First FireEye, then SUNBURST, and after that, SUPERNOVA. Here's why the SUNBURST incident is more alarming than the FireEye’s hack.
A security company that got hack is like a doctor who got sick. While everyone is talking about the FireEye incident, “SUNBURST" (or “Solargate”) is more dangerous, which is a cyberattack that required patience, skills, and new thinking. And in all that, it created a wound that we previously overlooked.
After discovering the SUNBURST malware, SUPERNOVA was revealed by security researchers as another backdoor found in SolarWinds software. This malware is a web shell that allowed attackers to run arbitrary code on machines running the software's trojanized version.
It is already on the news but mostly for technical people. I want to make a more friendly explanation to understand why it is alarming and, more importantly, how to prepare for the next attack.
First, they are related.
SUNBURST (and SUPERNOVA) is an advanced malware that compromised the Orion® Platform of SolarWinds, an IT monitoring software company, according to a blog post released 13 Dec 2020 FireEye.
Wait, why FireEye was the one who released the information, not SolarWinds?
In short, you can think of Solarwinds as the “upstream” of the attacks, while FireEye is one of the “downstream.” When FireEye Inc., a well-known cybersecurity company, discovered that they were hacked this month, their investigators immediately try to figure out how attackers got past their defenses.
It is believed that the discovery is by accident. The investigator realized that it wasn’t just FireEye who got attacked but also discovered a vulnerability in a product made by one of its software providers, SolarWinds Corp.
Technical Background (Simple Version)
According to deep-dive reports published last week by multiple security companies:
- FireEye
- Palo Alto Networks
- Fortinet
- Microsoft
- McAfee
- Symantec
- Kaspersky
- US Cybersecurity and Infrastructure Security Agency (CISA);
On infected systems, hackers compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of “SolarWinds.Orion.Core.BusinessLayer.dll.”
These booby-trapped updates embed the SUNBURST malware. Hiding in legitimate software via official update channels was then downloaded by over 18,000 computers.
Infected machines would collect information about the infected company’s network, then wait 12 to 14 days, and then send it to a remote command and control server (C&C).
SUNBURST would execute the following steps when infected for validation:
- Machine domain name validation.
- It checks the domain name of the compromised machine to ensure:
- It doesn’t contain certain strings.
- It is not a SolarWinds domain.
- It doesn’t contain the string ‘test’. - It validates that no analysis tools, such as WireShark, are running.
- It also checks to ensure that unwanted security software is not running.
As you can see, SUNBURST is malware with intelligence to check if it could successfully bypass security measures. If all of the validations are completed, it calls “home” to the attacker and sends information to identify the breached organization.
There are victims across different sectors, such as cybersecurity firms such as FireEye and local governments, schools, hospitals, banks, and telecom companies. And the worst part is, the list is still growing.
Like VMware and Microsoft, big tech companies also confirmed installing the trojanized updates on their internal networks. Fortunately, they also specified that they did not find any evidence of escalation from the attackers.
From the quality of the threat design, the range of techniques used, and its victims’ nature, this was a nation-state scale attack for sure. The malware was thoroughly crafted and secretly embedded in upstream suppliers’ legitimate software to finally hack the high-value assets downstream.
Implications
I read reports after reports. These are, from a security design perspective, beautiful attacks. It requires dedications of years of studying of the targets (probably with someone working with/from inside), with patience to find a way to bypass the monitoring of security analysts and skills to hide the code from the developers.
Conceivably the most alerting character of the SUNBURST attack was how it propagated itself by installing itself as part of SolarWinds’ regular distribution and update operation. This is the perfect storm much more influential by today's security policy's automation and fast patching practices.
The problem of trust again, but in a different thinking
Knowing what companies are the SUNBURST victims won’t help explain the extent of the damage done. As the scale of attacks are so extensive and involves too many heterogeneous IT infrastructures from various supply-chains. It does, however, highlight the fundamental problem of trust.
Supply-chain attacks rely on trust between suppliers and customers. There is no defense customers can implement against a compromised vendor or supply-chain that transfers legitimate code or services that are, in fact, jeopardized.
Regular measures, such as checksums and hashes, only work if the reference (upstream) isn’t ravaged. If you consider signed code, it is solely a special case of that concept of a chain of trust (signing is built on trust). Though, open-source software is more resilient in its community's proportion and interest but still not immune to such attacks.
The Mitigations
You and your colleagues are probably preparing for the holiday, security professionals should know that this will not be the last one, and hackers will not take Annual leaves.
What is more important is to learn from it and prepare not to be the next Solarwinds or FireEye. To achieve that, it is a good time for me to re-introduce the Security Mindset when talking about mitigation.
Integrating Security Mindset with PPT Framework
Reintroduction of The 3 Pillars of Security Conceptmedium.comTechnology Pillar
Reintroduction of The 3 Pillars of Security Conceptmedium.comTechnology Pillar
FireEye released countermeasures on Github that can identify the SUNBURST malware last week, including the Indicators of Compromise (IOCs) and MITRE ATT&CK Techniques. Security Vendors are catching up, and most of them had already released counter-measures for SUNBURST.
