The SolarWinds Supply Chain Attack: An Update of What We’ve Learned So Far

Blog

Blog

The SolarWinds Supply Chain Attack: An Update of What We’ve Learned So Far

David Bisson

hacker at computer

In mid-December, Zix | AppRiver shared some advice on how organizations could strengthen their digital defenses in the wake of the SolarWinds supply chain attack. The security community learned a lot about the attack in the couple of months that followed. Here are some important developments that helped to shape our understanding of what happened during that time.

 

Beyond SUNBURST

 

SUNBURST wasn’t the only malware that factored into the SolarWinds supply chain attack. Several other distinct digital threats factored into the infection flow:

 

  • TEARDROP and BEACON: FireEye found at least one SUNBRUST instance that delivered a previously unidentified memory-only dropper called “TEARDROP.” The attackers used the resource to execute a customized Cobalt Strike BEACON.
  • SUNSPOT: In mid-January, CrowdStrike learned that the SolarWinds supply chain attackers had used SUNSPOT to insert the SUNBURST backdoor into the software builds of SolarWinds’ Orion IT management platform. This malware came equipped with several safeguards to prevent the Orion safeguards from failing and to thereby prevent the attackers from learning of the adversaries’ presence.
  • RAINDROP: It was just a week later when Symantec uncovered RAINDROP, a loader which like TEARDROP delivered the Cobalt Strike payload. The resource was a bit different, however, in that it didn’t rely on the SUNBURST backdoor for distribution. Instead, it appeared on networks where attackers had already compromised at least one computer with SUNBURST.

 

Security researchers also spent a bit of time analyzing how these malicious assets interacted with one another. For instance, Microsoft discovered that the attackers had tried to separate their SUNBURST backdoor from the Cobalt Strike implant as much as possible in order to shield the former from discovery. This involved the creation of an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. Upon execution, dllhost.exe triggered the process launch of wscript.exe, which ran a VBScript file. This resource then ran rundll32.exe to activate the Cobalt Strike payload.

 

An Expanded List of Victims

 

The list of organizations affected by the SolarWinds supply chain attack has grown. On December 31, 2020, for instance, Microsoft revealed that it, too, had fallen victim to the SolarWinds attackers. An internal investigation unearthed no evidence of access to production services or customer data. However, it did uncover the misuse of one internal account for the purpose of viewing source code within several source code repositories. The tech giant subsequently investigated and remediated those accounts.

 

Less than two weeks later, Bleeping Computer covered the emergence of a website called “SolarLeaks” that claimed to be selling information stolen in the SolarWinds attacks. The website offered Microsoft source code and repositories for $600,000, for instance. It also advertised data harvested from several of the security firms that disclosed they had fallen victim to the attacks, as noted by Infosecurity Magazine.

 

What’s interesting about those victims in particular is that a few of them weren’t running SolarWinds’ affected Orion platform. Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), told the Wall Street Journal that as many as 30% of the SolarWinds victims experienced intrusions through other means such as the exploitation of known bugs in other software products, password-guessing attacks and compromises that affected victims’ Microsoft 365/Azure environment. (CISA confirmed this last technique in an alert released in early January).

 

Reflecting on these findings, Microsoft Corporate VP of Security, Compliance and Identity Vasu Jakkal told ZDNet in an interview that SolarWinds would likely serve as a template for a new kind of digital attack going forward.

 

These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever.

 

CRN wrote in mid-January that cyber insurers were expected to spend an estimated $90 million on forensic services and digital threat response capabilities for their customers in response to the SolarWinds attack. It’s possible that the figure has increased since then.

 

The Fallout for SolarWinds Continues

 

News has continued to come out about SolarWinds and the initial Orion platform compromise. In the beginning of January, for instance, CRN wrote that a Jefferson County resident had filed the first class-action lawsuit against SolarWinds for the supply chain attack. The complaint alleged that the organization and its executives had failed to disclose a vulnerability in their Orion monitoring products. It also cited a security researcher’s finding that SolarWinds’ update server had used the weak password “solarwinds123” leading up to compromise.

 

It was around that same time when SolarWinds’ new CEO Sudhakar Ramakrishna published a blog post discussing a new initiative to help to make the company “secure by design.” To reach that goal, the organization would implement a credential reset, perform ongoing forensic analysis and re-sign all Orion products, Ramakrishna explained.

 

Investigators continued with their analysis of the attack in the meantime. On February 2, for instance, the Wall Street Journal reported they had found that the attackers had lurked inside of SolarWinds’ Office 365 email system for nine months. Ramakrishna wrote a day later that the organization had confirmed suspicious activity related to its O365 environment but that it had “not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365.” He went on to say that the attackers had compromised a SolarWinds email account.

 

A day after that, Microsoft published its own analysis in which it confirmed that its products had not served as an initial entry point for the SolarWinds attackers. The tech firm found that the threat actor had instead used other techniques such as password spraying and spearphishing.

 

SolarWinds’ security troubles didn’t end with the supply chain attack, either. On February 3, NBC News reported that a security firm had detected three “new” critical flaws that an attacker could have misused to compromise the networks of SolarWinds’ customers. The security firm told SolarWinds. In response, the company issued a patch and launched an investigation, an effort which ultimately found no evidence of misuse of those vulnerabilities.

 

The Response Phase Continues

 

As reported by Bank Info Security, President Biden and Department of Homeland Security (DHS) Secretary Alejandro Mayorkas stated that they intend to launch an investigation into the SolarWinds supply chain attack. The analysis will specifically look for gaps in the federal government’s digital security programs. It will also explore how the Administration can help to prevent a similar attack from affecting federal departments in the future.

 

It’s important that private organizations also work to defend themselves against this type of attack going forward. One of the ways they can do this is by investing in an email security tool that analyzes incoming messages for malware signatures, campaign patterns, IP addresses and other threat indicators. This solution should perform this level of analysis in real time while allowing legitimate correspondence to reach their intended destination.

 

Learn more about how Zix | AppRiver uses email threat protection to keep its customers safe from sophisticated attackers.

 

You can also find additional tips on how to stay safe in the aftermath of the SolarWinds supply chain attack by viewing my original blog post here.