Understanding Solarwinds, Microsoft Windows, VMware Attack of 2020
An introduction of the supply chain attack caused in the Orion update protocol of the Solarwinds network management software suite of 2020.
Microsoft identifies 40+ victims of SolarWinds hack (Source: Microsoft)
Though it gained notoriety in December of 2020, the attack was perpetrated in March. The breach of around 18,000 sites all across North America and even outside has been christened Sunburst, unc2452, or Dark Halo.
What made this attack noteworthy, was that no network was brought down, no resources were utilized or abused. The goal of the intrusion was to gain unlawful access to a wide variety of high sensitivity locations including US defense and telecom companies, gaining access to their email and other confidential information. In order to achieve this goal, a family of malwares were created including TEARDROP, BEACON, and others.
How did the malicious actors gain access? Initially, a signed and trusted Microsoft Windows Dynamic Link Library (DLL) was infected with around 4000 lines of attack code. This was pulled as an update across the network. Then using a domain generation algorithm (DGA) and using local IP address blocks, a command and control (C2) server was created. This allowed commands to be sent using REST API and JSON payloads. The attackers leveraged steganography to cloak JSON traffic, allowing it to appear legitimate but it contained attack commands coming from C2, very cleverly encoded as to evade detection. More impressive was the manner in which the attackers tried to erase their traces of illegitimate activity and evade detection.
The attack code was created dynamically, it would execute and be replaced with the original benign executable with the correct checksum. It was not until Fireeye was targeted, that this attack was detected and the alarm was raised. Moreover, the devious method in which the malware families were quietly camouflaged to not raise suspicion is the most interesting part of this compromise.
Typically, attacks happen when there are gaping security holes to be exploited by attackers. When the software running on premises is not the latest, up to date version, patched from remote servers. But in this case the attack happened due to an update that was not checked by Solarwinds for correctness and was accepted by machines as valid updates.
Some bugs in the Windows multi factor authentication as well as VMWare were exploited to the attacker’s advantage. Without these, the attack would not have achieved the lateral movement it did, making other connected systems vulnerable. Nowadays, in the interconnected world of networks, with all machines talking to the Internet in various ways, no attack can be contained and it is near impossible to predict where the compromised software will spread.
To audit this and identify the extent of the breach is a topic in and of itself. Fireeye has released a myriad of yara and snort rules in their github repository to identify and patch the attacked systems. With Volexity and Crowdstrike releasing their own advisories on the attack. Microsoft has released the worldmap (above) with a list of countries affected and it appears only Russia and Greenland are safe, interesting….
It could be argued that this attack was one of the most successful and well coordinated compromises affecting an incredibly large user base in cybersecurity history, as it infected around 18000 installations. In future blogs we will dive into the specifics of the attack.
Did you enjoy this content? Follow our linkedin page!