First FireEye, then SUNBURST, and after that, SUPERNOVA. Here's why the SUNBURST incident is more alarming than the FireEye hack.

A security company that got hacked is like a doctor who got sick. While everyone is talking about the FireEye incident, "SUNBURST" (or "Solargate") is more dangerous: a cyberattack that required patience, skills, and new thinking. And in all that, it created a wound that we previously overlooked. After the discovery of the SUNBURST malware, SUPERNOVA was revealed by security researchers as another backdoor found in SolarWinds software. This malware is a web shell that allowed attackers to run arbitrary code on machines running the trojanized version of the software. It is already in the news, but mostly for technical people. I want to give a friendlier explanation of why it is alarming and, more importantly, how to prepare for the next attack.

First, they are related. SUNBURST (and SUPERNOVA) is advanced malware that compromised the Orion® Platform of SolarWinds, an IT monitoring software company, according to a FireEye blog post released 13 Dec 2020.

Wait, why was FireEye the one who released the information, not SolarWinds? In short, you can think of SolarWinds as the "upstream" of the attacks, while FireEye is one of the "downstream." When FireEye Inc., a well-known cybersecurity company, discovered that they were hacked this month, their investigators immediately tried to figure out how attackers got past their defenses. It is believed that the discovery was by accident. The investigators realized that it wasn't just FireEye who got attacked; they also discovered a vulnerability in a product made by one of its software providers, SolarWinds Corp.
Technical Background (Simple Version)

According to deep-dive reports published last week by multiple security companies (FireEye, Palo Alto Networks, Fortinet, Microsoft, McAfee, Symantec, Kaspersky) and the US Cybersecurity and Infrastructure Security Agency (CISA):

On infected systems, hackers compromised SolarWinds's Orion IT monitoring and management software with a trojanized version of "SolarWinds.Orion.Core.BusinessLayer.dll." This DLL embeds the SUNBURST malware. Hiding in legitimate software, it was then downloaded through booby-trapped updates via official update channels to over 18,000 computers.

Infected machines would collect information about the infected company's network, then wait 12 to 14 days, and then send it to a remote command and control (C&C) server.

When installed, SUNBURST would execute the following validation steps:

Machine domain name validation. It checks the domain name of the compromised machine to ensure:
- It doesn't contain certain strings.
- It is not a SolarWinds domain.
- It doesn't contain the string 'test'.

It validates that no analysis tools, such as Wireshark, are running.

It also checks to ensure that unwanted security software is not running.

As you can see, SUNBURST is malware with the intelligence to check if it could successfully bypass security measures. If all of the validations are completed, it calls "home" to the attacker and sends information to identify the breached organization.

There are victims across different sectors: cybersecurity firms such as FireEye, and local governments, schools, hospitals, banks, and telecom companies. And the worst part is, the list is still growing. Big tech companies like VMware and Microsoft also confirmed installing the trojanized updates on their internal networks. Fortunately, they also specified that they did not find any evidence of escalation from the attackers.

From the quality of the threat design, the range of techniques used, and the nature of its victims, this was a nation-state scale attack for sure.
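The behaviour described above gives a defender three things to look for in telemetry they usually already have: the trojanized DLL name appearing in module-load events, DNS queries to the C&C domain that FireEye's killswitch statement names (avsvmcloud[.]com), and the 12 to 14 day gap between the DLL appearing and the first beacon. The following is an added example written for this post, not code from the original article or from any of the vendors it cites. The log format, host names, timestamps and the C&C subdomain label are all constructed; only the DLL file name and the C&C domain come from the reports quoted above.

```python
"""
Added example: apply the SUNBURST behaviour described in the post to
constructed log lines. Only the DLL name and the C&C domain are taken from
the reports the post cites; everything else is made up for the example.
"""
from datetime import datetime, timedelta

TROJANIZED_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"  # DLL named in the reports
C2_DOMAIN = "avsvmcloud.com"                                # domain named in FireEye's killswitch note
DORMANCY = (timedelta(days=12), timedelta(days=14))         # quiet period described in the post

# Constructed sample telemetry, one event per line:
#   <ISO timestamp> <host> <event type> <value>
# The avsvmcloud.com subdomain label is invented for the example.
SAMPLE_LOG = """\
2020-11-20T09:12:03 orion01 module_load C:\\Program Files\\SolarWinds\\Orion\\SolarWinds.Orion.Core.BusinessLayer.dll
2020-11-20T09:13:10 orion01 dns_query updates.vendor.example
2020-12-03T14:41:55 orion01 dns_query constructedlabel.avsvmcloud.com
2020-11-21T08:00:00 build07 module_load C:\\Tools\\other.dll
2020-11-21T08:05:00 build07 dns_query updates.vendor.example
"""


def parse(line):
    """Split one constructed log line; the value may contain spaces (paths)."""
    ts, host, event, value = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, value


def is_c2_query(name):
    """True for the C&C domain itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def analyse(log_text):
    """Return {host: [findings]} for hosts showing any SUNBURST indicator."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, value = parse(line)
        rec = hosts.setdefault(host, {"dll_load": None, "c2": []})
        if event == "module_load" and value.lower().endswith(TROJANIZED_DLL.lower()):
            # keep the earliest time the trojanized DLL was seen on this host
            rec["dll_load"] = min(ts, rec["dll_load"]) if rec["dll_load"] else ts
        elif event == "dns_query" and is_c2_query(value):
            rec["c2"].append(ts)

    findings = {}
    for host, rec in hosts.items():
        found = []
        if rec["dll_load"]:
            found.append("trojanized_dll_loaded")
        if rec["c2"]:
            found.append("c2_domain_queried")
            if rec["dll_load"]:
                # first beacon 12-14 days after the DLL appeared matches the described dormancy
                gap = min(rec["c2"]) - rec["dll_load"]
                if DORMANCY[0] <= gap <= DORMANCY[1]:
                    found.append("dormancy_window_beacon")
        if found:
            findings[host] = found
    return findings


if __name__ == "__main__":
    for host, found in analyse(SAMPLE_LOG).items():
        print(host, ", ".join(found))
```

The dormancy check is deliberately a third, separate finding: a host that queried the C&C domain is worth investigating regardless of timing, and a host that loaded the DLL but never beaconed may simply have failed one of the malware's own validation steps listed above, which is exactly the kind of host that the later "additional persistent mechanisms" mentioned in FireEye's statement would make important to review by hand.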
The malware was thoroughly crafted and secretly embedded in upstream suppliers' legitimate software to finally hack the high-value assets downstream.

Implications

I read report after report. These are, from a security design perspective, beautiful attacks. It requires years of dedicated study of the targets (probably with someone working with, or from, the inside), the patience to find a way to bypass the monitoring of security analysts, and the skills to hide the code from the developers.

Conceivably the most alarming characteristic of the SUNBURST attack was how it propagated itself by installing itself as part of SolarWinds' regular distribution and update operation. This is the perfect storm, made much more influential by today's security policies of automation and fast patching.

The problem of trust again, but in a different way of thinking

Knowing which companies are the SUNBURST victims won't help explain the extent of the damage done, as the scale of the attacks is so extensive and involves too many heterogeneous IT infrastructures from various supply chains. It does, however, highlight the fundamental problem of trust.

Supply-chain attacks rely on trust between suppliers and customers. There is no defense customers can implement against a compromised vendor or supply chain that transfers legitimate code or services that are, in fact, jeopardized. Regular measures, such as checksums and hashes, only work if the reference (upstream) isn't ravaged. If you consider signed code, it is solely a special case of the concept of a chain of trust (signing is built on trust). Though open-source software is more resilient, in proportion to its community's size and interest, it is still not immune to such attacks.

The Mitigations

You and your colleagues are probably preparing for the holiday; security professionals should know that this will not be the last one, and hackers will not take annual leave.
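The chain-of-trust point above (hashes and signatures only tell you the artifact is what upstream shipped, not that upstream was intact) is easy to state and easy to forget when an update pipeline is automated. The following is an added example written for this post, not code from the original article, SolarWinds or FireEye, and it also illustrates the staging and change-control gate that the Process Pillar below recommends. Its assumptions: the vendor's "signature" is an HMAC over the release hash (a stand-in for a real code-signing certificate; the trust argument is identical), the release bytes, domain names, soak period and change record are all constructed, and the minimum soak of 14 days is taken from the 12 to 14 day dormancy the post describes.

```python
"""
Added example: a signed update passes signature verification even when the
build was trojanized upstream, so the gate relies on checks the vendor does
not control: behaviour in segmented staging and a change-control approval.
Keys, artifacts and destinations are constructed for the example.
"""
import hashlib
import hmac

VENDOR_SIGNING_KEY = b"vendor-release-key (constructed)"  # held upstream, at the vendor
MIN_SOAK_DAYS = 14  # assumption: staging must outlast the 12-14 day dormancy described in the post


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign(release: bytes) -> dict:
    """What upstream publishes. A compromised build pipeline signs a
    trojanized artifact exactly as readily as a clean one."""
    digest = sha256(release)
    sig = hmac.new(VENDOR_SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"artifact": release, "sha256": digest, "signature": sig}


def verify_vendor_signature(pkg: dict) -> bool:
    """Customer-side check: hash matches and signature is the vendor's.
    This proves provenance from upstream, nothing about upstream's integrity."""
    expected = hmac.new(VENDOR_SIGNING_KEY, pkg["sha256"].encode(), hashlib.sha256).hexdigest()
    return sha256(pkg["artifact"]) == pkg["sha256"] and hmac.compare_digest(expected, pkg["signature"])


def update_gate(pkg: dict, change_record: dict, expected_egress: list) -> tuple:
    """Decide whether an update may leave staging for production.
    Returns (allowed, reasons). Each check is independent of the others."""
    reasons = []
    if not verify_vendor_signature(pkg):
        reasons.append("vendor signature invalid")
    # Zero-trust view of the trusted process: any destination the update
    # contacted in staging that the vendor does not need is a finding.
    unexpected = set(change_record.get("staging_egress", [])) - set(expected_egress)
    if unexpected:
        reasons.append("staging egress to unexpected destinations: " + ", ".join(sorted(unexpected)))
    if change_record.get("staging_days", 0) < MIN_SOAK_DAYS:
        reasons.append("staging soak shorter than the observed dormancy window")
    if not change_record.get("approved_by"):
        reasons.append("no change-control approval")
    return (not reasons, reasons)


# Constructed releases: the trojanized one is the clean one plus injected code.
CLEAN = b"Orion.Core.BusinessLayer v1 -- clean build (constructed)"
TROJANIZED = CLEAN + b" + injected backdoor class (constructed)"
EXPECTED_EGRESS = ["updates.vendor.example"]  # constructed vendor update host


def walkthrough() -> dict:
    """Run the scenarios the post's argument needs and return the verdicts."""
    signed_trojan = vendor_sign(TROJANIZED)
    short_soak = {"staging_days": 3, "staging_egress": ["updates.vendor.example"], "approved_by": "ops"}
    long_soak_beacon = {"staging_days": 16,
                        "staging_egress": ["updates.vendor.example", "beacon.attacker.example"],
                        "approved_by": "ops"}
    good_record = {"staging_days": 16, "staging_egress": ["updates.vendor.example"], "approved_by": "ops"}
    return {
        "trojanized_passes_signature": verify_vendor_signature(signed_trojan),
        "trojanized_short_soak": update_gate(signed_trojan, short_soak, EXPECTED_EGRESS),
        "trojanized_long_soak": update_gate(signed_trojan, long_soak_beacon, EXPECTED_EGRESS),
        "clean_good_record": update_gate(vendor_sign(CLEAN), good_record, EXPECTED_EGRESS),
    }


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(name, verdict)
```

Two things the walkthrough makes concrete. First, the trojanized build passes the signature check, which is the whole point of the paragraph above: signing moves the question to "do I trust upstream", it does not answer it. Second, a staging soak shorter than the malware's dormancy window sees nothing and would have waved SUNBURST through, so the behavioural check only earns its keep when the soak period and the egress allowlist are both in place, and change control is what stops an automated channel from skipping them.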
What is more important is to learn from it and prepare not to be the next SolarWinds or FireEye. To achieve that, it is a good time for me to re-introduce the Security Mindset when talking about mitigation (see my earlier post on medium.com: Integrating Security Mindset with PPT Framework, a reintroduction of the 3 Pillars of Security concept).

Technology Pillar

Security vendors are catching up, and most of them have already released counter-measures for SUNBURST. FireEye released countermeasures on GitHub last week that can identify the SUNBURST malware, including Indicators of Compromise (IOCs) and MITRE ATT&CK techniques. In a statement, FireEye, in collaboration with GoDaddy and Microsoft, released information about a killswitch:

"As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate. This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor."

To detect malware such as this, we may need a dynamic analysis tool like sandboxing in dedicated isolation. But hackers also know about it and have developed malware with sandbox-aware validations. It then becomes a cat-and-mouse game between offense and defense.

The first and second stages of impact could be reduced soon with the joint efforts of the communities. Yet relying on tools and advanced technology is only effective DURING the incident. While I am in line with most security vendors that we need to develop more innovative PDC (Prevent — Detect — Correct) solutions, "Adapt" cannot be left out of the picture. Adaptation helps us respond better next time. In the Technology Pillar, as this time the software defects are already present, the fixes can only be applied to the last attack.
How to adapt to a more appropriate response to the next war is more valuable. That's why we should shift our focus to the other two pillars.

Process Pillar

Vendors and partners become the possible targets and a new way to penetrate. Hackers would try to get access to your company using the already established highways. Attacks related to the supply chain rose 38% since the start of the pandemic, as reported by Bitdefender (a security vendor). This, in fact, is a wake-up call for security professionals to truly see what was missing in the past.

All update processes from vendors should be reviewed, and consider whether monitoring is in place. Trust between vendors should not be taken for granted. Automation and patching were originally incorporated in the best practice of security operations; now efficiency becomes the weapon. Therefore, implementing the concept of "Zero-Trust" into security designs becomes necessary. Palo Alto Networks presented it clearly:

"The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users — including threat actors and malicious insiders — are free to move laterally and access or exfiltrate whatever data they are not limited to."

Remember, the point of infiltration of an attack is often not the target location. Segmentation of a development environment for testing updates and patches from the production network should become the norm. Implementing change control in update channels for live files maintains a higher resilience against external sources. While keeping a tab on the trusted processes is resource-demanding, no one will underestimate its importance after SUNBURST. With careful selection of data collection points, focusing on trust, building a tracking system need not be as resource-hungry as the traditional log collection methodology.

It is as essential as internal procedures to reassess key partners' risk. It is worth considering reaching out to the company's ecosystem
to ensure both internal teams and partners are still meeting all compliance requirements.

People Pillar

As mentioned in the Technology Pillar, the SUNBURST malware was splendidly obfuscated, fastidious in its use of steganography and diversion layers. The hackers understand well the IT infrastructures of enterprises and the psychology of developers and operators. That is why it could bypass layers of security defense in SolarWinds, from hiding from the developers' code review to not triggering alerts in the behavior analysis of the security operations team.

As a result, SUNBURST will produce another round in the arms race between hackers and cybersecurity researchers. No one is immune, but that does not mean we are hopeless. It is just like how we handle COVID-19. Giving you a pill to cure Covid may not help you prevent the variants, as the virus is mutating. Preventing infections is still the best way to minimize the impact. We thus introduce the concepts of social distancing and frequent hand-washing. We keep washing our hands over the fear of the deadly viral pandemic, yet fail to do basic things for our cyber self, like installing security updates and using strong passwords. Regarding cybersecurity, what we need is a new way of thinking and the introduction of "Cyber-Hygiene."

Cyber-Hygiene

Raising awareness of the importance of cyber hygiene goes a long way. Until you get the security basics right, all the fancy and most advanced technology in the world cannot protect us from cyber-attacks. This fundamentals-first strategy is no surprise to experienced security professionals. Keeping the attack surface minimal, continuing education, full visibility into the system, and patching and updating... these are all the basics. Meanwhile, we have relied heavily on advanced threat detection tools and AI-assisted SOCs; that indicates the usefulness of those techniques, but they do not help remove the cybersecurity risks.
To put it in simple terms, good cybersecurity hygiene should be the real "Silver Bullet" that can dramatically reduce the risk of the weakest link in the picture (the people pillar).

Final words

SolarWinds Orion's infected software updates are only the most recent example of software supply chain attacks. Before that, there were attacks such as NotPetya and Havex. Adversaries and ransomware groups will not wait too long in mounting their own software supply-chain attacks, as they have many vendor targets to choose from.

Absolutely, we need to reconsider the growth of automated, continual distribution and patch practices that bring up security issues in the dynamic and conflicting cybersecurity environment. We need to rethink the balance between frictionless continuous deployment and layered security, with verification in mind. Not just in how to fight this war, but in designing for resilience: how to model the chain of trust and verification processes with a security mindset, from internal systems to the vendor and across the complete supply chain.

To cheer you up at the end of this story, we all know that we have had to adapt and grow to overcome new security problems at every stage in our evolution, with self-correction capabilities. The best aspect of SUNBURST, or the latest SUPERNOVA incident, which will become old news like the others over time, is that it is a highly evolved, real tragedy of substantial impact. As cybersecurity professionals, on the side of the good guys, we have to evolve ourselves by learning from this cyber-attack campaign, which was well-planned with years of effort; we must devote similar resources to our defenses.

Thank you for reading — happy reading, and prepare well not to be the next SolarWinds. To know more about SUNBURST, please refer to the official statement and CISA Alert (AA20-352A).