Jan 14, 2022

Part 2: Security Blind Spots: How Trust Concealed the SolarWinds Attack

The concept of trust is fundamental to cyber security. It is how cyber security professionals control access to private information. Trusted users and applications are allowed to access private information and those that are untrusted are not. The SolarWinds attack demonstrated how this defense can be breached on an incredibly grand scale. Over 100 organizations were penetrated by Russian-state hackers that surreptitiously inserted malware into trusted software. Prestigious U.S. government agencies and Fortune-ranked corporations blithely installed the Trojan horse in their networks because they trusted its source. Even though the Russians were targeting large organizations, the SolarWinds attack carries a warning for SMBs. The same attack vectors can be used by other cyber criminals to breach an SMB’s defenses. In this article, we’ll explain how the SolarWinds attack defeated some of the most heavily protected networks in the world and how you can help your SMB customers prevent it from happening to them.

What is a supply chain attack?

The SolarWinds hack is an example of a supply chain attack, in which a hacker penetrates a target organization via a trusted third party. In this case, the Russian SVR foreign intelligence agency leveraged the trusted vendor/customer relationship between SolarWinds and a range of government agencies and corporations to penetrate those organizations. It did this by inserting malware into a SolarWinds product update. Once the customers installed the Trojan horse, the SVR had a foothold in their networks. Trust is what makes a supply chain attack successful. The target organizations did not inspect the SolarWinds software with the diligence they would apply to other external software programs because they trusted the source. In fact, the product update was digitally signed by SolarWinds to indicate it hadn’t been tampered with; a valid signature proves who released the code, not that the code is benign. It isn’t clear exactly how the SVR gained access to the SolarWinds software development environment and managed to inject its malware into a product update. Based on reporting, it may have exploited vulnerabilities in Microsoft Office 365 and the Azure cloud service to access the SolarWinds network at least six months prior to distribution of the update. Clearly, the SVR hacking team, known as Cozy Bear, is an advanced persistent threat group with the discipline and resources to orchestrate sophisticated attacks without detection.

SolarWinds attack wreaks havoc on over 100 organizations

SolarWinds software is widely used by Fortune-ranked companies, governments and nonprofits to monitor and manage their networks. It was an ideal vehicle for the SVR to access those organizations. It gave the SVR the potential to exploit up to 18,000 organizations around the globe. However, forensic analysis indicates the SVR chose to enter only about 100 high-value U.S. targets, including:

- U.S. Government: Departments of Commerce, Justice, Defense, Homeland Security, Energy, State, Treasury, plus NIH
- Technology Companies: Microsoft, Intel, Cisco, Nvidia, VMware, NCR, SAP, Belkin, Checkpoint and FireEye
- Telecommunications: Cox Communications, Comcast, AT&T
- Consulting Firms: Deloitte

The SVR’s objective was espionage. Reports indicate it was able to read email sent and received by the target organizations. FireEye reported the hackers copied the company’s “red team” tools for probing cyber defenses. The full extent of the exploits has not been disclosed and it’s impossible to measure the damage done by the attack. Target organizations typically install SolarWinds software in the core of their networks, which is ideal for an attacker. From this foothold, the SVR exfiltrated files and moved laterally into other systems. Cozy Bear moved slowly and methodically within its targets, taking care not to trigger any alarms.

Why do SMBs need to defend against supply chain attacks?

Supply chain attacks can be orchestrated by less capable hackers than a nation-state and may target any type of organization. The simplest type of supply chain attack is perpetrated by stealing login credentials from a third party that has access to the target organization. Stolen or misused credentials were associated with 38% of attacks in 2020. This is the vector used against the Target department store chain in 2013, when point-of-sale systems were breached using login credentials stolen from an HVAC contractor. SMBs can be attractive for ransomware, fraud, theft of intellectual property, or as an avenue toward a larger downstream organization in a cascading supply chain. Hackers can realize a high ROI against SMBs when the cost to carry out a supply chain attack is relatively low. Certainly, stolen credentials provide hackers a very low-cost attack vector. Trust is the common attribute in the stolen-credentials and Trojan-malware attack vectors. The target organization lowers its defenses for third parties that it trusts, and this presents the opening a hacker needs to carry out its crime.

Three steps VARs can take to help their SMB customers

SMB managers may be tempted to disregard cyber espionage stories, thinking they aren’t applicable to them. However, the SolarWinds attack presents lessons that apply to organizations of all types and sizes. How can VARs keep their SMB customers from falling victim to a supply chain attack similar to SolarWinds? Here are three steps you can bring to your customer:

1. Recognize trust model vulnerabilities – Use the SolarWinds example as an opportunity to educate your customer about the risks inherent in traditional trust-based security strategies. If some of the largest and most sophisticated networks in the world can be compromised, so too can their network.

2. Adopt a zero trust strategy – First introduced by John Kindervag of Forrester Research over a decade ago, the zero trust strategy combines multiple network segmentation technologies to give users and applications the least amount of access needed for them to do their jobs and tasks. Suggest your customer implement a strategy where no application or user is given carte blanche access to the IT infrastructure.

3. Always verify – Half of the old adage “trust but verify” is still relevant and should be applied. Advancements in machine learning make it easy to detect when an application or user is exhibiting unusual behavior that may indicate an attack is underway. You can suggest your customer leverage these tools to add another layer of protection to their infrastructure.
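The "always verify" step in practice, as an added example that is not from the original article or any SolarWinds tooling: a trusted network-management host is baselined on the devices it normally talks to and its usual outbound volume, and any deviation (a new internal destination, a new external host, an upload far above baseline) is flagged for review. A simple statistical baseline stands in for the machine-learning products the article refers to; all flow records and addresses are constructed samples.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (src, dst, dst_port, bytes_out).
# 10.0.0.5 plays the role of a trusted monitoring server; the devices it
# polls over SNMP (port 161) and one assumed vendor update host make up
# its normal behaviour.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 161, 1200),
    ("10.0.0.5", "10.0.1.11", 161, 1300),
    ("10.0.0.5", "10.0.1.12", 161, 1100),
    ("10.0.0.5", "10.0.1.10", 161, 1250),
    ("10.0.0.5", "10.0.2.20", 443, 4000),  # assumed vendor update server
]

# Constructed observation window: two normal polls, then a connection to an
# internal host never seen before, then a large upload to an external host.
OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 161, 1210),
    ("10.0.0.5", "10.0.1.11", 161, 1290),
    ("10.0.0.5", "10.0.3.40", 445, 2000),
    ("10.0.0.5", "203.0.113.9", 443, 90000),
]


def build_baseline(flows):
    """Learn, per source host, its usual (dst, port) peers and byte volumes."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[src].append(nbytes)
    return peers, volumes


def find_anomalies(baseline_flows, observed_flows, z_threshold=3.0):
    """Return (src, dst, port, reason) for each observed flow that deviates."""
    peers, volumes = build_baseline(baseline_flows)
    findings = []
    for src, dst, port, nbytes in observed_flows:
        reasons = []
        if (dst, port) not in peers[src]:
            reasons.append(f"new destination {dst}:{port}")
        vols = volumes[src]
        if len(vols) > 1:
            mu, sigma = mean(vols), pstdev(vols)
            if sigma and (nbytes - mu) / sigma > z_threshold:
                reasons.append(f"volume {nbytes}B > {z_threshold} sigma above baseline")
        if reasons:
            findings.append((src, dst, port, "; ".join(reasons)))
    return findings
```

A baseline built from one quiet week will not know about legitimate changes, so findings are review prompts, not verdicts; the point is that a trusted application's own behaviour, not its signature, is what gets verified.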

Don’t be blinded by con artists

Supply chain hacks are the work of sophisticated con artists who exploit trusted relationships. The IT community must be vigilant in recognizing and defending against their attacks. The SolarWinds hack is a call to action for SMBs and large organizations alike. VARs can help their SMB customers by raising awareness and providing sound recommendations for improving their security posture. An excellent starting point is to move from traditional trust-based network defenses to a modern zero trust strategy that can withstand and mitigate a supply chain attack.