The SolarWinds hack and the constant stream of revelations about the tools and tactics used make a good case study, even though more than a year has passed since the event (and the attackers had other targets as well).
What draws attention to our topic (Zero Trust) is the involvement of Greg Touhill, chairman of the Appgate Federal Group, who said that he was not surprised by the SolarWinds event, only disappointed.
He was already fully committed to a Zero Trust strategy and was extremely concerned about the integrity of the supply chain for the products and services of the company where he worked.
What is important to note is that he and his working group had identified numerous risks in the existing supply chain, especially the insertion of malware or a backdoor at the level of a provider (that is, an external entity, one that cybersecurity policies address only to a certain extent).
They even anticipated the risk of a threat actor entering a provider's software development lifecycle and deliberately introducing a backdoor.
So we are talking about a real presence inside the existing network, without even counting the other organizations that were hit by the attackers (whether or not they used the SolarWinds platform).
But let's see how the events unfolded, to understand the process as a whole...
Researchers at CrowdStrike have documented Sunspot, the malware the SolarWinds attackers used to introduce the Sunburst malware into the company's software.
SolarWinds also revealed a new timeline for the incident and disclosed two customer support incidents believed to be related to Sunburst malware deployed on customer infrastructure; the investigations at the time did not determine or identify the presence of the malicious Sunburst code, while the attackers were testing their operations and code.
Then researchers at Kaspersky Lab discovered several similarities between the Sunburst malware and Kazuar, a .NET backdoor first reported by Palo Alto in 2017 and linked to the Turla APT group (believed to be sponsored by the Russian state).
The timeline of the attack on SolarWinds' Orion platform says it all...
04.09.2019 – The Threat Actor (TA) accesses SolarWinds;
12.09.2019 – TA injects test code and begins running tests;
04.11.2019 – Testing of the injected code is completed;
20.02.2020 – Sunburst is compiled and downloaded;
26.03.2020 – Hotfix and .dll available to customers;
04.05.2020 – TA removes the malware from the build VMs (virtual machines);
12.12.2020 – SolarWinds is notified of Sunburst;
14.12.2020 – SWI files Form 8-K and notifies shareholders and customers;
15.12.2020 – SWI releases the software fix;
17.12.2020 – The US-CERT alert is issued... and it all went on from there...
So we are dealing with a long, well-structured presence of the APT (Advanced Persistent Threat) type. Even for experts, the process is almost impossible to identify (which justifies this analysis in support of Zero Trust)...
"When Sunspot finds an MsBuild.exe process (part of the Microsoft Visual Studio development tools), an instance will appear to determine if the Orion software is being built and, if so, hijack the build operation to inject Sunburst. The monitoring loop runs every second, allowing Sunspot to modify the target source code before it is read by the compiler."
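The build hijack described in the quote above suggests the defender's counter-check: hash the source tree at checkout, hash it again immediately before the compiler reads it, and fail the build if anything differs with no corresponding commit. The script below is an added example written for this post, not CrowdStrike's or SolarWinds' code; the file extensions, directory layout and sample files are assumptions constructed for the demonstration.

```python
"""Source-tree integrity manifest: detect source tampering between checkout and compile.

Added example (not CrowdStrike's or SolarWinds' code). It assumes the build
pipeline can snapshot the source tree at checkout and again right before the
compiler runs; a file that changed between those two points, with no commit
explaining it, is a tampering indicator worth failing the build on.
"""
import hashlib
import json
import os
import tempfile

# Assumed set of .NET build inputs worth tracking; adjust per project.
SOURCE_EXTENSIONS = (".cs", ".csproj", ".sln", ".targets", ".props")


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, extensions=SOURCE_EXTENSIONS) -> dict:
    """Map every tracked source file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of_file(full)
    return manifest


def compare_manifests(trusted: dict, observed: dict) -> dict:
    """Return the added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(observed) - set(trusted)),
        "removed": sorted(set(trusted) - set(observed)),
        "modified": sorted(p for p in trusted if p in observed and trusted[p] != observed[p]),
    }


def is_clean(diff: dict) -> bool:
    """True when nothing changed between the two snapshots."""
    return not (diff["added"] or diff["removed"] or diff["modified"])


def demo() -> dict:
    """Constructed scenario: snapshot at checkout, then one source file is
    altered just before compilation, which is the window Sunspot exploited."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "Core.cs"), "w") as f:
            f.write("public class Core { }\n")
        with open(os.path.join(root, "src", "Orion.csproj"), "w") as f:
            f.write('<Project Sdk="Microsoft.NET.Sdk" />\n')
        with open(os.path.join(root, "README.md"), "w") as f:
            f.write("not a build input, so not tracked\n")

        trusted = build_manifest(root)  # snapshot taken at checkout
        # Simulated change between checkout and compile (constructed, benign).
        with open(os.path.join(root, "src", "Core.cs"), "a") as f:
            f.write("// line that was not in the checked-out file\n")
        observed = build_manifest(root)  # snapshot taken right before the build
        return compare_manifests(trusted, observed)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("build may proceed" if is_clean(result) else "ABORT: source tree changed before compile")
```

In a real pipeline the trusted manifest would be produced on a separate, locked-down checkout step and handed to the build step out of band, so that a process with write access to the build host cannot rewrite both the sources and the manifest.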
What is interesting is the overlap between Kazuar and Sunburst, which use the same algorithm to calculate how long the malware remains dormant before making a new connection to the server, the same hashing algorithm for string obfuscation, and the same algorithm for generating unique victim identifiers.
The same seems to be the case with the Cobalt Strike component involved, which apparently shares a development origin and the same initialization.
So it is quite clear that we are dealing either with the same people, who have developed the initial malware over time, or with people who were inspired by it and carried the development forward.
The researchers also shared a series of tactics, techniques, and procedures (TTPs) used by the attackers to ensure the malware's persistence, to ensure that the code manipulation would not cause compilation errors, and to minimize the chance of SolarWinds detecting their presence and actions.
And Touhill considers that implementing a Zero Trust security model is essential to better protect data, reputation, and mission against all types of attackers.
But this is where the confusion about Zero Trust architecture begins.
Although implementing Zero Trust is a good start, it is recommended to also deploy the best modern security strategies and technologies, such as software-defined perimeter (SDP), single packet authorization (SPA), micro-segmentation, DMARC (for e-mail), identity and access management (IDAM), and others.
At first glance, these initial decisions are tied to the old cybersecurity techniques and strategies. But is that right?
Zero Trust is just a strategy, nothing more, which obviously rests on the old techniques and practices but gains consistency only through the subsequent policies and the permanent effort of identification and action.
In our example, the SDP approach was recommended because it is an effective and safe technology for secure remote access. Demand for such access keeps growing as the traditional office work environment pivots to a general one, working from anywhere (for reasons of efficiency, the pandemic, etc.).
Meanwhile, virtual private network (VPN) technology, the original technology for secure remote access, is proving increasingly fragile and is successfully attacked more and more frequently (partly due to its age of over 20 years).
To all this is added the explosion of BYOD risk, which arises as a necessity of adapting to the new working structures.
Then came the problems related to the impossibility of fully configuring the devices used by members on the respective networks, the problems caused by older devices and/or operating systems, etc.
And there would be a lot more to say, but next week...
SolarWinds hack investigation reveals a new Sunspot malware (link).
Zero Trust: A solution to several cybersecurity issues (link).
Dorin M, January 7, 2022