Some observations on the SolarWinds supply chain attack, now that I'm all caught up!
Just a rundown of what I learned - citations included, all opinions my own 😄 /1
(If you're looking for an overview of the situation, check out this 101: https://twitter.com/KimZetter/status/1338389130951061504, a more detailed article: https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/ or get all the deets in the original FireEye blog: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.) /2
Let's get names straight first - SUNBURST is the malware inserted via a supply chain attack in SolarWinds's Orion product.
https://www.solarwinds.com/securityadvisory /3
A software supply chain is anything that goes into, or affects your code, from development, through your CI/CD pipeline, until it gets deployed into production. A supply chain compromise is when something you use is compromised. /5
It's not actually clear how SolarWinds was compromised. Their disclosure suggests it's their build system, and only affecting Orion products - but it's not clear whether that's the system itself, or signing keys, or what. /6
"Our initial investigations point to an issue in the Orion software build system."
https://www.solarwinds.com/securityadvisory/faq /7
Since the update was signed, we know the compromise happened before the build system signs it. That being said, it doesn't look like SolarWinds had great security overall... https://twitter.com/vinodsparrow/status/1338431183588188160 /8
Former employees agree. https://twitter.com/KimZetter/status/1341113224037449730 /9
So we don't know exactly what it is. SolarWinds also shares, "We are not aware that the SolarWinds code base was compromised." https://www.solarwinds.com/securityadvisory/faq /10
For a great study of past supply chain attacks, see the Atlantic Council's report published earlier this year.
https://twitter.com/CyberStatecraft/status/1287781351748493319 /11
We don't necessarily have a good way, as an industry, to describe the supply chain compromise itself. We use names for malware, and we use CVEs for vulns, but we don't have words for... this. (Checks out, since naming is the hardest thing in computer science.) /12
To further confuse the situation, SolarWinds' disclosures all contain content on SUNBURST as well as SUPERNOVA, which is a potentially related (it's not known!) unsigned plugin in Orion.
https://twitter.com/ItsReallyNick/status/1339530685548290051 /13
FireEye, who discovered the campaign, says "The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security." I mean it sounds bad, but when FireEye says it's highly skilled, you know it's bad. /14
The malware called out to a central command & control server notifying it of its targets, allowing the attackers to pick which targets to attack. /16
The malware has lots of evasion techniques, like similar host names, localized IPs, boring process names, etc. It checks if security or inspection tools like Wireshark or tcpdump are running before acting (and will try to disable them!). /20
The coolest part? It encodes the host information including attached Active Directory domains in a DNS lookup request, and the response tells the malware whether to activate. /22
A killswitch exists to stop the beaconing if attackers deem the domain not interesting - but the malware is still there, passive. That makes sense since removing a signed component would probably be *more* suspicious anyways. /24
(I didn't find any info on whether it could be reactivated, so assuming no.) /25
And this killswitch is also how Microsoft helped mitigate this campaign, by the way - by taking over the domain name and returning DNS responses with the killswitch. /26
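One defensive angle on the DNS-beacon behaviour described above: host data encoded into a DNS query shows up as an unusually long, high-entropy leftmost label, which passive DNS logs can be screened for. The script below is an added example written for this write-up, not code from the thread, FireEye or SolarWinds; the log format, hostnames and the placeholder C2 domain are all constructed, and the thresholds are illustrative, not published indicators.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (format and hostnames made up for this example;
# the C2 domain is a placeholder, not the real SUNBURST domain).
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z host1 query A www.example.com
2020-12-14T10:01:05Z host2 query A 7h2x9kq4m3p1ulv0bn6s8r5ea.appsync-api.c2-placeholder.test
2020-12-14T10:01:09Z host3 query A mail.corp.example.com
2020-12-14T10:01:12Z host4 query A aaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

# Heuristic thresholds (tunable; chosen for this illustration, not from any advisory).
MIN_LABEL_LEN = 20
MIN_ENTROPY_BITS = 3.5


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    total = len(label)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_suspicious_query(qname: str) -> bool:
    """Flag names whose leftmost label is long AND looks like encoded data.
    A long but repetitive label (low entropy) is deliberately not flagged,
    which keeps ordinary CDN / cache-buster hostnames out of the alert."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= MIN_LABEL_LEN and label_entropy(first) >= MIN_ENTROPY_BITS


def parse_dns_log(text: str):
    """Yield (client, qname) pairs from lines in the constructed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(4)


def find_suspicious(text: str):
    """Return [(client, qname)] for queries that look like encoded beacons."""
    return [(c, q) for c, q in parse_dns_log(text) if is_suspicious_query(q)]


if __name__ == "__main__":
    for client, qname in find_suspicious(SAMPLE_DNS_LOG):
        print(f"ALERT {client} -> {qname}")
```

Run against real resolver logs this will still need an allowlist for legitimate services that use long tokenised labels; the point is to surface candidates for a human, not to block on its own.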
So what was the target? Credentials. Looking for access to AD and SAML token signing certs. /27
This is particularly scary because even if the malware is made inactive, if attackers already have credentials, they've stockpiled future access to many systems, including cloud infra. /28
(TIL about kerberoasting, which is when you steal Kerberos LDAP creds and try to crack them later.) /29
FireEye and SolarWinds didn't really initially disclose this, as far as I can tell - but CISA did. The supplemental update tells agencies not to use SAML-based auth and also not to patch(!). I guess they want to verify the patch, I don't blame them. /30
Only image, no patch. /31
The part that was really scary to me is that this is the second (or later!) stage of an attack. Attackers compromised the build system in late 2019, but only planted malware in early 2020. This could have been discovered much earlier. /32
"We have determined that version 2019.4 with no hotfix of the Orion Platform released in October 2019 contained test modifications to the code base." https://www.solarwinds.com/securityadvisory/faq /33
Let's talk about the disclosure. It's clear that the SolarWinds disclosure was coordinated with the FireEye blog and the CISA emergency directive.
Reading these, a few things stand out - /34
The CISA emergency directive is numbered 21-01. Looking only at prior directives, this suggests this was planned for publication in 2021. I suspect the FireEye breach played their hand sooner.
https://cyber.dhs.gov/ed/21-01/  /35
SolarWinds also filed an 8-K to disclose the issue, which is unusual but makes sense - they say that Orion is 45% of their revenue. https://investors.solarwinds.com/financials/sec-filings/sec-filings-details/default.aspx?FilingId=14559445 /36
This is an optional filing, and doesn't need to include security vulnerabilities or incidents. (I wonder if this'll change.) It can also be done at any time.
https://www.lexology.com/library/detail.aspx?g=6d074767-b813-4ab3-992c-0f68a4d2f094 /37
Again, I suspect they were partially pushed into this. FireEye filed an 8-K with their disclosure https://investors.fireeye.com/static-files/05bd98cf-59b0-4af1-89f2-89e5c8f783f8 and (a first?) also an 8-K for discovering the SolarWinds issue https://investors.fireeye.com/static-files/11159101-f0ea-4cff-afd5-64f624a28421. /38
Makes sense because it's related - but this is starting to set a weird precedent for what I'd expect to find in 8-Ks. /39
The rushed filing also means the SolarWinds 8-K is a bit of a bungle.
https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf /40
(1) It mentions two hot fixes, "SolarWinds is also preparing a second hotfix update to further address the vulnerability, which SolarWinds currently expects to release on or prior to December 15, 2020". /41
I assume this refers to SUPERNOVA and not SUNBURST. And if it's SUPERNOVA, then it seems to have been made available on December 23rd, late. This is the kind of info that would have been better in a blog post. /42
(2) In addition to information on the supply chain attack, it mentions a compromise of email servers. /43
"SolarWinds was made aware of an attack vector that was used to compromise the Company's emails and may have provided access to other data contained in the Company's office productivity tools." /44
It's not clear from any other sources I've seen if this is part of the build attack, running the same cred attack on SolarWinds's own AD and O365, or something else. Could just be phishing. /45
I guess this botching shouldn't be a surprise because the initial webpage where SolarWinds disclosed the issue also cited the "top five US accounting firms" as customers 👀. It hasn't been the 'big five' in a while...
https://web.archive.org/web/20201213234819/https:/www.solarwinds.com/company/customers /46
What is well done in this filing, and their disclosures, is scoping affected customers to the 18k current and prior customers, rather than the 33k initially reported. /47
The other thing SolarWinds did really well in their disclosure is having a comprehensive FAQ, including the question every reporter will ask, "If your environment was compromised, why is it safe for us to install these updates/trust your code?" https://www.solarwinds.com/securityadvisory/faq /48
The Microsoft reseller breach may or may not be related - it seems that attackers(?) are targeting data accessible with O365 creds, via the supply chain. It's not clear what the end goal is. Likely - access to official emails. /49
The Defense Act that 45 just vetoed (over Section 230) would have made that the DHS' responsibility. https://www.congress.gov/bill/116th-congress/house-bill/6395/text#H04B7270984D94DB3AE693A0CBC71C892 /52
So what should you do?
For this attack - figure out if you're affected and follow the published advisories.
In general - we don't really know how to solve this. Vendor risk assessments are starting to feel a bit performative, and ineffective. So do what I'm doing - worry. 🙃 /53
You can follow @MayaKaczorowski.