On December 13th, 2020 news had broken that SolarWinds, had fallen victim to a cybersecurity campaign by a foreign state actor.

They published their own security advisory, and the US Government’s Cybersecurity Infrastructure and Security Agency (CISA) also published their own emergency directive regarding the Orion product from SolarWinds.

Here’s a quick summary of what we know so far:

1. SolarWinds is claiming a little less than 18,000 of it’s customers could have been affected
2. Victims also included FireEye, US Department of the Treasury, US Department of State, US Department of Energy, and others
3. It is believed that the hack was orchestrated by the Russian government (specifically the APT group Cozy Bear), but Moscow denies any involvement

To say this is a major attack is putting it mildly. Naturally a lot of companies are worried about this attack and are starting to wonder, who else in our supply chain should we be wary of?

Take a deep breath

Before diving in further into what this attack means to everyday businesses, let me just point out that this is was what a nation state attack looks like. Businesses face malicious attackers every day on the Internet, and some of them fall victim to ransomware, viruses, or other issues. Often times we hear that the attacker were sophisticated and there wasn’t anything the target companies could have done. Now we have another true example of what a nation state attack looks like. Advanced Persistent Threats (APTs), or nation states, have (for all intents and purposes) an unlimited budget - they can literally do whatever they want and take their time in doing whatever they need to do to reach their goals. They can take their time, they can wait patiently, and they can employ some of the best hackers on the planet to do their job.

However they are not going to target just any organization - they will have a specific set of targets in mind. Undoubtedly the targets for this particular attack was the US government, likely because of the change in administration. The other victims that were caught up were likely victims of opportunity rather than first-class targets. FireEye was targeted, for example, but that may be more of a personal vendetta for the attackers if only because they likely clash with the security company more often than not.

With that out of the way, I want to remind everyone that the Russian government, or nearly any other APT group, is not likely after you specifically. It is far more likely that a criminal group is going to be targeting you instead.

Rethinking the Supply Chain

There’s a lot of discussion on various forums (Twitter, Reddit, Slack, Discord, etc.) about “beefing up” the supply chain defence, i.e. revisiting vendors and paying more attention to who gets access to your data and/or systems. While this is a fantastic idea, it’s not exactly prudent since more often than not you are missing the forrest for the trees.

Most organizations I work with have no clear inventory of their assets. They may have a handle on their laptops, some cloud servers they’ve deployed, but not necessarily all the “shadow IT” that goes on behind closed doors. This entire pandemic and people moving to a work from home model has also thrown a wrench in the works for this discovery as well, with company assets sitting on networks with everything from the family computer to all types of IoT devices. Basic things like ensuring you have an asset inventory, anti-malware solutions, and even multi-factor authentication for email can get overlooked when we get news uf a major hack like the one that affected SolarWinds.

Ask the right questions

I feel really bad for SolarWinds since this is absolutely a nightmare scenario for them. People are going to blame them for the hack, but the truth is that it was just a matter of time. As I mentioned, APTs have nearly unlimited time and budget to pull of these hacks, and once they have an objective in mind there is very little anyone can do to stop them. Since it is highly unlikely that we will get a public version of the root cause analysis of what exactly happened to SolarWinds, we can only speculate given the information provided in their Form 8-K filing to the US Securities and Exchange Commission (SEC).

In the filing, Solar Winds explicitly states:

SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.

So essentially it doesn’t seem that the source code repository itself was compromised, but it was likely their build system itself. This could mean a few different things:

1. A compromised account for a developer, engineer, DevOps person, etc.
2. A compromised service account used as part of the build system.
3. A set of weak controls around the build system resulting in a successful compromise from a brute force attack.
4. A rogue dependency that was custom-made for SolarWinds resulting in the compromise.
5. Something else entirely.

I won’t speculate any further as it really doesn’t help, but if I were to threat model the build pipeline, those would be some areas of concern I would consider.

The questions I would be asking is how was the system protected? There’s a few reports of an FTP server that SolarWinds controlled having a password of solarwinds123. Again this comes from an old research report from 2019, and doesn’t explain how the exploit was properly signed by SolarWinds' build system. Again, the question I would be asking is what protections did SolarWinds have around their build system?

What often gets overlooked is the basic security hygiene that should be in place to help prevent these types of attacks in the first place. Things like maintaining an asset inventory, limiting access to critical systems, a proper patch management strategy, making use of password managers, enabling multi-factor authentication, and even end-user awareness training are things that too many organizations overlook. I don’t know what SolarWinds security posture looks like, but those would be some of the questions I would be asking if I were a shareholder or customer.

Stop, Think, and then Act

In cases like these it is very easy to fall into a “sky is falling” train of thought and look to stop further attacks like this from happening in the future. Unfortunately the focus is often on the wrong thing. SolarWinds is not the first vendor who has been used as an attack vendor. CCleaner was hit in 2017, MeDoc was used to spreat NotPetya in 2017, and back in 2015, Juniper Network was also hacked. Supply chain attacks like these are likely inevitable, but they are not that common and generally are used as a means to an end.

I think every organization, regardless of their size, should have some type of vendor screening process before they bring in a solution, application, vendor, etc., that gets access to sensitive information That doesn’t mean that’s the only solution that’s required. In fact, I would even argue that the scope for this level of screening can be limited to sensitive data adn systems only, so that you can actually get your business moving as opposed to gatekeeping everything. But if you’re so focused on who you’re brining in the front door, you may be completely ignoring what’s lurking at the back of the closet that you haven’t checked in the past 3 years…

– John

At EliteSec, we can help you build, plan, and execute a security program that makes sense for your organization. From vCISO services, to vulnerability assessments, threat modeling, and penetration testing, EliteSec can help secure your organization. Contact us today for more information.