SolarWinds coronal mass ejection cyberattack

No one saw Sunburst coming

On 8 December 2020, FireEye reported a breach and exfiltration of their Red Team tools. Ultimately, FireEye realized the breach had come via supply-chain attack carried out by the implantation of malicious code in the SolarWinds update server for the Orion Platform.

The attack on SolarWinds, dubbed Sunburst, loaded a Trojan into the SolarWinds software update. This malicious update infected SolarWinds Orion Platforms, thus compromising the networks of SolarWinds’ clients. The sophistication of the attack has led analysts to assert that the cyber event was most likely attributed to Russian nation-state threat actors.
On Friday, 18 December, Microsoft released a statement confirming that its network had been compromised by the malicious software updates from SolarWinds. FireEye and Microsoft were two of many companies affected by the attack. US-based organizations were targets of nearly 80% of the attacks, though organizations based in Belgium, Canada, Israel, Mexico, Spain, and the United Arab Emirates (UAE) were also affected. There are no reports of attacks within Russia.

In response to the US attacks, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to US government agencies directing them to immediately disconnect or power down SolarWinds Orion products. US government agencies believed to have been breached so far include the Treasury Department, the Justice Department, the Energy Department, and the National Nuclear Security Administration, among others. The full extent of the attack is unknown. It is highly probable that more victims will be discovered since damage from this breach is still being assessed and new tactics, techniques, and procedures (TTPs) could be discovered.

The Sunburst attack is unprecedented in both its scale and the profile of organization affected.

Impact

The impact from Sunburst may take many years to understand.

More than 17,000 of SolarWinds’ clients downloaded the infected software updates. With the attacks targeting industries such as technology, telecommunications, government agencies, and consulting firms, as well as oil and gas firms, the depth and breadth of repercussions from the breaches and exfiltration are unknown, prompting a need for innovating new ways to mitigate this type of persistent threat.

Recommendations

Attack techniques of cyber threat actors, particularly nation-state threat actors, are becoming more advanced. This particular attack helps emphasize that organizations must work with vendors to ensure that third-party risk is well-managed to mitigate the threat of cyberattacks. Ensuring organizations and their vendors have a security structure in place that is built with security as a core component can help achieve an overall cyber security program which is resilient, withstands attacks, or at least minimizes damage and keeps recovery costs to a minimum.

At this time, FireEye’s Red Team tools have not yet been seen in the wild. Customers with compromised SolarWinds Orion platforms will most likely fall into one of the following three categories:

1. Customers which have not identified the infected file solarwinds.orion.core.businesslayer.dll, and who must patch their systems before resuming operations.
2. Customers which have identified the infected file and have determined whether it has beaconed to the command-and-control (C2) avsvmcloud[.]com, or not. These customers must conduct extensive monitoring of their network, searching for any anomalies, harden their devices, re-install updated software, and resume operations only after no other anomalies have been found.
3. Customers which have identified the infected file, have confirmed it is communicating with avsvmcloud[.]com and that it is communicating with a secondary C2 must assume that their network has been compromised. CISA recommends a complete rebuild of the system if the breach compromised administrative credentials, or if Security Assertion Markup Language (SAML) abuse has been identified. If communication with avsvmcloud[.]com abruptly ceased prior to December 14, 2020, through no action of the cyber security team, assume that the network has been compromised and immediately institute the company’s incident response plan.

The SolarWinds breach has left organizations in the difficult position of attempting to defend against future Sunburst-like attacks. Sunburst masqueraded as a legitimate file and was uploaded from a trusted source. Perhaps the most effective way to defend against this type of Trojan is to have a depth of defense, creating layers of defense, segmenting which software controls which computers. However, this layered and segmented approach to cyber defense would increase cyber security costs.

Organizations must consider that more threat actors are likely to mimic the success of the Sunburst attack. Some companies might choose to mitigate potential SolarWinds type attacks by limiting or eliminating use of third-party software. This might reduce software purchasing costs but could increase the company’s cost in building their own software solutions.

In sum, there is yet to be a surefire prevention or response unique to the SolarWinds’ Sunburst attack. Each organization must assess its current cyber security posture and determine its most efficient, cost effective means of attaining overall cyber resiliency should another SolarWinds type attack occur. For detailed information on best practices regarding cyber incident investigation and mitigation, please see the Joint Alert on Technical Approaches to Uncovering and Remediating Malicious Activity.

References

Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

Technical Approaches to Uncovering and Remediating Malicious Activity

18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack

Securing organizations against the SolarWinds cybersecurity threat