Cipher Podcast: Breaking Down the 2020 Supply Chain Compromise
Our final podcast episode of the year looks at the immense cyber attack that took place recently. SolarWinds software was hacked, which led to government and private organizations being breached. We look at how it happened and what organizations should do to stay secure.
Visit the Department of Homeland Security websites for more information: https://cyber.dhs.gov/ed/21-01/.
Podcast Episode Transcript
Pete: Welcome everyone, my name is Peter Hackett. I am the Global Program Director for Cipher. In today’s podcast, we are going to provide insight into the ongoing cybersecurity incident that has caught the attention of Information Security professionals from across the world. This episode is part of a series of podcasts which we publish and is intended to educate the public about various cybersecurity topics as well as highlight key capabilities of our company. If you enjoy today’s podcast, I encourage you to subscribe so that you will be automatically notified when we publish future content.
With me today is my colleague Scott Croskey, the Global Chief Information Security Officer for Cipher. Both Scott and I come to you today from Long Island, New York. Scott, how are you doing today?
Scott: I’m good Pete, and you?
Pete: 2020 certainly has been a year for the history books. At the beginning of the year, the world saw a global pandemic that has reshaped the way we live and work. And now as we close out the year, there has been a revelation that an organization, supposedly a nation state, has potentially gained access to over 18,000 companies through a highly sophisticated supply chain attack. Some are calling it potentially the biggest intrusion in our history with an apparent focus on cyber espionage. According to the U.S. Department of Homeland Security, the threat actor has the resources, patience, and expertise to resist eviction from a compromised network and continue to hold affected organizations at risk.
While there are many different conversations that we can have on this topic, I’d like to focus our conversation today on two primary areas. The first part of the conversation will focus on the possible driving factors as to why this activity has occurred, and the second and more technically relevant part of today’s conversation will focus on what organizations should do as they assess and respond to this situation.
Pete: Scott, let’s kick off our discussion today with possible driving factors. What do you believe is going on here? What could this possibly be?
Scott: Well Pete, first off, great introduction. I’d be happy to share my thoughts as to what potentially is going on here. Let’s look at the facts of the situation. First and foremost is the SolarWinds Orion software, which was identified as the source of this sophisticated supply chain attack. A number of organizations have publicly stated that this supply chain attack was used to gain access to their networks. FireEye being the first on December 13. And many other private sector companies quickly followed. Belkin, Cisco, Intel, Nvidia, Microsoft, and VMware in particular. Additionally, we have U.S. Government agencies that have publicly stated they had been breached in this regard. Departments such as the Commerce, Homeland Security, State, Treasury and Energy departments, as well as the National Institutes of Health. We also have a heatmap that was recently released by Microsoft that shows the location of at least 40 organizations that Microsoft has identified as having been exploited via second-stage attacks as part of the SolarWinds Orion supply chain attack. It clearly paints a picture that western nations and corporations were targeted. The overwhelming majority of victims are in the northeast United States (New York, Philadelphia, Baltimore, Washington DC), and then other major U.S. cities such as Chicago, Charlotte, Houston, Austin, Los Angeles, San Francisco, and Seattle. In Europe, we also see victim organizations in the United Kingdom and Israel, among others.
Next, let’s look at the timeline. According to FireEye’s CEO on a recent episode of CBS’s Face The Nation, the SolarWinds Orion code was altered in October 2019, but that the backdoor wasn’t officially added to the production code until March of 2020. Sources also indicate that last October’s effort appeared to be a “dry run,” adding that the attackers’ caution suggested that they were “a little bit more disciplined and deliberate” than the average attacker.
So we clearly have an advanced threat actor here that is well organized and well-funded. There are really only two types of organizations that have this level of sophistication. Cyber criminal groups, and nation states. In the case of cyber criminal groups, their main motivation is to profit and steal. We don’t see any of that happening here. There are no ransoms, there are no scams or threats in this regard. So one would have to reasonably rule a cyber criminal group out. That leaves a possible nation-state actor. If you look at the known victims, they are primarily organizations in the United States and United Kingdom. And finally, just the other day, the US Secretary of State, Mike Pompeo, said, and I quote, “we can say pretty clearly that it was the Russian government.”
So Pete, it’s pretty clear the primary objective of the threat actor here is to conduct cyber espionage activities.
Pete: That’s pretty incredible. It sounds like something out of a spy movie. Ok, so let’s turn our attention now to the bulk of the conversation today.
Pete: What exactly happened here in this supply chain attack? What does that even mean?
Scott: Basically what happened was that this threat actor broke into the SolarWinds network sometime last year and implanted a backdoor in the Orion network monitoring software program built by Texas-based SolarWinds. Essentially they altered the source code to allow the threat actor group to covertly gain initial access into any network that downloaded the SolarWinds Orion update. Unbeknownst to the Orion code developers, they published this malicious code with their own code in their next scheduled version of the software update and digitally signed it as authentic, telling SolarWinds systems to trust the software and install it. This happened in March of 2020. This software patch was subsequently pushed to at least 18,000 of the firm’s customers.
Pete: And what exactly is SolarWinds Orion and why do you think it was selected to be, more or less, a modern day trojan horse for this larger cyber espionage campaign?
Scott: Good questions Pete. So what is SolarWinds? Well, SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network management tools. It’s primarily used by IT administrators to manage all of the various systems and servers on a computer network. In order to provide SolarWinds Orion with the necessary visibility into an organization’s diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with elevated privileges. Because of the number of organizations that use this platform, and considering that it is given nearly full access to manage a computer network, it is a valuable platform for an adversary to trojanize.
