A consortium of industry vendors, including Microsoft and Google, has been actively working to prevent SUNBURST from activating and attacking. Microsoft was able to gain possession and control of a key domain - avsvmcloud[.]com - which the SUNBURST attack binaries use to obtain Command and Control (C&C) information. Without this C&C connectivity, a SUNBURST deployment that has not yet become active within an environment remains in an inactive state. ZDNet has been covering this aspect of the ongoing investigations.
It should be noted that if SUNBURST had already activated, the extent of what it can do after it loses connectivity to the C&C domain is still being investigated. This means that Orion customers who were already infected by SUNBURST may still find the software active within their environment, and should consider the Orion install compromised until definitive proof that it is not can be acquired and confirmed. That being said, if the software has not yet been put into an "active" state by the C&C platform, it appears to remain inert and re-attempts connectivity on a periodic schedule. Since the C&C domain (and any servers SUNBURST would communicate with via that domain) are now under the control of Microsoft, Google, and others, any SUNBURST deployment that has not yet gone active will remain inactive indefinitely.
Customers running the Orion platform are still cautioned that it is - at this moment - not possible to definitively say whether any given Orion instance has an activated SUNBURST infection. Security researchers are continuing to determine which Orion installations have been activated, which have downloaded infected patches, and other details. To date, about 100 customers' Orion installs have been confirmed to have communicated with the C&C servers, but the discovery project is still ongoing. Contact SolarWinds and/or Microsoft to find out if your install is on the "known activated" list. Activated installs of SUNBURST may remain active even though the C&C servers are now controlled, as the threat actors may have used the system access SUNBURST provided them to install additional communication methods that don't rely on the now-controlled C&C systems. We hope to have more information in the coming days and weeks to help with identifying infected instances, and the Cymulate platform will be updated with any new techniques and methodologies used by SUNBURST as soon as the forensic examinations yield new information on how the attack works, spreads, and acts.
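Because a not-yet-activated SUNBURST deployment keeps re-attempting to reach the C&C domain on a schedule, DNS resolver logs are one place a defender can look for Orion hosts that were trying to reach avsvmcloud[.]com; the same review is a concrete form of the advice later in this post to monitor your network for unusual activity. The Python script below is an added example written for this post, not code from Cymulate, Microsoft or SolarWinds. It assumes a simple "timestamp client-ip query-name record-type" log format (an assumption for the example), uses constructed sample lines rather than real telemetry, and treats a query for the domain itself or any subdomain of it as a hit.

```python
"""Flag DNS log entries that look up the SUNBURST C&C domain named in the post.

Added example for this post. The log format is an assumption, and the sample
lines and subdomain labels below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Domain the post names as the SUNBURST C&C domain (written de-fanged there).
CC_DOMAIN = "avsvmcloud.com"

# Assumed log line format for this example:
# "<timestamp> <client ip> <query name> <record type>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(qname):
    """Lower-case a query name and drop the trailing dot of an FQDN."""
    return qname.rstrip(".").lower()


def is_cc_query(qname, cc_domain=CC_DOMAIN):
    """True if qname is the C&C domain itself or any subdomain of it.

    The leading dot in the suffix check keeps look-alike names such as
    'notavsvmcloud.com' from matching; a name that merely starts with the
    domain (e.g. 'avsvmcloud.com.example.net') is not a subdomain either.
    """
    name = normalize_name(qname)
    return name == cc_domain or name.endswith("." + cc_domain)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": normalize_name(qname), "qtype": qtype}


def find_cc_clients(lines, cc_domain=CC_DOMAIN):
    """Return {client_ip: [query names]} for every client that queried the C&C domain.

    Several hits from one client spread over time match the periodic
    re-attempt behaviour the post describes for not-yet-activated deployments.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_cc_query(rec["qname"], cc_domain):
            hits[rec["client"]].append(rec["qname"])
    return dict(hits)


# Constructed sample log, not real telemetry; the subdomain labels are invented.
SAMPLE_LOG = [
    "2020-12-14T08:01:12Z 10.0.5.21 www.example.com A",
    "2020-12-14T08:02:40Z 10.0.5.21 r7kq2x.avsvmcloud.com A",
    "2020-12-14T08:03:05Z 10.0.7.9 notavsvmcloud.com A",
    "2020-12-14T08:03:30Z 10.0.7.9 avsvmcloud.com.example.net A",
    "2020-12-14T09:02:44Z 10.0.5.21 p4mz9.avsvmcloud.com A",
    "2020-12-14T09:10:00Z 10.0.9.3 AVSVMCLOUD.COM. A",
    "malformed line",
]


if __name__ == "__main__":
    for client, names in sorted(find_cc_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} C&C lookup(s) -> {', '.join(names)}")
```

Point the script at an exported resolver or DNS-firewall log in the assumed format (or adapt `LOG_RE` to your own), and review every client it reports. Case and trailing dots are normalized so FQDN-style logging does not hide a hit, and the suffix check only matches true subdomains. As the post stresses, a hit shows that a host attempted to reach the C&C domain, not whether the deployment was ever activated; absence of a hit in the window you have logs for is likewise not proof that an Orion instance is clean.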
On Monday morning, the world woke up to some rather earth-shattering news. Many US Government agencies - including many that are concerned with National Security - were successfully attacked by a nation-state actor. Coming on the heels of an attack against a major cybersecurity equipment and software vendor, this news immediately set off alarm bells throughout the world: if security agencies and companies can be attacked, what is to stop anyone else from becoming a victim? The attack is fairly complex, and details are still not entirely known as of the date of this writing (December 14, 2020), leading to a great deal of fear and uncertainty in the greater technology world, and even more confusion over what happened. What we do know is that SolarWinds fell victim to a highly sophisticated attack that left their customers vulnerable to further threat activity. Let's take a look at the situation at a high level to describe what these news stories and disclosures are telling us.
First, what is SolarWinds? SolarWinds (SW) is a software company that has been around for quite a while. Founded in 1999, SW produces software platforms that manage other components of enterprise technology - from monitoring networks to managing support tickets. In this case, the attack revolves around a specific SW platform - Orion. This platform is used to centralize monitoring of multiple technology areas so that administrators and management can have updated information about performance, issues, and planning data for future growth. The Orion platform ingests and correlates massive amounts of data from various areas of company technology sets, and therefore can see a tremendous amount of information about a company, their technology, and their data. Because of this, access to the Orion platform within any given company is tightly controlled, with only a few senior administrators having access to the data that is collected and reviewed.
The attack occurred when SolarWinds' networks were compromised by an outside threat actor. As of this writing, the method used seems to have been the takeover of a particular identity certificate (a digital file, produced by cryptographic functions, that allows one system to identify itself to another system, or one user to identify themselves digitally to one or more systems). This certificate was then used to forge other identity and access components and allow the attackers to gain access to some systems within SW's infrastructure. In addition to any others the attackers may have compromised (the investigation is still ongoing), one of the systems that suffered incursion was the platform used to stage and ship software updates to customers of the Orion platform. The attackers inserted their own code into one or more updates, which were then distributed to all users of Orion when they performed regular software updates/patching on the Orion system in their own environments.
This form of attack is often referred to as a "Supply-Chain Attack," since it doesn't directly attack the various organizations such as US Government agencies and security vendors, but rather attacks one or more platforms used by those organizations in order to gain access to them indirectly. Because it can be visualized as poisoning a common "well" of data or software, it is sometimes referred to as a "Watering Hole" attack. Read more on a watering hole attack in our blog here. No matter the term used, the result was that thousands of companies that use Orion had unknowingly downloaded threat actor code when they performed their software updates, leaving them exposed to further attack at a later date.
This attack code, called SUNBURST by security researchers, notified the threat actors that it had been installed each time a company performed their Orion updates, allowing the attackers to know which companies had been compromised. SUNBURST also installed additional code that permitted the threat actors to remotely access the Orion system at any time, while hiding itself as best it could to avoid detection by monitoring and control software outside of Orion. Because SUNBURST impacted a monitoring and control platform (Orion), and because Orion saw so much of the infected organizations' data and system information, the amount of intelligence this gave the attackers was enormous and made the compromise itself nearly impossible to detect. As the software began to be infected as early as March of 2020, it is possible that many organizations were compromised for well over six months - a staggering amount of time in the cybersecurity world.
According to ZDNet, the attack appears to be the work of a Russian nation-state Advanced Persistent Threat (APT) group. While that is yet to be confirmed by official sources, the form of the attack and the sophistication of the SUNBURST malware do lend credence to this being the work of a nation-state actor, with Russia's APT39 being the most likely candidate based on unofficial source reporting. The further fact that a large number of US government agencies were amongst the primary targets of the attack does indicate that the attackers are a well-organized, well-funded, and most likely state-sponsored group, lending even more weight to the possibility that APT39 was indeed the responsible party.
This type of attack - and most notably this attack at this scale - is incredibly rare. While Supply-Chain Attacks do occur, they are generally seen on a much smaller scale, with much smaller software vendors being the conduits for the attack itself. Enterprise software vendors take great care with Identity and Access Control, and have multiple monitoring systems and other safeguards to prevent exactly this kind of attack from succeeding. Only through extremely sophisticated manipulation of security certificates and no small amount of code wizardry were the attackers able to succeed here - to the point that even seasoned security professionals have expressed amazement at the scale and reach of this attack. Additionally, modern security monitoring can typically detect that this form of data exfiltration (the removal of data from an environment) is happening, meaning that traffic patterns would generally expose the attack in progress; only the obfuscation techniques of spectacularly good threat actors were able to avoid discovery here. While it is possible that this could happen again, it can only happen at this scale with an alarming amount of talent, resources, and time. So, while it can happen, we're unlikely to see another attack of this magnitude in the near future if we're lucky.
Watering Hole attacks are extremely difficult to defend against, as your organization is not the primary target of the initial attack at all. Downloading software patches and updates is a mandatory and critical part of cybersecurity, so avoiding patching and updating is simply not an option. Careful management of vendors, to ensure all of your third-party providers maintain good cybersecurity hygiene, is a great start in combating this kind of threat activity. Carefully testing and monitoring your network for unusual activity is also critical, as the first sign of incursion may be when the threat actors try to remove data from your environment. This isn't a guarantee that this form of threat can't impact your organization, but it does help to minimize the likelihood that you will fall victim to it.
Supply-Chain attacks are difficult to stop, and difficult to detect if the threat actors are good at hiding their tracks. Attacks on this scale, however, are generally indicators of nation-state activity, and not something usual or frequent. If you have SolarWinds Orion or any other SolarWinds platform, you should ensure that it is temporarily shut down until a full analysis of the attack can be performed by SolarWinds themselves. While this may be disruptive, the potential for additional repercussions of this attack coming to light over the next several days means that shutdowns - at least temporarily - are necessary and unavoidable. All companies should be using continuously updated testing tools - such as Cymulate - to ensure that they are able to test for the latest threat activity. Cymulate already has an Immediate Threats Intelligence simulation available for SUNBURST, and for many other APT39 methodologies seen in the greater digital sphere. While such a test would not have prevented this attack, tools such as Cymulate can definitely allow businesses to know immediately whether they are susceptible to these attacks once they have been uncovered, and to defend against the threats that are known and are still wreaking havoc throughout the digital world.
With the influx of cyber attacks and a challenging year, Cymulate is offering free continuous risk assessments - including testing to see if the organization is susceptible to the SUNBURST attack - to help organizations plan their security strategy for 2021.
Mike Talon is a Solution Architect living and working in New York City. He’s assisted in disaster recovery and migration, Cloud transformation, and identity and security operations and testing for companies ranging from Mom & Pop retail shops to Fortune 100 global companies. Mike currently works with Cymulate – Breach and Attack Simulation; helping customers find ways to live safely in interesting times.