Supersonic Supply Chain Attack // Introduction

Supersonic Supply Chain Attack // Introduction

// SolarWinds: Anatomy of a Supersonic Supply Chain Attack // Introduction The attack on SolarWinds and JetBrains has ushered software build environment to sign a poisoned in a new generation of software supply chain software update that was released to over 18,000 attacks. While supply chain attacks are not new, this SolarWinds customers around the globe. At this attack is already one of the most wide-reaching and time there is no direct evidence that the attackers sophisticated cyberattacks ever seen. used SolarWinds’ code signing materials to sign other malware or tools, but this remains a possibility. The attack required extremely high levels of Taking into consideration the adversaries’ level of sophistication, stealth and painstaking planning of sophistication, it is possible SolarWinds’ code signing every detail in order to avoid detection. It involves materials could have been stolen as part of the compromises of multiple companies, including many attack. If this is the case, these can used in future of the top U.S. software companies, which were then campaigns, or sold to other threat actors to poison used to gain backdoors to the customers of these future software updates. organizations. The ultimate targets were carefully selected, and the attacks targeting them were The adversaries continued to target machine carefully tailored using multiple tools and a range of identities in the post-exploitation phase to hide novel attack methods. in plain sight. Once they gained a foothold on the victims’ networks, they managed to compromise One common element used repeatedly throughout SAML code signing certificates that helped the entire attack lifecycle was the leverage of them forge SAML tokens, which allowed them to legitimate and trusted machine identities. These authenticate against targeted resources, whether critical security assets, which include code signing they were on premises or in the cloud. By leveraging keys and certificates used to sign code as well these tokens, the attackers were able to appear as SAML tokens, allowed attackers to maintain a legitimate to network detection tools and blend low profile, bypass security controls, pivot across in with normal traffic, allowing them to remain networks and gain trusted access to key assets. The undetected on networks for nearly a year. massive compromises resulting from the SolarWinds/ JetBrains attack would not have been possible without The scope of this attack is still unfolding, but it’s the successful use of forged or compromised machine already clear that the attack’s impact will send identities that allowed the adversaries to elevate shock waves through the software development privileges, access data and services and maintain a and cybersecurity industries. This attack clearly low profile for the entire attack lifecycle. illustrates that enterprisewide machine identity management is an essential security control that Using legitimate, trusted machine identities allowed cannot be neglected. the attackers who had gained access to SolarWinds’ 2 // Attack Summary On December 13, 2020, the first reports surfaced, In addition to getting a peak at the software source revealing the details of one of the most notable code of other prominent software companies supply chain attacks of the decade. Numerous such as Microsoft, the attackers also attempted organizations in the private and public sectors to infiltrate dozens of SolarWinds partners, like around the globe were hit by a well-planned attack CrowdStrike, using resellers’ access. using a sophisticated supply chain. The attack Once a victim’s network was infected, the leveraged compromised network monitoring and adversaries continued their quest for machine management software from SolarWinds® Orion®. identities. By targeting the SAML token-signing By successfully compromising the software build and certificate, they were able to forge SAML tokens code signing infrastructure, adversaries managed so they could impersonate highly privileged user to deliver backdoored updates to thousands of accounts, mostly of key IT and security personnel. SolarWinds customers. These compromised machine identities allowed Artifacts from the investigation confirmed that them to authenticate against any resources, while the source code of the Orion update was directly blending in with normal network traffic to avoid modified to include the SUNBURST backdoor, raising suspicion. which was digitally signed and delivered through The same adversary is also accused of compromising the company’s software release system. The TeamCity, a widely-used CI/CD tool by JetBrains, modification to the update was very lightweight, in order to use it as a pathway for the attack on making it easily overlooked. SUNBURST was SolarWinds Orion and other software companies. added to the update by another malware, dubbed Currently, there aren’t enough details about the SUNSPOT, that replaced one of the source code TeamCity compromise to determine exactly what files during the build process with another version happened or whether this assertion is true, but if containing the backdoor. JetBrains were, in fact, compromised, that would The fact that the update was digitally signed with a make it a holy grail of supply chain attacks. valid SolarWinds certificate enabled broad distribution Whether TeamCity was involved or not, the attack of the malicious code to; it also raised no flags on SolarWinds is worrying CIOs and CISOs of from security detection controls. As a result of the every organization. The adversaries invested compromise of this software update, the backdoor significant amounts of time and resources to infiltrated the networks of 18,000 SolarWinds ensure their malicious code was properly inserted customers—around 80% of the Fortune 500, including into the software build process, while remaining giant corporations like Microsoft, Cisco, Intel Nvidia, undetected by the SolarWinds developers. Belkin, FireEye and Deloitte—as well as numerous U.S. Demonstrating high levels of sophistication and government departments and agencies. patience, the attackers consistently prioritized The adversaries chose their victims carefully operational security. This made it possible for and tailored world-class capabilities to specific them to keep a low profile while causing massive victims. Although the backdoor was delivered to all breaches to companies all over the world. Without SolarWinds Orion customers, the adversaries clearly a doubt, this attack was the work of a nation-state cherry-picked the targets that were most beneficial APT (Advanced Persistent Threat) group believed to to them. They also leveraged their positions on be associated with the Russian state. compromised networks to expand to interconnected companies that were not SolarWinds customers. 3 While software supply chain attacks are not novel, like Microsoft, which previously had been out of reach the sophistication of this attack illustrates weakness to attackers, the ultimate victims. In many cases, the in our software supply chain that leave us vulnerable ultimate target of these attacks were two or three to similar attacks. The delivery of a backdoor that organizations removed from the initial compromise. is digitally signed by a globally known software Future attacks using these strategies and tools developer is extremely difficult to defend against. are inevitable. Securing the software supply chain, This style of attack enables the adversary to hide in including the code signing infrastructure as well all plain sight and gain access to a broad range of other other machine identities, must be part of the security systems, as well as the machine identities required to profile of every company that operates a service or access sensitive data and services. Software supply develops software. This is the only way to protect chain attacks have made high-profile organizations customers and maintain integrity and trust. including U.S. government agencies and tech giants // Attack Details SolarWinds The attack was so successful that the backdoor dubbed SUNBURST was inserted to the DLL in Researchers believe the attackers were preparing for versions 2019.4 HF 5 through 2020.2.1 and remained the attack for a long period of time, patiently waiting available on SolarWinds’ website even after the and testing their approaches. Analysis of the source disclosure of the attack. code of the specific component targeted,SolarWinds. Orion.Core.BusinessLayer.dll, shows that the adversaries While no public evidence has been presented yet were inserting empty classes in it as early as October that SolarWinds certificates were used to sign 2019 as a proof of concept. These efforts illustrate the other malware and tools, this option should not extent of planning and testing the attackers completed be excluded. All certificates and keys on the build before they included the poisoned payload into the systems should be revoked preemptively to avoid build process. In addition to other precautions, the further compromise. modification to the DLL was very lightweight and was designed to be easily overlooked; it used a similar class name, OrionImprovementBusinessLayer, to blend in with the rest of the code. Further analysis of the artifacts reveal that the malicious file ultimately built with the Orion software build system was compiled only once and was modified at the source code level. It is still unclear how the adversaries managed to compromise the build machine, but it is certain that the build infrastructure

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us