The Sunburst Effect: The erosion of trust in the digital supply chain

By Anthony Eich on February 5, 2021

Executive Summary

The recent, widespread cyber-attack that resulted from an infected software update from the Texas-based technology company SolarWinds, also known as the Sunburst hack, has had a major impact that is being felt by a large number of private and government organizations. The malware was propagated through SolarWinds's monitoring and management software, Orion. The malicious actors accessed the source code of the software and disseminated their malware by including a malicious dynamic link library (DLL) file in updates that were pushed out to clients digitally. Of SolarWinds's 300,000 customers, about 18,000 were infected with the malware. The list of users includes businesses, universities, state and local governments, and most notably major components of the U.S. Government [1]. The attackers were stealthy and patient: after a period of monitoring the data on infected networks, they focused on exploiting only specific systems that held high-value targets. FireEye, a prominent cybersecurity company headed by Kevin Mandia, was the first to discover the hack and announce it publicly [2]. This exploitation of the digital software supply chain, and of the authentication process used to send information across networks, has caused many companies that do business this way to question whether they can trust the current methods of delivery.

Background

The malware used in the Sunburst attack was spread through legitimate supply-chain channels. The victim systems were infected through a trusted source, which is probably the most damaging fact about this hack. By accessing the source of third-party software that is widely used by companies of all sizes, scopes and sectors, the attackers were able to infiltrate an alarming number of systems and remain unnoticed for an extended period of time [3]. This allowed the attackers to observe the networks they had infiltrated, and only when they discovered useful information would they "wake up" and execute the exploits that had been embedded, sending valuable information to their remote command and control (C2) servers. The first organization to alert the public to the presence of this attack was FireEye, a top security firm. They first discovered the malware when some of their "Red Team" penetration testing toolkits were exfiltrated by the hackers [4]. This not only released these powerful tools into the hands of those who can now use them to propagate additional exploits; it also erodes the confidence that the community has in the organizations that are explicitly built to defend against this type of action.

Impact

Another alarm set off by this event was the threat actors' ability to use the Security Assertion Markup Language (SAML) token authentication process to maintain access to the infected systems for an extended period of time. The malicious actors exploited a weakness in the victim systems' Active Directory Federation Services (ADFS) that allowed them to bypass authentication by first stealing the private key used to sign and validate tokens. This vulnerability, discovered in 2017, has been dubbed "Golden SAML", alluding to the nearly unlimited access the attackers can gain for as long as the purloined private key associated with the ADFS is still valid [5]. Now that this vulnerability has been displayed on the world stage, the trust normally placed in current authentication processes such as SAML tokens has been called into question. This means that new and better methods of authentication probably should be put into place, but on such a large scale it may take some time to shore up these defenses.
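A forged Golden SAML token is signed with the legitimate, stolen ADFS key, so signature validation at the relying party passes. What a defender can check instead is whether the identity provider actually issued the token. The following is an added example, not code from the article or from SolarWinds or Microsoft: it correlates assertions seen at a relying party with a constructed ADFS issuance log and flags tokens the IdP never issued, tokens whose subject differs from the IdP's record, and tokens with a validity window longer than policy. The log format, element names and sample data are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP (ADFS) issuance records keyed by assertion ID; a token forged
# with a stolen signing key never passes through the IdP, so it has no entry.
IDP_ISSUANCE_LOG = {
    "_a1": {"subject": "alice@example.test", "issued": "2020-12-10T09:00:00Z"},
}

# Constructed assertions as seen by a relying party; the second is unknown to
# the IdP and carries a one-year validity window.
OBSERVED_ASSERTIONS = [
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_a1" IssueInstant="2020-12-10T09:00:00Z">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2020-12-10T09:00:00Z" NotOnOrAfter="2020-12-10T10:00:00Z"/>
    </saml:Assertion>""",
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_z9" IssueInstant="2020-12-10T09:05:00Z">
      <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2020-12-10T09:05:00Z" NotOnOrAfter="2021-12-10T09:05:00Z"/>
    </saml:Assertion>""",
]

def _ts(value):
    """Parse the UTC 'Z' timestamps used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_assertions(assertions, idp_log, max_lifetime=timedelta(hours=1)):
    """Return {assertion_id: [reasons]} for assertions that look forged. The signature
    is not the test (a Golden SAML token is validly signed); the tells are a missing
    IdP issuance event, a mismatched subject, and a lifetime beyond IdP policy."""
    findings = {}
    for xml in assertions:
        a = ET.fromstring(xml)
        aid = a.get("ID")
        subject = a.find("saml:Subject/saml:NameID", NS).text
        cond = a.find("saml:Conditions", NS)
        reasons = []
        record = idp_log.get(aid)
        if record is None:
            reasons.append("no matching issuance event on the IdP")
        elif record["subject"] != subject:
            reasons.append("subject differs from the IdP's issuance record")
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings[aid] = reasons
    return findings
```

In a real deployment the IdP side would be fed from ADFS audit events and the relying-party side from application logs; the point is the correlation, which no amount of signature checking replaces.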

Significance

The initial response to any cyber threat is to isolate and contain it. Sunburst was a challenge to contain because of its widespread propagation. Some of the companies that were infected, such as industry giants Microsoft, Intel and GoDaddy, have been working to help stop the bleeding. Microsoft has said that as of now there is no evidence that its own systems have been used to further transmit the attack, but the full reach of this supply chain hack is still under investigation. While the C2 server for the system was identified, and a so-called "kill switch" was discovered that could ostensibly end the attack and contain any current or future data leaks, it remains to be seen whether the SolarWinds Orion vulnerability is the only vector the attackers used. It is very likely that this is only one prong of a multi-pronged attack. If the attackers were able to infiltrate SolarWinds, it is also possible that other sources within the supply chain are vulnerable as well. According to further investigations by Microsoft, it is also likely that the attackers responsible for Sunburst were not the only threat actors that infiltrated SolarWinds [6]. The questions that remain are whether we will see further attacks like Sunburst, and how the security community will prepare for such an event if it happens again.

Sources

Coop, Alex. 2020. "FireEye discloses data breach and theft of hacking tools." December 8, 2020. Accessed January 29, 2021. https://www.itworldcanada.com/article/fireeye-discloses-data-breach-and-theft-of-hacking-tools/439364.

Jankowicz, Mia, and Charles Davis. 2020. "These big firms and US agencies all use software from the company breached in a massive hack being blamed on Russia." December 14, 2020. Accessed January 31, 2021. businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12?op=1.

Ferguson, Scott. 2020. "President Trump Downplays Impact of SolarWinds Breach." December 19, 2020. Accessed February 1, 2021. https://www.databreachtoday.com/president-trump-downplays-impact-solarwinds-breach-a-15636#additionalmalware.

Schwartz, Mathew J. 2020. "FireEye: SolarWinds Hack 'Genuinely Impacted' 50 Victims." December 21, 2020. Accessed February 1, 2021. https://www.databreachtoday.com/fireeye-solarwinds-hack-genuinely-impacted-50-victims-a-15637.

Solomon, Howard. 2020. "FireEye's network testing tools were stolen – now what?" December 11, 2020. Accessed January 30, 2021. https://www.itworldcanada.com/article/fireeyes-network-testing-tools-were-stolen-now-what/439520.