Page 69 - Cyber Defense eMagazine April 2021 Edition
The common perception is that serious data breaches need to involve some kind of security flaw, for
example, an application bug or vulnerability that attackers have discovered and exploited. The reality is
that initial breaches are often the result of nothing more than very effective social engineering, and most
supply chain attacks are no exception.
The first step of supply chain attacks will usually be to hit individuals at the organisation that produces the
target software with phishing emails to harvest user credentials. Standard phishing tactics such as
impersonating IT personnel or automated system emails are very effective here.
Once the attacker has compromised an account, they can begin moving laterally and gaining more
privileged access until they reach their target: the application’s source code. From there, they hide
malicious code within the product and then ensure that the company unknowingly pushes this Trojanised
version out to its customers.
For this to be successful, the attacker needs their tampering to go unnoticed for as long as possible to give
them maximum access to the product’s userbase. To this end, the malicious code is likely inserted into
the product just before it is shipped out, minimising the chances of it being detected through any security
or quality assurance testing. In the SolarWinds case, the code was likely added to an update of its Orion
software just before it was pushed out.
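An added example (not from the article or from SolarWinds) of one control that closes the window described above: a release gate that refuses to publish an artifact unless its digest matches a keyed attestation of the build QA actually tested, so code inserted after sign-off cannot ship unnoticed. The attestation format, `release_gate`, `QA_KEY` and the sample builds are all hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class QaAttestation:
    """Record written by the QA pipeline when a build passes testing (hypothetical format)."""
    version: str
    sha256: str   # digest of the exact artifact that QA tested
    mac: str      # keyed MAC over version and digest, so the record cannot be forged or edited


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(qa_key: bytes, version: str, digest: str) -> str:
    return hmac.new(qa_key, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()


def attest(version: str, artifact: bytes, qa_key: bytes) -> QaAttestation:
    """Called by QA after testing: binds the version to the digest of what was actually tested."""
    digest = sha256_of(artifact)
    return QaAttestation(version, digest, _mac(qa_key, version, digest))


def release_gate(version: str, artifact: bytes, att: QaAttestation, qa_key: bytes):
    """Run just before publishing. Returns (allowed, reason); refuses anything QA did not test."""
    if not hmac.compare_digest(_mac(qa_key, att.version, att.sha256), att.mac):
        return False, "attestation MAC invalid (record forged or edited)"
    if att.version != version:
        return False, "attestation is for a different version"
    if not hmac.compare_digest(att.sha256, sha256_of(artifact)):
        return False, "artifact differs from the build QA tested"
    return True, "ok"


# Constructed sample data: a tested build, and the same build altered after QA sign-off.
QA_KEY = b"constructed-qa-signing-key-do-not-reuse"
TESTED_BUILD = b"installer-2021.4.bin (tested build contents)"
TAMPERED_BUILD = TESTED_BUILD + b"\nextra code injected after QA"
ATTESTATION = attest("2021.4", TESTED_BUILD, QA_KEY)
FORGED = QaAttestation("2021.4", sha256_of(TAMPERED_BUILD), "0" * 64)  # no key, so no valid MAC

if __name__ == "__main__":
    for name, build, att in [("clean", TESTED_BUILD, ATTESTATION),
                             ("tampered", TAMPERED_BUILD, ATTESTATION),
                             ("forged record", TAMPERED_BUILD, FORGED)]:
        print(name, release_gate("2021.4", build, att, QA_KEY))
```

The gate only helps if the QA key is held outside the build and publishing systems; an account that can both edit the artifact and re-sign the attestation defeats it.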
Launching a Trojan into the supply chain
Simply getting to the source code is not sufficient – the adversary needs to gain authorisation to publish
as well. This means that, unless they are very lucky and find a privileged account with poor security, the
attacker will likely be spending several weeks on very slow, careful lateral movement to reach their prize
undetected. This will likely be a highly cautious approach that uses a “living off the land” strategy, exploiting
native tools as much as possible to fly under the radar. The SolarWinds actors compromised the
company’s Microsoft Office 365 environment, including access to email and SharePoint among many
other tools.
The adversary will also need to spend time researching the company and gaining a strong understanding
of its operations before they even commence the attack. Once they have finally reached the source code,
they will then need to reverse engineer it well enough to add the malicious code without impacting the
application’s performance or leaving any obvious clues that something is amiss.
It’s worth noting that this kind of attack requires a considerable amount of time and skill to execute
successfully and has little direct return on investment for the adversary. As a result, supply chain attacks
are almost exclusively the work of state-sponsored threat actors. With a regular wage from their nation-
state paymasters, threat actors can comfortably spend several months planning and executing a supply
chain attack even without a direct return on investment. The SolarWinds attack appears to have taken at
least six months of work, for example.
When executed correctly, a supply chain attack is an insidious technique that is extremely hard to
detect. SolarWinds was only eventually discovered because FireEye suspected something unusual was
happening and took the time to investigate. It’s very likely that many other software companies are
currently subject to similar attacks but have not yet discovered them.
How supply chain attackers hide in plain sight
The most devious thing about a supply chain attack is the way it hijacks legitimate software delivery to
reach a huge number of victims. Sunburst, the malware that infected SolarWinds’ Orion software, is
believed to have infected the servers of at least 18,000 customers.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.