The Anatomy of the SolarWinds Attack Chain
Imagine there’s an attacker lurking inside your network right now. Do you have the ability to find out and respond before they can cause harm? Now imagine your adversary has privileged access to virtually every file and system in your IT environment and can impersonate any human, application or machine identity, at any time. Could you spot the attacker hiding in plain sight?
These are just some of the many questions security teams are asking themselves in the wake of the massive SolarWinds attack that leveraged a digital supply chain vector to potentially reach into more than 18,000 organizations around the world.
While details of the attack and its implications continue to surface, it’s clear that the compromise of identity and manipulation of privileged access was instrumental in the success of this attack. And today, there’s much to be learned from examining the tactics, techniques and procedures (TTPs) used by the adversary to achieve what The Washington Post described as “the computer network equivalent of sneaking into the State Department and printing perfectly forged U.S. passports.”
We asked Lavi Lazarovitz, head of CyberArk Labs, to help us deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk. For a deeper technical dive and guidance on risk mitigation, join our webinar on March 18 and save the date for a big-picture view of what major breaches like ‘Solorigate’ mean for both defenders and attackers on April 22 (U.S. registration, EMEA registration and APJ coming soon!).
Deconstructing the Three Major Stages of the SolarWinds Attack
Where It All Began
In early December 2020, several organizations discovered and reported breaches to their networks within a few days of each other. It didn’t take long for security and threat analysts to connect the dots, as the initial foothold into each of these companies was identical: a Trojanized update to a popular infrastructure monitoring and management platform – SolarWinds’ Orion. Soon, many other organizations and government agencies discovered similar infections.
But why Orion? “Because it’s connected everywhere – from switches and routers, to firewalls, virtualization infrastructure, Active Directory, storage management tools and more,” explains Lazarovitz. “All of these connections rely on credentials, which in most cases are highly privileged. Simply put, Orion has its ‘hooks’ in all facets of an enterprise, making it the perfect target for an adversary.”
Attack Stage 1: Infect the Orion Software Pipeline Infection
While it’s still unclear exactly how the adversaries first infected SolarWinds Orion, forensic evidence reported in the press indicates they worked hard to learn the company’s code structure and terminology before launching the attack. But how they managed to gain entry is inconsequential, since threat actors, especially well-resourced nation-state actors, will nearly always find a way to get inside. It’s also why defenders must always “assume breach.”
To establish a foothold into the organization, the threat actor compromised the “heart” of the CI/CD pipeline, where code is tested, wrapped, containerized and signed, then successfully changed SolarWinds’ source code. The attacker deployed malware, now infamously known as “SunSpot,” which ran with high privileges, scanning for Orion builds.
With surgical precision – and without tipping off developers or engineers – the malware changed source file code names (ever so slightly) to deploy a backdoor. Following the build update, the backdoor code was deleted and the original file names were restored.
Lazarovitz emphasizes the complexity of such an operation, noting, “The actor had to silence warnings in the code and make sure the deployment of the malicious code was flawless.” Making it seem as though they’d never been there was no easy task.
These revelations have prompted many organizations to re-examine the security of their own CI/CD pipelines, and particularly, pipeline orchestrators and infrastructure managers, since these assets have extensive privileged access. These organizations are asking their supply chain vendors to do the same.
Attack Stage 2: Target SolarWinds Customers
After a dormant period of about two weeks – an intentional pause that helped the attacker cover their tracks – the malicious payload started doing some reconnaissance and operation security checks.
One of these checks aimed to identify hashes linked to specific endpoint security agents and forensics tools that could expose the running malware. If an agent or tool on this “checklist” was identified in the environment, the malware attempted to terminate the agents or suspend itself, if unsuccessful.
However, if the malware did not find these specific hashes, or if it successfully terminated them, it moved to the next stage: calling home, dispatching commands from C&C servers and disabling any vulnerable endpoint security agents.
“Generally speaking,” Lazarovitz explains, “the level of privilege the malware has upon initial infection can spell the difference between an infected endpoint and an entire network takeover.” Enforcing the principle of least privilege across all endpoints can help prevent lateral movement, making it significantly harder for attackers to accomplish their goals. But in the case of this digital supply chain attack, the malware already had elevated privileges when it reached each Orion customer organization.
Note, with the benefit of 20/20 hindsight, credential theft protection policies protecting Orion’s credentials database may have slowed the attack down by requiring the actor to use tools and techniques that increase the chance of exposure.
But as it was, “Orion’s privileged credentials were accessible to the attacker once inside, and almost certainly used in the next stage of the attack,” says Lazarovitz.
Attack Stage 3: Privilege Escalation to High-Value Targets
Based on what’s been reported, the actor most likely harvested credentials stored in Orion’s database, such as those traditional Tier0 assets like Active Directory, firewalls and infrastructure and networking management software. This would enable rapid escalation of privileges. And with these powerful credentials in hand, the threat actor could have owned the targeted network right away.
“But here’s where it got interesting,” says Lazarovitz. The attacker began making moves to establish persistence, possessing sufficient privileges to not only add a backdoor account, but also an entire trusted tenant completely under their control. This provided continued access to the target network’s applications, services and data using the new trusted tenant accounts. Further, it eliminated the impact of any potential password changes by the organization and allowed the attacker to bypass multi-factor authentication completely.
Doing this required a mix of sophisticated methods, and most notably, the Golden SAML technique.
Using highly privileged credentials, the attacker successfully accessed and manipulated the victim organization’s SAML token-signing certificate and forged digital SAML tokens that provide single sign-on access to virtually any system and application in the environment, both on-premises and in the cloud. Since SAML token-signing certificates are almost never changed, the attacker could persist in the network for lengthy periods of time without fear of detection, and ultimately, achieve the intended goal.
“The Golden SAML technique highlights the fact that if the primary secret of the identity provider is compromised – for example, Active Directory Federation Services, then the threat actor ‘owns’ the source of truth and BECOMES their own identity provider. They can impersonate any user they want – no matter the user’s password, no matter the level of privilege and no matter if MFA is implemented,” says Lazarovitz. He stresses the importance of implementing strong Identity Security policies and controls that restrict privileged access to these Tier0 systems, reduce exposure and enable earlier detection.
To learn more about the Golden SAML technique, which was first identified by CyberArk Labs in 2017, visit the CyberArk Threat Research Blog.
The Right Frame of Mind: An Assume Breach Mentality
The vast majority of all cyber attacks involve the compromise of identity and manipulation of privileged access. The SolarWinds breach was no exception.
As traditional network security barriers dissolve, the ‘assume breach’ mindset has never been more critical. By assuming that any identity – whether human or machine – in your network may have been compromised, you can turn your attention to identifying, isolating and stopping threats and gaining privileged access and executing lateral movement, before they can do harm.