Pete: What was this so called “backdoor” that was implanted into this SolarWinds software update and how did it bypass detection by victim organizations?
Scott: What happened was the threat actor added a malicious version of a DLL binary into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This signature allowed for the malicious version to be trusted by companies that it was authentic and in fact came from SolarWinds which should be trusted. Once installed, this binary calls out to a domain on the Internet using a protocol designed to mimic legitimate SolarWinds protocol traffic. According to the Department of Homeland Security Technical Advisories, after the malicious program conducted this initial check-in or beacon, the adversary would then use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for subsequent command and control activities.
Consequently, organizations that observe traffic from their SolarWinds Orion devices to the initial domain, which in this case was avsvmcloud[.]com, well those organizations should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. It just means that they installed the backdoor but it may not have actually been used by the threat actors. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.
Pete: Sounds somewhat complicated, especially if I am managing the IT Infrastructure for an organization. How should organizations evaluate risk in this situation?
Scott: If your organization uses SolarWinds Orion products, you can quickly categorize your risk into three main areas. Also note that if you have a Managed Service Provider, you should also ask them if they use SolarWinds Orion. Their answer may also have an impact on your environment.
So Category 1 is the lowest risk category. This includes those organizations who did not install the malicious version. The malicious versions can be easily identified by going to the SolarWinds website or visiting the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, commonly referred to as CISA. If you fall into this category, you can continue to patch your SolarWinds systems and resume use as determined by and consistent with your internal risk evaluations.
Category 2 includes those organizations who have identified the presence of the malicious version—with or without beaconing to that initial command and control domain, avsvmcloud[.]com. Companies with malicious versions whose vulnerable appliances’ only unexplained external communications are with avsvmcloud[.]com—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
Category 3 is the highest risk category and includes those organizations with the malicious beaconing to avsvmcloud[.]com as well as identified secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020—not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
Pete: How exactly does an organization determine if they are Category 2 versus Category 3?
Scott: Through threat hunting. There are a number of ways to go about this and CISA has very good guidance on how to do so. First and foremost, investigate the SolarWinds instance. They provided instructions in Emergency Directive 21-01 which was issued for US Government agencies, but any organization can view the instructions. It involves conducting digital forensic activity to include analysis of system memory and host operating systems that hosted instances of SolarWinds Orion. As discussed earlier, it also has hunting activity around network traffic, to include analysis of DNS requests. There are also hardening activities as well in the form of disabling certain legacy encryption protocols as well as a few other Microsoft recommendations on remediating certain abused protocols such as Kerberos.
Pete: You mentioned there are other ways as well. We’ve spoken about the MITRE ATT&CK framework in past episodes. How can an organization leverage this framework to conduct threat hunting?
Scott: Great observation Pete. It’s true that the MITRE ATT&CK framework can also be used to conduct threat hunting in this situation. In the CISA advisory, it notes that for victim organizations that the threat actor used this supply chain backdoor to gain further access into their environment, a number of techniques were used. Specifically the threat actor used this backdoor access to create new accounts and establish certain persistence mechanisms such as elevating new accounts into a privileged status, scheduling new tasks and jobs, and even establishing new processes. All of these techniques are detailed in the MITRE ATT&CK framework, specifically technique IDs 1136 (Account Creation), 1078 (Account Elevation), 1053 (Scheduled Task/Job) and 1543 (Create or Modify System Processes). Looking at these techniques in the ATT&CK framework indicates they can be detected through analysis of Windows Event Logs. Assuming your environment has a Security Information & Event Management (or SIEM) set-up to ingest these logs, you can pull reports to detect this type of activity. The Information Technology department will need to review these reports and determine if the activity observed is legitimate or not. Illegitimate activity may indicate you have an issue.
Pete: We’ve also seen reports that this threat actor has attacked organizations through cloud-based techniques. Can you elaborate more on this topic?
Scott: Pete, I think you are talking about the SAML abuse, also referred to as the Golden SAML Attack. Correct?
Pete: Yes that’s correct. Cipher has received many questions from our customers in this regard. What exactly is this?
Scott: So both the National Security Agency and CISA have released advisories on this topic. Basically it’s another initial access vector into a cloud environment this threat actor uses which is separate from initially attacking organizations through the SolarWinds supply chain attack. So it’s not exactly related to SolarWinds, but could be used if the adversary did in fact choose to target an organization’s cloud environment. What happens here is that the Security Assertion Markup Language (SAML) signing certificate is compromised. CISA explained that “once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).” Although in order to successfully leverage this Golden SAML, an attacker must first gain administrative access to the ADFS server and extract the necessary certificate and private key. If accomplished, the adversary can have unauthorized access to virtually any cloud environment of the victim organization, such as full access to AWS or Office 365.
Pete: And I’m assuming there is detailed guidance for cyber defenders on how to detect and mitigate this attack vector.
Scott: Yes. Check out the NSA and Department of Homeland Security websites for specific details.
Pete: Well Scott, thank you for your time; this has been very informative. We hope our listeners walked away today with some valuable information. For any of our listeners who are interested in Cipher services or would like to further discuss this topic, please reach out to us via our marketing department, which can be reached at: [email protected]. Also, if you liked today’s podcast, please subscribe so that you can be automatically notified when we publish our next episode.