Tech ramblings by Marcin

SolarWinds supply chain attack

2024-04-07 00:00


Some time ago, I read a good writeup about the SolarWinds incident that happened in 2020. You can get to that article by clicking this link. The article is well written and profiles several of the people involved in solving the case. A really enjoyable piece.

This blog post sums up the incident from the technical perspective and also goes deeper into multiple aspects of it, using data taken from different sources.

Note: Another, more recent supply-chain attack is the xz backdoor. You can read more on https://www.ciemnastrona.com.pl/cyfrowy_feudalizm/2024/03/31/xz-backdoor.html and https://gynvael.coldwind.pl/?lang=en&id=782

What kind of company is SolarWinds?

SolarWinds’ main areas of expertise are network monitoring and auditing. They produce software to facilitate that. Their deployments

Orion is a performance monitoring solution that tracks the status of the IT environments of SolarWinds' Orion customers. It has privileged access to gather performance data and other information from logs generated by customer IT assets.

By compromising Orion, attackers gain the same level of access to the infrastructure as the service itself has, which is very wide. Moreover, the Orion software holds a database of access credentials for the specific company it is deployed in. The attackers accessed the company's whole network by gaining access to the Orion software.

Timeline

The timeline of this whole attack:

  1. September 2019 - attackers gain access to SolarWinds network
  2. October 2019 - start testing malware injection
  3. February 2020 - inject malicious code (Sunburst) into Orion - a major component of SolarWinds software
  4. March 2020 - SolarWinds started distributing Orion updates

Why is this hack interesting?

The malicious code injected into Orion was

According to Microsoft, hackers acquired superuser access to SAML token-signing certificates.[56] This SAML certificate was then used to forge new tokens to allow hackers trusted and highly privileged access to networks.

The source of the hack was rather hard to find. According to news reports, it was only thanks to some CI system images that had not been deleted that investigators could extract and inspect them, and only there could they find the malicious code. So it was found only because the cache had not been cleared.

Other than that, the nature of the attack was rather a standard supply chain attack, although very sophisticated.

Due to the attack vector, the malicious software was signed with legitimate SolarWinds keys, presenting itself as a genuine piece of software from the vendor. The injection point for this code was the build server. To be precise, the code was injected after the build happened on the CI worker but before the code was packaged and signed.

The injection resulted in a change to one of the DLL files from the project.
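One defensive control aimed at exactly this gap between build and signing, as an added example that is not code from the original post or from SolarWinds: hash every build artifact the moment compilation finishes and refuse to sign if anything changed, appeared or vanished before the signing step. The file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    # SHA-256 read in chunks so a large DLL is not loaded into memory at once
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_outputs(build_dir: Path, patterns=("*.dll", "*.exe")) -> dict:
    # Record a hash per artifact the moment compilation finishes
    manifest = {}
    for pattern in patterns:
        for p in sorted(build_dir.rglob(pattern)):
            manifest[str(p.relative_to(build_dir))] = hash_file(p)
    return manifest

def verify_before_signing(build_dir: Path, manifest: dict) -> list:
    # Re-hash right before packaging/signing and report anything that changed,
    # appeared or vanished in between; an empty list means it is safe to sign
    current = snapshot_outputs(build_dir)
    problems = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            problems.append(f"missing: {name}")
        elif name not in manifest:
            problems.append(f"unexpected new artifact: {name}")
        elif current[name] != manifest[name]:
            problems.append(f"modified after build: {name}")
    return problems

def demo():
    # Constructed scenario: a clean build, then one DLL rewritten between
    # the build step and the signing step (file names are made up)
    with tempfile.TemporaryDirectory() as tmp:
        build_dir = Path(tmp)
        dll = build_dir / "Example.Component.dll"
        dll.write_bytes(b"compiler output")
        (build_dir / "Example.exe").write_bytes(b"compiler output 2")
        manifest = snapshot_outputs(build_dir)
        clean = verify_before_signing(build_dir, manifest)
        dll.write_bytes(b"compiler output" + b"<implanted bytes>")
        tampered = verify_before_signing(build_dir, manifest)
        return clean, tampered

if __name__ == "__main__":
    print(demo())  # ([], ['modified after build: Example.Component.dll'])
```

For this check to mean anything, the manifest has to leave the build worker (for example, be recorded by the build step and checked by a separate signing host), otherwise whoever controls the worker can rewrite both the DLL and the manifest.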

Perpetrators

Who would organize such an attack? It seems it’s Russia’s doing.

According to Wikipedia:

APT29, aka Cozy Bear, working for the Russian Foreign Intelligence Service (SVR), was reported to be behind the 2020 attack

Commentary

“From a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Microsoft President Brad Smith told U.S. broadcaster CBS’ “60 Minutes”.

Interesting videos to watch (in Polish)