The COVID-19 pandemic defined 2020, but the year brought other significant moments as well, one of the most notable being the rise in supply chain attacks, with the SolarWinds Orion security breach at the center of it. The CISA (Cybersecurity & Infrastructure Security Agency) security bulletin, and the frenzied panic it created industry-wide, will be remembered well into the future. What makes this breach so unique? Many would point to how sophisticated the attack was and how it went undetected for months.
The Quickest Summary Ever
In December 2020, CISA announced an “Active Exploitation of SolarWinds Software” (found online here). The CISA announcement links to the FireEye advisory that uncovered the supply chain attack, which compromised multiple global victims with the SUNBURST backdoor. The FireEye GitHub repository provides countermeasures, including signature-based detection mitigations. Although helpful, these mitigations are not enough to prevent future breaches of the supply chain. An Advanced Persistent Threat (APT) actor, currently suspected to be of Russian origin, was able to compromise government and nongovernment entities through the SolarWinds software. The actor infiltrated the software platform’s update mechanism and, through it, every device that requested updates, making this a supply chain attack after all.
How Bad?
CISA’s alert labeled “SUPPLY CHAIN COMPROMISE” [2] will grab anyone’s attention. In its announcement, CISA warns: “This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.” [1] Multiple government agencies are collaborating internationally through a newly formed task force, the Cyber Unified Coordination Group (UCG). When that many federal agencies coordinate, you know it’s a significant event.
Mitigation and Detection
At this point the risk is ongoing, and no remediation is available if you’re running the affected software versions. While no one has all the answers for addressing supply chain attacks (yet), mitigation and detection options do exist. CISA released a tool called Sparrow [3] to assist with detection in the Azure/M365 environment; the required permissions are listed in the GitHub repository. We can also learn from the events of 2020 to help future-proof ourselves. For one, the CISA alert bulletins helped reshape how we view the supply chain and inform our vigilance:
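To make concrete what “signature-based detection” means here, and why the post calls it helpful but insufficient, the following is an added example (not code from CISA, FireEye or SolarWinds). It hashes every file under a directory and flags files whose SHA-256 appears in a known-bad list, which is how a hash indicator from a vendor advisory would be consumed. The directory, file contents and indicator list are constructed placeholders for the demo, not real SUNBURST indicators; the `Orion` folder name is only a label.

```python
"""Minimal signature-based indicator check, added as an illustration.
It hashes every file under a directory and flags files whose SHA-256 is in a
known-bad list. All paths, contents and hashes below are constructed for the
demo; they are not real SUNBURST indicators."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# hash -> signature name
IocList = Dict[str, str]


def sha256_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: IocList) -> List[Tuple[str, str]]:
    """Return (relative path, signature name) for every file whose hash
    matches an indicator, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_of_file(full)
            if digest in iocs:
                hits.append((os.path.relpath(full, root), iocs[digest]))
    return sorted(hits)


def run_demo() -> Tuple[List[Tuple[str, str]], int]:
    """Build a constructed tree with three files and scan it.
    Returns (hits, number_of_files_scanned)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    bin_dir = os.path.join(root, "Orion")  # constructed folder name
    os.makedirs(bin_dir)

    # Constructed placeholder content standing in for a trojanized library.
    trojan_bytes = b"PLACEHOLDER: trojanized library bytes\n"
    # The same placeholder with one byte altered, i.e. a rebuilt variant.
    variant_bytes = trojan_bytes.replace(b"bytes", b"Bytes")
    benign_bytes = b"PLACEHOLDER: unmodified library bytes\n"

    for name, data in (("lib.dll", trojan_bytes),
                       ("lib_variant.dll", variant_bytes),
                       ("helper.dll", benign_bytes)):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(data)

    # Constructed indicator list: only the exact placeholder sample is known.
    iocs: IocList = {
        hashlib.sha256(trojan_bytes).hexdigest(): "PLACEHOLDER.trojanized_lib",
    }
    total = sum(len(files) for _, _, files in os.walk(root))
    return scan_tree(root, iocs), total


if __name__ == "__main__":
    found, count = run_demo()
    print(f"scanned {count} files, {len(found)} hit(s)")
    for rel, sig in found:
        print(f"  {rel}: {sig}")
```

The point of the `lib_variant.dll` file is the caveat: a one-byte change gives a different hash, so the exact-match signature catches `lib.dll` and misses the variant. That is why hash indicators are useful for confirming a known compromise but do not, on their own, prevent the next one.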
Pivoting
When you’re working in a red team situation, exploring vulnerabilities to build the proper payload for your attack, you’re likely to find other weak points or exploitable areas during the various phases of the process. Once your payload succeeds, the next step is covering your tracks while also finding a way to maintain access and to find other weaknesses now exposed by your elevated access.
Why is this important? It shows that training, through blue team scenarios and active red team exercises, helps discover these threats in environments. But it also exposes vulnerabilities within the global supply chain on a scale unseen before. FireEye and SolarWinds are both international companies, and if they can be breached, it may well mean that many others have already been breached and remain unaware.
[1] CISA. December 2020. Supply Chain Compromise. Retrieved from https://www.cisa.gov/supply-chain-compromise
[2] CISA. January 5, 2021. Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved from https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
[3] CISA. December 2020. Sparrow (remediation tool). Retrieved from https://github.com/cisagov/Sparrow
CISA. January 2021. Actions for Today, Insights. Retrieved from https://www.cisa.gov/insights