SolarWinds Attack

Javid Chizari

7/27/20222 min read

Employed Techniques

The SolarWinds attack was a software supply chain hack executed against American software company SolarWinds, which develops and maintains network monitoring tools used by major corporations and government agencies.

The state-sponsored attack exploited the SolarWinds Orion Platform by embedding backdoor code into a legitimate SolarWinds library and wad spread via an automatic software update (Trojanization). The attacker gained remote access (RAT) into over 18,000 victim’s environments and a foothold in the network, which was used by the attacker to attain privileged credentials. FireEye named it “Sunburst backdoor.”

The attacker used various defense avoidance techniques such as masquerading, code signing, obfuscated files or information, indicator removal on the host, and virtualization/sandbox evasion. Many MITRE ATT&CK tactics, such as lateral movement, command and control, and data exfiltration, were believed to be used.

Mitigations recommended by the NSA

The NSA provides guidance for a practical evaluation methodology to assess how to improve Operational Technology (OT) and control system cybersecurity, recommending several steps that organizations can take to increase OT security, such as:

  • Protecting all access vectors by encryption

  • Logging all access attempts from vendors or any outsourced OT support, remote connections, and internal access

  • Disconnecting all remote access connections unless an active monitoring procedure is implemented

  • Creating an OT network map and device settings baseline

  • Identifying and validating all equipment and devices on the network

  • Assessing and prioritizing OT network cybersecurity requirements and employing network hardening strategies

Detection strategies recommended by NSA

Attackers are abusing trust in “on-premises” federated identity providers or single sign-on (SSO) to gain access to resources, including resources in “off-premises” cloud services. These systems often use cryptographically signed automated messages called “assertions” shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. When an actor can disrupt authentication mechanisms, they can gain illegal access to a wide range of an organization’s assets.

The security of identity federation in any cloud environment depends on “trust in the on-premises components,” which perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unauthorized access. Therefore, taking these steps seems to be essential:

  • Securing SSO configuration and monitoring service usage

  • Hardening the system

  • Monitoring the use of SSO tokens and examining the logs for suspicious tokens

  • Audit the creation and use of principal service credentials

  • Using Azure AD as the Authoritative Identity Provider to benefit from more protection offered by the cloud provider