Yana Blachman at Venafi explains why the SolarWinds hack was predictable and what software developers need to do to defend against similar attacks.
The SolarWinds hack is one of the most prolific cyber-attacks in recent history, with devastating results and potential insurance losses estimated at more than $90 million. The adversaries – widely regarded to be Cozy Bear, an APT group allegedly funded by Russia – were able to infiltrate SolarWinds’ network of over 18,000 customers.
The hackers compromised SolarWinds’ software build pipeline to insert malware. This was then delivered through a software update to SolarWinds’ customers. This customer base included around 80 percent of the Fortune 500, including Microsoft, Cisco, Intel, Nvidia, Belkin, FireEye, Deloitte, and numerous US government departments and agencies.
The SolarWinds attack has not only had wide-reaching consequences for these organisations, but it also acts as a proof point for the industry to show how software supply chains can be weaponised – especially as our reliance on software grows.
Now it is time to learn from what happened and take steps to protect ourselves from future software supply chain attacks of this kind. This requires a focus on securing build pipelines to ensure hackers are not able to manipulate the process. In addition, investing in machine identity infrastructure is required, to ensure that every piece of code that is running in the build system is signed with a valid code signing machine identity.
Breaking down the SolarWinds attack
The compromise of the widely used network monitoring and management software, SolarWinds® Orion® Platform, enabled the malicious actors to deliver backdoored updates into hundreds of customer systems.
Reports have confirmed the infection was caused by malware dubbed SUNSPOT. The SUNSPOT malware was in charge of inserting the malicious code into the software update, replacing one of the source code files during the build process with the SUNBURST backdoor.
The modification to the update was very lightweight. The hackers mimicked the coding style of the software developers by matching the naming standards, enabling the modification to blend in easily.
As a result, they were then able to force the machine identity code signing system to sign a backdoored update through the legitimate signing process defined by the SolarWinds developers. This meant the SUNBURST backdoor was then delivered through the legitimate software update distribution system and therefore, it was trusted by anyone who downloaded the update from the company’s website.
The attackers’ ability to trick the code signing system into signing malicious code is worrying, as code signing guarantees trust and software authenticity across enterprise networks. Ultimately, the fact that the update was signed and verified made it extremely hard to detect that anything was wrong, allowing the attackers to hide in plain sight.
The wider security impact
While this attack was not novel, it has captured the attention of the industry. A high level of sophistication was required to mimic the developers’ code and structure. The attackers’ stealth and their ability to remain as unnoticeable and undetected as possible was also noteworthy.
Software supply chains have proven to be poorly protected, lucrative targets. Attacks on them are only going to become more common.
Most organisations are simply unable to detect malicious activity in their build pipeline. Developers are working at machine speed to meet demand for services across their organisation and accelerate innovation. DevOps teams don’t have their software supply chains mapped out and, of course, you can’t manage what you can’t see.
Added to this is the scale of activities. The average Java development organisation relies on over 14,000 unique component releases. It’s impossible to keep track of this number of components using manual processes to provision and manage code signing machine identities.
These issues are compounded by a lack of clarity about the relationship between infosec and DevOps teams. In many organisations, there is confusion over responsibility for defending build pipelines and implementing code signing infrastructure to ensure each piece of code is signed.
This means neither CIOs nor development teams understand how they’re secured. This isn’t new: Venafi released a report last year showing a clear lack of protection deployed around code signing certificates. Furthermore, as far back as 2012, a Georgia Institute of Technology study warned of the type of damage that could be caused by taking over or spoofing a network management system like SolarWinds.
Addressing the security gap
The SolarWinds attack proves that every software company’s updates can now be considered a weapon. Digital transformation magnifies the issue, with new software released and updated more frequently than ever.
To address the holes in the build pipeline, organisations need to tightly control what can execute in it and automate security processes – particularly the management and rotation of their machine identities.
A strong machine identity strategy, in which each piece of code entering the build environment is signed, enables greater efficiency, predictability and scalability of processes and policies. This will help to align developer and infosec teams. It also allows teams to self-service machine identities when needed, while having end-to-end automation of the machine identity lifecycle.
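As an added illustration (not code from this article, Venafi or SolarWinds), the sketch below shows one form such a control can take: a gate that compares every file in the build workspace with a sealed manifest of approved inputs and reports anything modified, missing or unexpected before the signing step runs. The file names, the demo key and the use of an HMAC in place of a real code signing identity are assumptions made for the example.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Map every file under root to its SHA-256 (taken when the code is approved)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(manifest: dict, key: bytes) -> str:
    """HMAC stands in here for a signature made with a code signing identity."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check_workspace(root: Path, manifest: dict, tag: str, key: bytes) -> list:
    """Return findings; an empty list means the build inputs match what was approved."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: seal invalid"]
    current = build_manifest(root)
    findings = [f"{n}: modified" for n in manifest if n in current and current[n] != manifest[n]]
    findings += [f"{n}: missing" for n in manifest if n not in current]
    findings += [f"{n}: unexpected" for n in current if n not in manifest]
    return sorted(findings)

def demo() -> tuple:
    key = b"constructed-demo-key"  # assumption: a real key stays in an HSM or signing service
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        # Constructed sample sources; the names are hypothetical.
        (root / "src" / "Monitor.cs").write_text("class Monitor { void Refresh() {} }\n")
        (root / "src" / "Util.cs").write_text("class Util {}\n")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = check_workspace(root, manifest, tag, key)
        # Constructed tamper: a source file changes after approval, before compilation.
        (root / "src" / "Monitor.cs").write_text("class Monitor { void Refresh() { Extra(); } }\n")
        (root / "src" / "Helper.cs").write_text("class Helper {}\n")
        tampered = check_workspace(root, manifest, tag, key)
    return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("before change:", clean)
    print("after change: ", tampered)
```

A gate like this only helps if it runs against the exact files the compiler reads and if the manifest is sealed somewhere other than the build host. A file that is swapped and then restored before the check runs will not be seen, which is why the check belongs inside the build step itself rather than after it.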
Organisations must also map out their entire software supply chain to gain visibility over every element they produce and consume, assessing what they have in their DevOps stack, and who has access to it.
Urgent action required
Organisations need to act urgently to protect themselves from future attacks by securing their software supply chain and developer build pipeline by ensuring each and every piece of code used is signed. While SolarWinds has made enterprises sit up and take note, many still do not understand the reason it was so successful, so they still aren’t factoring code signing and machine identity management into their defence strategies.
The only way organisations can protect themselves and their customers is to have a clear knowledge of every piece of software running in the build environment.
Yana Blachman is a Threat Intelligence Researcher at Venafi