The cyber attack against SolarWinds and the compromises that followed should be a wake-up call to all businesses: they need to look beyond traditional solutions for securing their data and move to solutions that protect their data at all times, even when networks or endpoints are compromised.
Let’s take a high-level look at what happened and why this isn’t just another run-of-the-mill malware attack.
On December 8th, 2020, FireEye, one of the world's largest cybersecurity companies, reported the unauthorized access to and exfiltration of its red team tools: the tools its penetration testers and other offensive cyber operators use to break into and keep access to customer networks while emulating real adversaries. This is a big deal, as these tools are usually kept close to the vest; giving a real adversary access to them means they can be modified to create novel, hard-to-detect attacks for use in the wild.
FireEye is also one of the leading incident response companies in the US and, as such, started an investigation into its own breach. Five days later, on December 13th, it was announced that the breach was caused by a supply chain attack against SolarWinds Orion, a product that FireEye and many, many US Government agencies and Fortune 500 businesses use to manage their IT infrastructure. An adversary was able to infiltrate the SolarWinds Orion codebase and insert “malware” that gave the adversary access to any system running SolarWinds Orion.
How is it that one of the world's leading cybersecurity companies was not able to detect this rogue software running on its networks for months and months (early reports are that this code had been in place for seven months or even longer)? Let’s look at some traditional ways something like this would normally be detected and why they failed in this case.
Since SolarWinds Orion is deployed to manage network infrastructure at scale, firewalls would be configured to allow traffic to and from on-premise and cloud-based instances of Orion and its many modules across the enterprise network.
Furthermore, the adversaries used command and control servers whose IP addresses were in the same country as the victims, by renting Virtual Private Server instances (VPSs). Firewalls configured to use geo-blocking would have failed in this case.
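As an added illustration of the egress point above (example code written for this page, not code from the original post or from SolarWinds), the script below runs three detection rules over constructed firewall log events for a management server: a geo-blocking rule, a destination allowlist, and a first-seen-destination rule. The hostnames, addresses and the placeholder country code "ZZ" are assumptions; none of them are real indicators from the incident. The geo-blocking rule misses the in-country VPS command and control host; the allowlist and first-seen rules catch it because they ask "is this an expected destination for this server?" rather than "where is it?".

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class EgressEvent:
    """One outbound connection as a firewall or proxy would log it."""
    ts: str
    src_host: str
    dst_ip: str
    dst_country: str  # as tagged by the firewall's GeoIP feed; "" for RFC 1918 space
    dst_name: str     # hostname seen by the proxy/DNS layer; "" if unresolved


# Constructed sample events (not real log data, not real SolarWinds indicators).
# The management server reaches the vendor's update site, an internal switch it
# monitors, a command-and-control host rented on a VPS in the victim's own
# country, and one host in a country the firewall geo-blocks ("ZZ" is a
# placeholder code, not a real country).
SAMPLE_EVENTS: List[EgressEvent] = [
    EgressEvent("2020-12-01T08:00:01Z", "orion-mgmt01", "203.0.113.10", "US", "updates.example-vendor.test"),
    EgressEvent("2020-12-01T08:00:05Z", "orion-mgmt01", "10.20.30.40", "", "core-sw01.corp.test"),
    EgressEvent("2020-12-01T08:02:17Z", "orion-mgmt01", "198.51.100.77", "US", "api.vps-provider.test"),
    EgressEvent("2020-12-01T08:05:00Z", "orion-mgmt01", "192.0.2.200", "ZZ", "mirror.example.test"),
]

# Assumed egress policy for the management tier: the vendor's update hostname
# and the internal address space are the only expected destinations.
ALLOWED_NAMES: Set[str] = {"updates.example-vendor.test"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def geo_block_alerts(events: Iterable[EgressEvent], blocked_countries: Set[str]) -> List[str]:
    """Destination IPs a geo-blocking rule would flag. A C2 host in the
    victim's own country never appears here."""
    return [e.dst_ip for e in events if e.dst_country in blocked_countries]


def allowlist_alerts(events: Iterable[EgressEvent], allowed_names: Set[str],
                     allowed_nets) -> List[str]:
    """Destination IPs that are neither an approved hostname nor inside an
    approved network. Location is irrelevant; only expectation matters."""
    alerts = []
    for e in events:
        if e.dst_name in allowed_names:
            continue
        ip = ipaddress.ip_address(e.dst_ip)
        if any(ip in net for net in allowed_nets):
            continue
        alerts.append(e.dst_ip)
    return alerts


def new_destination_alerts(baseline: Iterable[EgressEvent],
                           current: Iterable[EgressEvent]) -> List[Tuple[str, str]]:
    """(src_host, dst_ip) pairs in `current` that never appeared during the
    baseline window. Useful where no explicit allowlist exists yet."""
    seen = {(e.src_host, e.dst_ip) for e in baseline}
    return [(e.src_host, e.dst_ip) for e in current if (e.src_host, e.dst_ip) not in seen]


if __name__ == "__main__":
    print("geo-block rule flags:", geo_block_alerts(SAMPLE_EVENTS, {"ZZ"}))
    print("allowlist rule flags:", allowlist_alerts(SAMPLE_EVENTS, ALLOWED_NAMES, ALLOWED_NETS))
    # Baseline = the first two (legitimate) events; everything later is compared against it.
    print("first-seen rule flags:", new_destination_alerts(SAMPLE_EVENTS[:2], SAMPLE_EVENTS))
```

The allowlist approach only works if the management tier's expected destinations are small and documented, which is exactly the case for a platform like Orion: it talks to the devices it manages and to its vendor, and very little else.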
Even though this was a trojan, no antivirus program detected it as a virus. SolarWinds is a well-known software company, and its programs are digitally “signed” by SolarWinds, so as far as the antivirus was concerned this program was legitimate and allowed to run.
Since the piece of SolarWinds Orion that was compromised (SolarWinds.Orion.Core.BusinessLayer.dll) was digitally signed by SolarWinds, application whitelisting programs would let it run, especially if it had been whitelisted before, which would have been done at any company that runs Orion.
Again, since Orion is a network management platform and the binaries were digitally signed by SolarWinds, EDR platforms would allow it to run. In addition, Orion is mostly designed for server, network and cloud management, places where EDR programs are not widely used.
These evasion techniques made it difficult for defenders to detect and stop the adversaries. To add even more variability to the attack, the trojan would not “activate” until two weeks after its installation, making detection and forensic efforts even more difficult.