In case you’ve been living under an IT news rock, thousands of the world’s largest enterprises and government agencies may have been compromised by cyberattackers in a supply chain attack involving SolarWinds Orion network monitoring software. By planting malware in a SolarWinds software update sometime between March and June 2020, perpetrators were able to infiltrate the networks and systems of high-profile organizations. Let’s take stock of the current situation and see what cybersecurity lessons we can draw from the debacle.
Before we go any further, we’d like to reassure everyone that Invicti does not use SolarWinds and is not in any way affected by the incident. The update process for our own products is also secured according to industry best practices to ensure that software updates provided to our customers have not been tampered with.
The Story So Far
The first indication that 2020 was not going to end quietly for cybersecurity came last week when security company FireEye disclosed that highly advanced cyberattackers, most likely state-backed, had stolen penetration testing tools it uses for its red teaming services. At the time, the attack vector was unknown (or undisclosed).
On December 13th, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive advising that SolarWinds Orion network monitoring products had been compromised and were being actively exploited by malicious actors. The same day, FireEye published a detailed technical analysis of the backdoor involved.
In a securities filing on December 14th, SolarWinds estimated that some 18,000 of its 300,000 customers may have installed the compromised software. Considering that SolarWinds customers include most of the Fortune 500, all the US telcos and military branches, numerous US and UK government agencies, and even the Office of the President of the United States, this is very, very serious.
How The Attack Works
Attackers modified installation files for SolarWinds Orion updates by adding an advanced backdoor (dubbed Sunburst by FireEye) and planted the modified files on the SolarWinds update server. Once installed with the update, the malware waits 2 weeks and then stealthily contacts a command and control server, awaiting instructions. Because Orion operates at the system and network level, the malware can get extensive access to the file system and network communications while also covering its tracks to avoid detection.
The tampered updates were slipped into SolarWinds systems between March and June. No official information about the insertion vector is available, but several unofficial reports suggest multiple cases of lax security, such as exposing FTP login credentials in a public code repository, using weak passwords, and sending credentials by email. Regardless of the initial vector, the malicious update files have valid digital signatures, which suggests a much deeper infiltration of the SolarWinds infrastructure. We will update this article if more information about the root cause becomes available.
The Response and Consequences
CISA has advised all SolarWinds customers who installed one of the malicious updates to assume that their systems have been compromised and act accordingly. Beyond immediately patching Orion to a secure version and cleaning out systems, this may mean going through 6 months’ worth of system and network logs looking for signs of suspicious activity – not a fun prospect for Christmas.
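One way to start that log review is to look for the behaviour described above: a host that installed the update, stays quiet for the dormancy period, and then begins contacting a destination it never talked to before. The script below is an added example, not code from the original post or from SolarWinds/FireEye; the log format, hostnames, domains and install times are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample proxy/DNS log lines: "<ISO timestamp> <host> <destination domain>".
# Illustrative only; these do not come from any real incident data.
SAMPLE_LOGS = """\
2020-03-01T08:00:00 orion-01 updates.vendor.example
2020-03-20T09:15:00 orion-01 updates.vendor.example
2020-04-05T02:10:00 orion-01 new-outbound.example
2020-04-06T02:12:00 orion-01 new-outbound.example
2020-03-25T10:00:00 orion-02 updates.vendor.example
2020-03-26T10:05:00 orion-02 cdn.partner.example
"""

# Constructed times at which each host installed the suspect update.
INSTALL_TIMES = {
    "orion-01": datetime(2020, 3, 20, 9, 0),
    "orion-02": datetime(2020, 3, 25, 9, 30),
}

def parse_logs(text):
    """Yield (timestamp, host, domain) tuples from the simple constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        yield datetime.fromisoformat(ts), host, domain

def new_destinations_after_dormancy(log_text, install_times, dormancy=timedelta(days=14)):
    """Return {host: [(domain, first_seen), ...]} for destinations that a host first
    contacted only after its update install plus the dormancy window (default two
    weeks, matching the backdoor's described wait). A destination already seen before
    the install is never flagged, because its first sighting predates the window."""
    first_seen = {}  # (host, domain) -> earliest timestamp in the whole log
    for ts, host, domain in parse_logs(log_text):
        key = (host, domain)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    findings = {}
    for (host, domain), ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        installed = install_times.get(host)
        if installed is not None and ts >= installed + dormancy:
            findings.setdefault(host, []).append((domain, ts))
    return findings

if __name__ == "__main__":
    for host, hits in new_destinations_after_dormancy(SAMPLE_LOGS, INSTALL_TIMES).items():
        for domain, ts in hits:
            print(f"{host}: first contact with {domain} at {ts.isoformat()}")
```

On real data the same logic runs over months of proxy or DNS records per host, and every flagged destination still needs a manual check against known-good vendor and CDN endpoints.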
Everything indicates that the attack was a massive (and massively successful) intelligence-gathering operation, so fingers are being unanimously pointed at state-sponsored actors, notably the Russian hacking group APT29 (aka Cozy Bear). Since the start of the Covid-19 pandemic, attackers may have been able to access the confidential data of many government institutions and some of the world’s biggest corporations. While this, fortunately, had no direct operational impact (just imagine ransomware getting installed on that kind of scale), it does mean that a great many secrets might no longer be secret.
While the sheer scale and audacity of the attack are breathtaking, security experts agree there is no need to panic. Because the backdoor was so stealthy, actually accessing a specific system was a relatively high-effort manual operation, so it is likely that many if not most of the compromised installations were not actively targeted.
3 Essential Lessons For Cybersecurity
Even though the story is likely to play out for many more weeks if not months, there are at least 3 crucial observations that we can make here and now:
- Supply chain attacks are on the rise: Indirect attacks via the software supply chain are becoming a major trend in cybersecurity and this incident has finally brought them into the spotlight. No matter how good your own security, vulnerable third-party products can provide attackers with a foothold.
- Attackers only need one gap: While we still don’t know for sure how the malicious updates were planted, something as trivial as a weak password could have been enough. This is the Defender’s Dilemma in operation – the attacker only needs one weak spot while the defender has to secure everything.
- Cyberattacks can remain undetected for months: Especially with data breaches, cyberattacks are often perceived as exciting hit-and-run affairs. In reality, attackers can often avoid detection for months if not years, which this global surveillance effort has clearly demonstrated.
Web Application Supply Chain Security
The SolarWinds hack did not involve exploiting web application vulnerabilities (as far as we know), but it could easily have done. After all, the attackers simply gained upload access to a file server and this could also be accomplished via, say, a vulnerable web admin panel. All aspects of cybersecurity are connected and related, so weak points can be exploited in many ways.
However, the vital takeaway for web application security is that you have to check not just your own code but also any and all third-party products, plugins, and libraries. A modern framework-based web application can contain as much as 80% external code. A quality dynamic application security testing (DAST) tool is vital to find and eliminate vulnerabilities in the entire application, not just your own code.