actions you can take. If you believe your systems are compromised, make sure that your servers are isolated or contained until you have the chance to review them. If you can’t isolate them, then restrict network connectivity to any other endpoints, restrict the scope of accounts that have local admin privileges. Go ahead and change your passwords on servers with SolarWinds access. If you were using Orion to manage your networking infra, then it is time to review your router and switch configurations for any unauthorized modifications. You can also look to cloud-based monitoring and performance solutions such as Cisco AppDynamics as opposed to an on-premises solution like Orion.

Future Cyber Security Implications

In terms of future implications, I think the only way to address these supply chain attacks is to re-architect software and ensure code integrity. In a typical Enterprise, there is plenty of zero-trust security around communication between users and servers and services but not much for machine to machine or service to service communication.

Hopefully, this attack leads to conversation on how we can create a zero-trust environment around each workload, virtualized or bare-metal. What’s your take? Please feel free to drop a comment.