The Bedel Security Blog

SolarWinds: What do we know so far?

Written by Stephanie Goetz | Jan 8, 2021

Unless you had a really secluded and long holiday vacation, you’ve probably heard about the SolarWinds breach and how it has affected many US industries, including financial institutions and their supply chains. Chances are that even if your institution does not use it, some of your vendors use it and were impacted.

Last week, we posted an article covering some of the immediate and longer-term steps to improve your resiliency against this and any future supply chain attacks. To follow up on this story, here’s a breakdown of what we understand this unprecedented attack entailed, in a possibly over-simplified nutshell. Details continue to be discovered and shared, so please keep in mind that this is a point-in-time assessment.

  1. The SolarWinds software updates were compromised sometime prior to March 2020, and the attacker added malicious code (malware) called SUNBURST to legitimate software updates. This malicious code went undetected because the software was trusted, meaning the software and its updates were exempted from anti-virus software and some security policies in order to function. The malware delayed activity by counting 12-14 days to let the dust settle after installation. After this time, the malicious code made several checks for common detection mechanisms before proceeding with its tactics. If the conditions were not ideal, it would stop and retry its checks at a random later time.

  2. When the time and conditions were right, the malware ran to establish a ‘backdoor’ to communicate with the attacker’s systems. At every step of the way, the malware ran under legitimate jobs or processes and employed evasive tactics, such as disguising itself as an established user, in order to escape detection. If a condition was met that could expose the malware, it would stop, wait a random period of time, and start over.

  3. The malware then tested the previously created backdoor by ‘phoning home’ to the attacker with information about the network it had compromised. The attacker would then determine whether the victim’s site was of interest. If not, in some cases the attacker would leave the malware installed without moving to the next step, or would activate a kill switch to shut down the malicious operation. If interested, the attacker would move to the next step, which has been referred to as TEARDROP. This step was to send the information of interest to the attacker.

  4. Upon discovery of this compromise, security experts issued alerts and advisories to help businesses and government agencies identify the compromises and respond. In addition, security experts at FireEye, GoDaddy, Microsoft and others commandeered one of the sites used by the attackers and used it to stop the attack on unsuspecting victims. They fear this may not have fully stopped the attacks; however, it may have taken some of the leverage out of the attacker’s hands.

  5. Details continue to come to light as we learn more about the attack. This includes a suspected vulnerability in another software company’s product, VMware, that may have allowed attackers to gain access to existing user accounts, including privileged users.

If you need more information, we recommend the sources below, as well as alert updates such as those offered by CISA at https://www.cisa.gov/supply-chain-compromise. We are continuing to monitor the developments of this compromise and capture the lessons it has to offer. If you need help or want to improve your security program for 2021, we would love to help! Contact us at support@bedelsecurity.com.

Sources:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html

https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/


Additional Resources:

Mitigating Supply Chain Attacks
https://www.bedelsecurity.com/blog/mitigating-supply-chain-attacks

The Scare of Miscellaneous Errors
https://www.bedelsecurity.com/blog/the-scare-of-miscellaneous-errors

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

The Most Underrated Control in Information Security
https://www.bedelsecurity.com/blog/the-most-underrated-control-in-information-security

IT Risk Assessment vs. Vendor Risk Assessment Simplified
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified