Thought leadership. Threat analysis. Cybersecurity news and alerts.
Extent of the Supply Chain Attack on SolarWinds Orion Platform Software
In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.
What Is a Supply Chain Attack?
Supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a software with the goal of compromising the end users of the said software.
In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted a malicious software (malware) dubbed as “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.
Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”
The effects of a compromised server hosting the Sunburst malware is far and wide as SolarWinds Orion Platform software is specifically meant as a centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.
Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.
Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.
“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”
According to FireEye, the Sunburst malware campaign may have started as early as Spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after this malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” enabling transfer files, execute files, profile the system, reboot the machine, and disable system services.
FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.
According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.
In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."
“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”
Mitigating Measures Against Supply Chain Attack
In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.
In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.
If isolation isn’t possible, the following mitigating measures should be taken:
Lessons Learned Four Years After Dyn DDoS Attack
One of the perpetrators of the massive distributed denial-of-service (DDoS) attack that brought down the domain name system (DNS) provider Dyn and major websites pleaded guilty.
In a statement, the U.S. Department of Justice said that on October 21, 2016, the individual, who was a minor at the time, pleaded guilty to creating, in collaboration with other individuals, a botnet that launched several DDoS attacks and impacted the DNS provider Dyn (now owned by Oracle), as a result, taking offline for several hours a number of websites, including the websites of Sony, Spotify, Amazon, Twitter, PayPal, and Netflix.
What Is a DDoS Attack?
A DDoS attack is a type of cyberattack that overwhelms an online resource, such as a website with malicious traffic, taking down the website offline, making it unavailable to legitimate site visitors.
In overwhelming an online resource or online platform with malicious traffic, attackers use a botnet. A botnet refers to hijacked computers, including Internet of Things (IoT), and controlled by the attackers to perform malicious activities including DDoS attacks.
Based on court documents, in September and October of 2016, the attackers, including the one who recently pleaded guilty, created a botnet, which was a variant of the botnet called “Mirai,” in launching the DDoS attacks that resulted in taking down Dyn. The Mirai-variant botnet hijacked IoT devices including video cameras and recorders and turned them into “zombie robots” in launching the DDoS attacks.
"We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a statement about the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”
Role of Domain Name System (DNS) Resolver
Domain Name System (DNS) is one of the infrastructural services that most modern websites critically rely on when servicing web requests.
In searching the internet, users type into the web browsers words such as espn.com. Web browsers interact with Internet Protocol (IP) addresses – referring to addresses that are too complex for users to memorize such as 192.168.1.1 (in IPv4), or more complex IP addresses 2400:cb00:2048:1::c629:d7a2 (in IPv6).
What DNS does is convert these domain names, for instance, espn.com into IP addresses so that web browsers can load the web content. This eliminates the need for users to memorize complex IP addresses. DNS resolver like Dyn, meanwhile, initiates the process that leads to a domain name being translated into the necessary IP address.
DNS resolvers, also known as DNS providers, aren’t immune to cyber risks such as DDoS attacks as shown in the Mirai-Dyn incident. The Mirai-Dyn incident also showed that the reliance on a single third-party DNS resolver like Dyn led to taking offline the websites relying solely on a single DNS resolver.
In the study "Analyzing Third Party Service Dependencies in Modern Web
Services: Have We Learned from the Mirai-Dyn Incident," a team of Carnegie Mellon University researchers found that despite the highly publicized Dyn outage, for the period of 2016 to 2020, 89% of the Alexa top-100K websites critically depend on third-party DNS providers, that is, if these DNS providers go down, for instance through DDoS attacks, these websites could suffer service disruption.
The Carnegie Mellon University study also found third-party critical dependencies are higher for lower-ranked websites. The Carnegie Mellon University researchers added, “Moreover, we observe that redundancy decreases with popularity; i.e., more popular websites care more about availability as compared to less popular ones.”
The DDoS attack on Dyn in 2016 showed that third-party DNS providers aren’t immune to cyber risks such as DDoS attacks that are faced by small organizations.
One lesson out of the DDoS attack on Dyn in 2016 is the need to have a backup DNS resolver or provider. Twitter, for instance, added redundancy or backup by deploying a private DNS in addition to Dyn (now Oracle). Only a few organizations, however, can do what Twitter did as many can’t afford a private DNS infrastructure.
According to Carnegie Mellon University researchers, only a small fraction of websites have DNS infrastructure backup due to the following reasons:
DNS Amplification DDoS attack hit Dyn in 2016. Since DNS is UDP based, it opens the door to IP spoofing and amplification attack. In IP spoofing, attackers falsify the source IP header to mask their identity. UDP-based DNS also allows for an attack amplification technique in which 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.
DDoS protection is available against DNS Amplification DDoS attacks. Imperva’s DDoS Protection for DNS is the first destination for all DNS queries. “Acting as a secure proxy, Imperva prevents illegal DNS queries from reaching your server while masking it from direct-to-IP network layer attacks,” Imperva said in a statement.
Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million
The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new privacy law for the private sector that aims to impose a stronger fine on organizations that remiss in protecting the privacy of Canadians.
The new proposed privacy law called the “Consumer Privacy Protection Act (CPPA),” also known as the Digital Charter Implementation Act, 2020, aims to impose administrative fines of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations. This new proposed privacy law also aims to impose fines for certain serious violations of the proposed law of up to 5% of global revenue or $25 million, whichever is higher.
Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”
"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”
Right to be Forgotten
The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.
The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information on platforms, including social media platforms, be permanently deleted in case when consent is withdrawn or when information is no longer necessary.
Canada’s Major Data Breach
In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.
A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs as there’s no law that allows them to.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.
The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it isn’t confirmed whether the attack was a ransomware attack.
Traditionally, ransomware attacks encrypt victims’ files, locking out victims from these files. Ransomware attackers then demand ransom from victims in exchange for the decryption keys that would unlock the locked files. Majority of today’s ransomware attackers also demand an additional ransom payment in exchange for the non-publication of the stolen data gathered during the ransomware attack.
Personal Health Information Protection Act (PHIPA)
On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once implemented, Ontario will be the first Canadian province to levy monetary penalties against individuals and companies that contravene the province’s health privacy law.
The amendment to PHIPA doubles the maximum fines for an offense to $200,000 for individuals and $1,000,000 for corporations. The amendment also mandates that an individual be imprisoned up to a year for an offense.
“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”
Steve E. Driz, I.S.P., ITCP