Protect
February 5, 2021

The SolarWinds Sunburst Supply Chain Attack

An overview of the SolarWinds attack

It’s been over a month since a highly sophisticated threat actor was detected via the SolarWinds technology called Orion. In this blog, we will give an overview of the attack, the impact that it has had, and why the attack is still an ongoing investigation. 

What happened in the SolarWinds attack? 

On December 8th, FireEye detected an attack on its systems by a highly sophisticated threat actor. The attack is considered a “Supply Chain Attack” because malware was installed through a third-party vendor of FireEye. In this case, malware was installed in the latest update of SolarWinds Orion, an IT management and monitoring software. Malware was installed using a Remote Access Trojan (RAT) that appeared to be a legitimate software update. Unfortunately for many SolarWinds customers, the update was not legitimate. This trojan malware installation has become known as SUNBURST and was able to camouflage in with legitimate SolarWinds activity since the malware was able to access system files, and anti-virus tools were not able to detect the malware. Once the sunburst malware was installed, it would create a backdoor to the hackers to the systems and networks of the SolarWinds’ customers. Most endpoint detection tools have now released IOCs for SUNBURST.

Who did this impact? 

FireEye also discovered that they are not the only company that was targeted. Because SolarWinds is a large vendor to many organizations, a lot of companies and government agencies were put at risk. On December 13th, FireEye stated the cyberattack, now called Campaign UNC2452,” most likely began March 2020 and has been ongoing for months. Once the systems were compromised, the cyber attackers made lateral movements and stole data. 

SolarWinds ongoing remediation 

So how did attackers access the server in the first place? Unfortunately, we are still unaware of the extent of data stolen or compromised as the extent of the attack is still being discovered. Since the attack, SolarWinds has created a patch for the Orion software and has advised all customers to update the existing Orion platform immediately. The impacted version is SolarWinds Orion Networking Monitoring Product: Versions 2019.4 HF 5, 2020.2 or 2020.2 HF 1 released between March 2020 and June 2020. If an organization finds evidence of an attacker infiltrating the environment, they should conduct a comprehensive investigation and develop a remediation plan to get rid of attackers and mitigate risks. If an organization is unable to do the needed update, they should isolate the SolarWinds servers and block all Internet egress from the SolarWinds servers. At the bare minimum, it’s a good idea for all organizations that have access to the SolarWinds servers and infrastructure to change their account passwords and take a deeper look into Identity, Credential, and Access Management (ICAM) solutions. 

Because this was a third-party attack or supply chain attack, commercial and government organizations could also benefit from taking an additional look at their Third-Party Risk Management program and assessing areas of potentially high-risk.  

A case for open source? 

As more breaches occur, there has been an ongoing debate about implementing open source technologies to improve security. There are many benefits to a community-drive approach, such as lower costs and faster time to implementation.  In terms of security, using open source software allows for greater transparency. When more eyes can inspect the source code, any flaws are typically found and patch much more quickly. With that being said, open source code is still another part of your supply chain. Therefore, no matter what dependencies you have, whether they are open-source or proprietary, all code needs to have resources set aside to monitor and keep up with remediation. In the case of the SolarWinds breach, it is impossible to speculate whether or not the breach would have been found sooner if their code had been open sourced. We do know that FireEye released a new open source tool to help find any potential breaches in Microsoft Azure cloud environments. There are a lot of variables to consider when looking to adopt open source technologies for your organizations. However, the case for open source is compelling.  

Continue reading

cybersecurity newsletter
The MPG newsletter

Get great curated articles into your inbox.

Our semi-regular newletter is a great source of information.
No spam!