Co-founder and EVP of ColorTokens
In December, SolarWinds, a leading provider of IT monitoring and management solutions for enterprises, disclosed that it had fallen prey to a widespread supply chain attack trojanizing its Orion business software updates.
FireEye & CrowdStrike, who have been supporting SolarWinds in its investigation, reported that the attackers deployed a novel malicious tool, SUNSPOT (which hasn’t been attributed to any known adversary), into the build environment of Orion’s platform to inject a backdoor known as SUNBURST. As many as 17,000 customers may have installed the trojanized software updates. However, the attackers were only interested in a few hundreds of these customers who received secondary payloads, such as the post-exploitation tool named Teardrop. The initial list of victims not only included the U.S government but other consulting and technology firms in North America, Europe, Asia, and the Middle East, as shown in the chart below:
Now a few weeks past the first discovery of the attack, it’s critical to step back and analyze the phases and ramifications of such a highly evasive campaign.
Although FireEye uncovered the scope of this sophisticated supply chain attack in December, SolarWinds revealed that the malware SUNSPOT may have been inserted into its customers' update packages between March 2020 and June 2020. Since then, the highly skilled attackers have successfully managed to evade the standard forensic and antivirus methods used by SolarWinds, other private companies, and the federal government. The campaign that’s currently ongoing has the following timeline, connecting the dots between FireEye’s discovery of the attack and SolarWinds’ original hack:
Russian cybercriminals are suspected of using SolarWinds Orion software updates to install the SUNBURST backdoor on enterprise users’ IT systems and networks, causing a serious attack of unprecedented proportions. FireEye’s findings revealed that the backdoor communicates with third-party servers via HTTP, after an initial dormant period following deployment. Once the malware activates, it is able to gather data as it traverses compromised networks as legitimate lateral traffic without getting detected, and it even “stores reconnaissance results within legitimate plug-in configuration files.”
Hackers behind this widespread campaign use a variety of threat vectors to masquerade their footprints while they move laterally. Hence, if you are using the above mentioned SolarWinds Software, the below section will help you find some potential opportunities for detection:
General Detection and Protection Measures
As the campaign is currently ongoing, these are the precautionary measures recommended by SolarWinds to stay ahead of evolving attack vectors:
According to the latest "2020 State of the Software Supply Chain" report released by Sonatype, the so-called "next-generation" supply chain attacks have surged by 430% in the past year. As the adversaries are getting craftier and imposing an unprecedented level of risks, the world should look to specialized coverage indispensable to cybersecurity protection against evolving cyber-attacks.
FireEye’s analysis of SUNBURST revealed extensive use of lateral movement to propagate and infect other systems. Further, the lack of proactive process-based controls allowed further attacks on infected systems. As new threat information continues to emerge, companies should undertake the following mitigation strategies to defend against further risks from this and other sophisticated cyber attacks:
Applying security hygiene and east-west segmentation along with endpoint and server hardening can be effective techniques to reign in spiraling complex segments that promote unseen lateral movement. Such attacks depend on network complexity and lack of east-west controls to move laterally from system to system. Micro-segmentation that automatically prevents communication between systems that do not otherwise communicate significantly reduces the propagation possible via lateral movement.
Also published on: https://colortokens.com/wp-content/uploads/SolarWinds_Threat_Brief.pdf
Create your free account to unlock your custom reading experience.