Picus Security has just released their Key Findings on the SolarWinds Breach Supply Chain Compromise, here are the main points:
- It is a global attack campaign that started in March 2020 and is ongoing.
- The attack campaign has the potential to affect thousands of public and private organizations.
- The attack started with a software supply chain compromise attack.
- Threat actors trojanized a component of the SolarWinds Orion Platform software, dubbed as SUNBURST by FireEye .
- The backdoored version of the software was distributed via its automatic update mechanism.
- Attackers heavily used various defense evasion techniques such as masquerading, code signing, obfuscated files or information, indicator removal on host, and virtualization/sandbox evasion.
- The threat actor leverages ten different MITRE ATT&CK tactics, including Lateral Movement, Command and Control, and Data Exfiltration.
- Used techniques indicate that the threat actors are highly skilled.
SolarWinds came under scrutiny yesterday after announcing on Sunday that the SolarWinds Orion Platform network monitoring product had been modified by a state-sponsored threat actor via embedding backdoor code into a legitimate SolarWinds library. This leads to the attacker having remote access into the victim’s environment and a foothold in the network, which can be used by the attacker to obtain privileged credentials. SolarWinds breach is also connected to the FireEye breach. In this article, we analyzed tactics, techniques, and procedures utilized by threat actors of the SolarWinds incident to understand their attack methods and the impact of this breach.
Supply chain attacks that target vendors as a way to reach the intended victims have grown increasingly popular in recent years, largely thanks to their ability to stay hidden for a significant amount of time. If you’re a SolarWinds Orion customer, heed their advice and install the updates from the SolarWinds Customer Portal as quickly as possible to mitigate this threat.
In the SolarWinds Orion breach, adversaries embedded malicious code into a SolarWinds library file, SolarWinds.Orion.Core.BusinessLayer.dll. According to SolarWinds security advisory, attackers backdoored three versions of the Orion Platform software: 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1.
However, it is not clear how attackers could tamper this file. According to Microsoft's research, adversaries might have compromised and manipulated build or distribution systems and embedded malicious code . Another claim is that attackers might have uploaded the malicious DLL file to the source code repository of SolarWinds using leaked FTP credentials.
The backdoored SolarWinds Orion Platform software update file that includes the malicious DLL file was distributed via its automatic update mechanism.
You can read the full release here: