Detecting the SolarWinds Hack
The cybersecurity world has been overtaken with concern over a state-sponsored cyberattack perpetrated by Russian intelligence agents against multiple federal agencies, including those responsible for our nuclear stockpile. Prominent cybersecurity firms such as Microsoft and FireEye, who were also victims of the attack, were the first to identify it.
Their internal networks had been accessed, undetected, since March 2020; the attackers read documents, stole penetration testing tools, and found their way into other systems. The attackers had inserted a maliciously modified version of SolarWinds Orion, a tool used by many organizations, both private and public, to monitor large networks, into the SolarWinds update server as early as March 2020.
Supply Chains are Easy Targets
As the investigation began, it was clear that this trojanized update, called SUNBURST, had spread widely, though it is still difficult to know whether the back door the hackers created for this attack allowed further intrusions and infection. It is known that up to 18,000 customers of SolarWinds have been affected by the malware. More will certainly be found out in the coming weeks. The high profile and sheer number of the targets, together with the novelty of the supply chain attack vector, are enough to fill the papers, but customers, clients and everyone in the ecosystem are left with many questions about what the lasting effects of this hack will be. It is being called the most significant cyberattack in our history.
Beyond learning quite a bit about how the attack on our federal agencies and companies via the SUNBURST malware was actually perpetrated, businesses and cybersecurity professionals are asking what lessons can be taken away. How will this change how we do things? What things should organizations and cybersecurity practitioners consider? Many companies, both those affected by the hack and those not (and it’s not 100% clear who is who at the moment) have released statements with some recommendations, such as onShore Security did for its clients.
In the very short term, care should be taken regarding these exact pieces of software. If SolarWinds software is being used in your organization, it is recommended that it be shut down and not turned back on until SolarWinds publishes a third-party code audit that makes it clear that the vulnerability gaps are filled. Secondly, your organization should adopt the detection rules released for the SolarWinds compromise and use the signatures provided by FireEye to detect both SUNBURST and the FireEye tools stolen in the attack.
Watching and Waiting
The nature of the attack, a backdoor written into the software itself, combined with the unusually long dwell time, means that it is simply impossible at this point to clear anyone of risk. The possibility of other, secondary “infections” must be assumed until it is dispelled.
Because of the long dwell time, lateral movement in the network is almost assured. This teaches us an important lesson in protection vs. detection. When protection and prevention fail, it can be impossible to know until it is far too late. In the case of this hack, the attackers had months inside networks, allowing lateral movement, secondary infection, and other malicious activity that may require deep forensic investigation to uncover and repair. Many of the organizations that have been affected are still trying to make up for lost time in their efforts to mitigate and prevent similar attacks.
We must also consider the software supply chain. Reliance on third-party suppliers of software is only increasing and our government has been even more willing to trust third parties, as it moves capability to the cloud and other forms of technology outsourcing. Some attention has been paid to hardware supplied by Chinese companies, but this event clearly shows that attackers don’t need to own pieces of the supply chain to infect it. Scrutiny needs to be applied where it can be and, in the case of software, that means code review.
Open Source Software Helps Mitigate Risk
Using open-source options where possible makes review easier because a wide array of parties can collaborate on the review. APIs need to be published and open. Our government can contract from suppliers but require that all components and licenses meet the required certifications. Famously, the Chinese government insisted that Microsoft provide source code to them for review as a prerequisite to doing business in China. That’s a tall order, but their fears weren’t unfounded. This year, it was revealed that a Swiss company supplying secure communications to many governments included a back door for our own CIA, demonstrating a need for some sort of cyber-arms treaty.
We also need to see greater collaboration in the detection process. SolarWinds had been instructing clients to exclude certain Orion binaries from anti-malware scanning because they produced false positives. This is likely at least one reason the attackers chose those binaries. There are legitimate reasons for exclusions, but often they are a way to avoid the harder task of collaborating with anti-malware and detection vendors to supply appropriate signatures so the binaries can be scanned properly. Microsoft, itself one of the victims, quickly revoked the digital certificate for the malicious binaries, but clearly more care must be put into the signing and verification process as well.
Fortify Your Cybersecurity Stack
The unfortunate truth is that there exists a zone of uncertainty around this hack. It is easy to tell if you were targeted in any way, meaning you can tell if the attackers ever took notice of you. Beyond that, the extent of the attack on you in particular can be hard to suss out. There are some signature parts of the attack that can be searched for. For example, email systems were frequent targets. Also, sequences of create, execute and delete commands can be evidence of the malware covering its own footsteps. These novel stealth tactics, designed to avoid detection and increase dwell time as much as possible, mean that forensic investigators have their work cut out for them, now put into the position of, essentially, proving a negative.
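The create-execute-delete pattern mentioned above is something a defender can hunt for in host event data. The following is an added example, not code from the original post or from any of the vendors it names: it assumes a constructed, simplified event format (timestamp, host, action, artifact path) and flags any artifact that was created, executed and then deleted on the same host within a short window.

```python
"""Flag create -> execute -> delete sequences for the same artifact on one host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Assumed format:
# "<ISO timestamp> <host> <action> <artifact path>"; paths may contain spaces.
SAMPLE_EVENTS = """\
2020-06-04T02:10:05 host1 create C:\\Windows\\Temp\\upd.exe
2020-06-04T02:10:07 host1 execute C:\\Windows\\Temp\\upd.exe
2020-06-04T02:10:09 host1 delete C:\\Windows\\Temp\\upd.exe
2020-06-04T08:00:00 host2 create C:\\Users\\a\\report.docx
2020-06-04T09:30:00 host2 execute C:\\Program Files\\Tool\\tool.exe
2020-06-04T12:00:00 host2 delete C:\\Users\\a\\report.docx
2020-06-04T07:00:00 host3 create C:\\Temp\\build.exe
2020-06-04T07:05:00 host3 execute C:\\Temp\\build.exe
2020-06-04T19:00:00 host3 delete C:\\Temp\\build.exe
"""


def parse_events(text):
    """Parse the constructed line format into (timestamp, host, action, artifact)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, artifact = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, action, artifact))
    return events


def find_short_lived_artifacts(events, window=timedelta(minutes=5)):
    """Return (host, artifact, lifetime_seconds) for each artifact that was created,
    executed and deleted, in that order, on the same host within `window`."""
    by_key = defaultdict(list)
    for ts, host, action, artifact in events:
        by_key[(host, artifact)].append((ts, action))
    hits = []
    for (host, artifact), evs in by_key.items():
        evs.sort()  # chronological order per artifact
        actions = [a for _, a in evs]
        try:  # require create, then execute, then delete
            i_c = actions.index("create")
            i_e = actions.index("execute", i_c + 1)
            i_d = actions.index("delete", i_e + 1)
        except ValueError:
            continue
        lifetime = evs[i_d][0] - evs[i_c][0]
        if lifetime <= window:
            hits.append((host, artifact, lifetime.total_seconds()))
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_artifacts(parse_events(SAMPLE_EVENTS)):
        print("suspicious short-lived artifact:", hit)
```

Only host1 is flagged: host2 never executes the file it deletes, and host3's sequence spans hours rather than minutes, so the window threshold is what separates ordinary build-and-cleanup activity from a binary that wipes itself seconds after running.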
In the future, supply chain attacks will be part of any organization’s threat modeling and there will be policy in place to detect and even prevent similar attacks. If anything, however, this incident highlights the importance of detection in the cybersecurity stack, the need for greater scrutiny in the code or signing of software, using open source and open APIs where possible and the need to begin serious work on cyber diplomacy.