What happened at SolarWinds? – sunburst in action!


The end of 2020 brought us the largest attack in history, whose aim was to gain access to the infrastructure of many public and private organizations around the world. The SolarWinds breach is here, and it will stay in the literature forever. So… where did it start?

It officially started with the disclosure of a security breach at FireEye, the pioneers of threat intelligence. FireEye issued a statement in December in which it clearly attributed the attack to one of the Russian hacker groups, pointing to previously unknown attack tools.

The FBI was involved, and FireEye’s customers (including most of the US government) were deeply concerned.

How it all started

It soon became apparent that the attack on FireEye was only part of a much larger campaign, carried out through malicious updates to the popular SolarWinds network monitoring product, which affected major government organizations and companies around the world.

The incident highlights the serious impact that attacks on the software supply chain can have, and the fact that most organizations are unprepared to detect such threats, let alone neutralize them.


  • Attackers broke into the infrastructure of SolarWinds, a company that produces a network and application monitoring platform called Orion.

  • They then used this access to create and distribute Trojanized updates to software users.

Orion updates for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, may have contained malicious components.

On its website, SolarWinds stated that its customers included 425 of the Fortune 500, the ten largest US telecommunications companies, the five largest US accounting firms, all branches of the US armed forces, the Pentagon, the Department of State, and hundreds of universities and colleges around the world.

Interestingly, Vinoth Kumar, a security researcher, told Reuters that in 2019 he had warned the company that anyone could access the SolarWinds update server using the password “solarwinds123”.

What was the attack type?

The attackers managed to modify the Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll, which is distributed as part of the Orion platform update. The trojanized component is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.
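The point that the malicious DLL carried a valid vendor signature is worth making concrete. The following added example (written for this page, not code from SolarWinds or FireEye) shows an update-verification check in which a vendor signature is necessary but not sufficient: the artifact's hash is also compared against a manifest obtained through an independent channel, such as a reproducible build or a second publisher. The vendor "signature" is an HMAC stand-in for a real code-signing scheme, and the key, module bytes and manifest contents are constructed assumptions.

```python
"""Update verification with two independent roots of trust.

A trojanized build signed with the genuine vendor key passes the signature check,
so the artifact hash is additionally compared against an independently pinned
manifest. The HMAC 'signature' stands in for real code signing; key, artifact
bytes and manifest values are constructed for this example.
"""
import hashlib
import hmac

VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"   # assumption: vendor's signing secret


def vendor_sign(blob: bytes) -> bytes:
    """Stand-in for the vendor's code-signing step (HMAC instead of an X.509 signature)."""
    return hmac.new(VENDOR_SIGNING_KEY, blob, hashlib.sha256).digest()


def signature_valid(blob: bytes, sig: bytes) -> bool:
    """Constant-time check that the blob carries a genuine vendor signature."""
    return hmac.compare_digest(vendor_sign(blob), sig)


def verify_update(name: str, blob: bytes, sig: bytes, pinned_manifest: dict) -> tuple:
    """Return ('accept' | 'reject', reason) for one update module.

    Both checks must pass: the vendor signature proves who published the file,
    the pinned hash proves the file is the build that was independently reviewed.
    """
    if not signature_valid(blob, sig):
        return "reject", "signature invalid"
    expected = pinned_manifest.get(name)
    if expected is None:
        return "reject", "no independently pinned hash for this module"
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "reject", "signed artifact does not match independently pinned hash"
    return "accept", "signature and pinned hash both match"


# Constructed artifacts: a clean build and one with a backdoor inserted before signing.
MODULE = "SolarWinds.Orion.Core.BusinessLayer.dll"
CLEAN_BUILD = b"<clean build of the module: constructed bytes>"
TROJANIZED_BUILD = CLEAN_BUILD + b"<backdoor inserted in the build pipeline: constructed>"

# Manifest obtained through an independent channel (assumption: e.g. a reproducible build).
PINNED_MANIFEST = {MODULE: hashlib.sha256(CLEAN_BUILD).hexdigest()}


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_BUILD), ("trojanized", TROJANIZED_BUILD)):
        # Both blobs carry a genuine vendor signature; only the pinned hash tells them apart.
        print(label, verify_update(MODULE, blob, vendor_sign(blob), PINNED_MANIFEST))
```

The trojanized build is rejected even though `signature_valid` returns true for it, which is exactly the situation a build-pipeline compromise creates: the signing key was never stolen, the input to the signer was.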

Here is a high-level description of the attack steps:
  1. Installation of the update containing SolarWinds.Orion.Core.BusinessLayer.dll.
  2. A two-week sleep period, intended to evade AV and EDR programs.
  3. The “awakened” component downloads and executes commands called “Tasks”, which include the ability to transfer files, execute files, profile the system, restart the computer, and disable system services.
  4. The malware disguises its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results in legitimate plug-in configuration files, allowing it to blend in with legitimate SolarWinds activity.
  5. The backdoor uses obfuscated blocklists to identify and disable forensic and anti-virus tools running as processes, services, and drivers.
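Steps 2 and 4 above describe behaviour that is hard to catch with signatures but visible in endpoint telemetry. The following added example (written for this page, not a FireEye or Vectra rule) runs two detection rules over constructed log events: rule 1 flags a freshly installed component that only reaches a destination never seen on that host long after it was installed (the dormancy-then-beacon pattern), and rule 2 flags writes to plug-in configuration files that occur outside any update window, which is where the backdoor parked its reconnaissance results. Host names, process names, domains, paths, timestamps and thresholds are all constructed assumptions.

```python
"""Two detection rules for the dormancy and config-file behaviours described above.

All events, names and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANCY_DAYS = 10                   # assumption: silence this long before a new destination is suspicious
UPDATE_WINDOW = timedelta(hours=2)   # assumption: config writes this close to an install are expected

SAMPLE_EVENTS = [
    # orion-01: update installed, legitimate vendor traffic right away, then a
    # never-seen destination and a config write two weeks later.
    {"ts": "2020-03-26T09:00:00", "host": "orion-01", "type": "install",
     "process": "OrionHost.exe", "package": "SolarWinds.Orion.Core.BusinessLayer.dll"},
    {"ts": "2020-03-26T09:05:00", "host": "orion-01", "type": "file_write",
     "process": "Installer.exe", "path": "C:\\Orion\\Plugins\\Monitoring.config"},
    {"ts": "2020-03-26T09:10:00", "host": "orion-01", "type": "dns",
     "process": "OrionHost.exe", "domain": "vendor-updates.example"},
    {"ts": "2020-03-27T09:10:00", "host": "orion-01", "type": "dns",
     "process": "OrionHost.exe", "domain": "vendor-updates.example"},
    {"ts": "2020-04-09T14:32:00", "host": "orion-01", "type": "dns",
     "process": "OrionHost.exe", "domain": "oip-telemetry.example"},
    {"ts": "2020-04-09T14:33:00", "host": "orion-01", "type": "file_write",
     "process": "OrionHost.exe", "path": "C:\\Orion\\Plugins\\Monitoring.config"},
    # orion-02: same update, a new destination after only two days -> not dormant.
    {"ts": "2020-03-26T09:00:00", "host": "orion-02", "type": "install",
     "process": "OrionHost.exe", "package": "SolarWinds.Orion.Core.BusinessLayer.dll"},
    {"ts": "2020-03-28T11:00:00", "host": "orion-02", "type": "dns",
     "process": "OrionHost.exe", "domain": "pkg-mirror.example"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def dormant_beacons(events, dormancy_days=DORMANCY_DAYS):
    """Rule 1: a process installed by an update first contacts a destination never
    seen on that host only after at least `dormancy_days` of silence."""
    install_at = {}            # (host, process) -> install time
    seen = defaultdict(set)    # host -> destinations already contacted by any process
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        if ev["type"] == "install":
            install_at[(ev["host"], ev["process"])] = parse_ts(ev["ts"])
        elif ev["type"] == "dns":
            host, domain = ev["host"], ev["domain"]
            if domain in seen[host]:
                continue                                # known destination, not a first contact
            seen[host].add(domain)
            t0 = install_at.get((host, ev["process"]))
            if t0 is None:
                continue                                # process not tied to a tracked install
            silent = (parse_ts(ev["ts"]) - t0).days
            if silent >= dormancy_days:
                findings.append({"rule": "dormant-beacon", "host": host,
                                 "process": ev["process"], "domain": domain,
                                 "days_silent": silent})
    return findings


def untracked_config_changes(events, window=UPDATE_WINDOW):
    """Rule 2: a plug-in .config file is written outside every update window on that host."""
    installs = defaultdict(list)
    for ev in events:
        if ev["type"] == "install":
            installs[ev["host"]].append(parse_ts(ev["ts"]))
    findings = []
    for ev in events:
        if ev["type"] != "file_write" or not ev["path"].lower().endswith(".config"):
            continue
        t = parse_ts(ev["ts"])
        if any(abs(t - it) <= window for it in installs[ev["host"]]):
            continue                                    # expected: written during an update
        findings.append({"rule": "config-write-outside-update", "host": ev["host"],
                         "process": ev["process"], "path": ev["path"], "ts": ev["ts"]})
    return findings


def run(events=SAMPLE_EVENTS):
    """Run both rules and return the combined findings."""
    return dormant_beacons(events) + untracked_config_changes(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the sample data only orion-01 is flagged, by both rules; orion-02 reaches a new destination too, but two days after installation, so rule 1 treats it as ordinary post-update traffic. The two-week figure in step 2 is why `DORMANCY_DAYS` is set below fourteen rather than at it: a threshold placed exactly at the observed delay is trivially missed by a slightly different build.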

One of the best studies of the attack is the Vectra AI infographic, which shows how important it is to have a solution that recognizes potentially dangerous network behaviors.

FireEye tracks this component as SUNBURST and has published open-source detection rules for it on GitHub.

The exact timeline of the incident is still being established, but on December 22, 2020, Dr. Herb Lin of the American Center for International Security and Cooperation presented some interesting conclusions.

We present them below:

  • The scale and significance of this incident will only grow as more details of the breach are revealed. It is unlikely that the full extent of the damage will ever be disclosed to the victims. Moreover, it is possible that undetected parts of the attack are still running, still gathering information to be sent back to the adversary, or planting “logic bombs” to be “detonated” in the future. While there is currently no evidence that this is the case, nothing in the public record excludes it.

  • The attackers had many months to dig into the information technology (IT) infrastructure of their targets. It will be very difficult, if not impossible, to completely remove the attackers’ access to an affected network. Rebuilding entire IT systems from scratch may be the only way for affected organizations to make sure the attackers lose their foothold.

  • Victims trying to rebuild their systems from scratch will face painful choices between security and a significant loss of operational efficiency, similar to the one that occurred in March 2020 (not to mention the productivity lost to rebuilding systems instead of doing useful new work).

  • No provider of computer products or services can build everything it needs on its own. Even the most sophisticated IT product and service providers source components such as power supplies or program libraries from third parties and integrate them into their customer offering. The SolarWinds breach has been described as a “supply chain attack”, which is true. However, weaknesses in supply chains have been a problem for cybersecurity professionals for many decades.

  • Most of the cybersecurity breaches reported so far have violated the confidentiality of data: attackers obtain data they are not authorized to access. But there are other risks to data as well. A breach in which attackers alter or delete data is a serious problem, and a breach of integrity may be even more dangerous than a breach of confidentiality. In the case of electronic health records, most people would feel far worse about an intrusion that removed the note of an allergy to a specific drug from their medical record than about one that merely revealed that allergy, even though those records are supposed to be kept confidential.

  • Data is not the only component at risk; the same applies to Internet of Things (IoT) devices and computer control systems. Even smartphones and personal computers let you control physical devices such as printers and assistants like Amazon Alexa. Almost any physical, real-world function can be networked and controlled by a computer, and it is unlikely that anyone knows the full range and extent of cyber-physical capabilities that attackers can now control.

What is the most important security lesson you can learn from an attack on SolarWinds?

Our opinion is that we can never assume control over every aspect of “our” network and the resources working within it. SolarWinds shows us that suppliers must be treated as extensions of our network and subject to rigorous controls.

It is worth reading the article on the Zero Trust approach.

Information technology users must assume that their systems and networks have already been compromised and take appropriate precautions as if they were operating on compromised systems and networks. It will be inconvenient, reduce productivity and seem unnecessary, but it is the only way to limit the impact of a security breach.

Today, users want computer systems that are faster, easier to use and more interoperable, and they want to control more things with them. Meeting these requirements increases the complexity of computer systems. However, cybersecurity experts know that greater system complexity inevitably leads to lower security: it creates more ways to gain unauthorized access and more vulnerabilities to exploit.

As a result, growing consumer demands for functionality lead to less secure systems.

And where do you think the limit lies when it comes to saying STOP to productivity in order to ensure security?