In the statement from FireEye, with collaboration with GoDaddy and Microsoft, released information about a killswitch:
As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.
This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor.
To detect malware as such, we may need a dynamic analysis tool like sandboxing in dedicated isolation. But hackers also know about it and developed malware with sandbox-aware validations. It then becomes a cat-and-mouse game between offense and defense.
The first and second stages of impacts could be reduced soon with the joined efforts from the communities. Yet, relying on tools and advanced technology is only effective DURING the incident.
While I am in line with most security vendors, we need to develop more innovative PDC solutions (Prevent — Detect — -Correct); But “Adapt” cannot be put out of the picture. Adaptation helps us respond better next time.
In Technology Pillar, as this time, software defects are already presented, the fixes can only be applied to the last attack. How to adapt to a more approving response to the next war is more valuable. That’s why we should shift our focus to the other two pillars.
Process Pillar
Hackers would try to get access to your company using the already established highways. Vendors and Partners become the possible targets and as a new way to penetrate. Attacks related to the supply-chain rose 38% since the start of the pandemic, reported by Bitdefender (A Security Vendor).
Trust between vendors should not be taken for granted. This, in fact, is a wake-up call for security professionals to see what is missing in the past truly. All update processes from vendors should be reviewed, and consider monitoring is in place.
Automation and patching were originally incorporated in the best practice of security operations; efficiency becomes the weapon. Therefore, implementing the concept of “Zero-Trust” into security designs become necessary.
Palo Alto Networks presented it clearly:
The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users — including threat actors and malicious insiders — are free to move laterally and access or exfiltrate whatever data they are not limited to. Remember, the point of infiltration of an attack is often not the target location.
Segmentation from a production network with the development for testing updates and patches should become the norm. Implementing change control in update channels for live files to maintain a higher resilience against external sources.
While keeping a tap on the trusted processes is resource-demanding, no one will underestimate the importance of that after the SUNBURST. With careful selection of data collection points by focusing on trust, building a tracking system could not be as resource-hungry as traditional log collection methodology.
It is worth considering to reach out to the company’s ecosystem to reassess key partners’ risk. It is as essential as internal procedures to ensure both internal and partners are still meeting all compliance requirements.
People Pillar
The hackers understand well the IT infrastructures of enterprises and the psychology of developers and operators. As mentioned in Technology Pillar, the SUNBURST malware was splendidly obfuscated, fastidious in its use of steganography and diversion layers.
It is why it can bypass layers of security defense in SolarWinds, from hiding from developers' code review to not triggering alerts in behavior analysis of the security operation team.
As a result, SUNBURST will produce another round in the arms race between hackers and cybersecurity researchers. No one is immune does not mean we are hopeless. It just likes what we are how we handle the COVID-19.
Giving you a pill to cure Covid may not help you prevent the variants, as the virus is mutating. To prevent infections are still the best way to minimize the impact. We thus introduce the concepts of social distancing, frequent hand-washing.
We keep washing our hands over the fear of the deadly viral pandemic yet fail to do basic things to our cyber self like security updates and use strong passwords. Regarding cybersecurity, what we need is a new way of thinking and the introduction of “Cyber-Hygiene.
Cyber-Hygiene
Bringing up the awareness of the importance of cyber hygiene goes a long way. Until you get the security basics right, all the fancy and most advanced technology in the world cannot protect us from cyber-attacks.
This fundamentals-first strategy is no surprise to experienced security professionals. Keeping the attack vector at minimal, continuing education, full visibility to the system, and patching and updating… these are all the basics.
Meanwhile, we relied heavily on advanced threat detection tools, AI-assisted SOC indicating the usefulness of those techniques, but do not help remove the cybersecurity risks.
To put it in simple terms, good Cybersecurity hygiene should be the real “Silver Bullet” that can dramatically reduce the risk of the weakness link in the picture (the people pillar).
Final words
SolarWinds Orion infected software updates are only the most current examples of software supply chain attacks. Before that, there were attacks such as NotPetya and Havex.
Adversaries and ransomware groups will not wait too long in mounting their own software supply-chain attacks as they have many vendor targets to choose from.
Absolutely we need to reconsider the growth of automated, continual distribution and patch practices that bring up security issues in the dynamic and conflicting cybersecurity environment. We need to rethink the balance between friction-less continuous deployment and layered security with verification in mind.
Not just in how to fight this war, but in designing for resilience. How to model the chain of trust and verification processes with a security mindset, from internal to the vendor and in the complete supply chain.
To cheer you up at the end of this story, we all know that we have had to adapt and grow to overcome the new security problems at every stage in our evolution with self-correction capabilities.
The best aspect of SUNBURST, or the latest SUPERNOVA incidents, which will become old news like the others over time, is a highly evolved real tragedy of substantial impact.
As a cybersecurity professional, on the side of good guys, we have to evolve ourselves by learning from this cyber-attack campaign, which is well-planned with years of effort; we must devote similar resources to our defenses.
Thank you for reading — Happy reading and preparing well not to be the next Solarwinds.
To know more about SUNBURST, please refer to the official statement and CISA Alert (AA20–352A).