Taking strategic steps to defend against IT supply-chain attacks

by Steve Singer

The massive SolarWinds cyberattack that was revealed in the closing weeks of 2020 has had an impact on thousands of organisations around the world. From the US Treasury Department and Homeland Security to software and mining companies, organisations are coming to terms with data losses and disruptions.

These types of attacks are sophisticated and targeted in nature. The attackers aim to compromise a software vendor's build or update pipeline so that the vendor's own trusted update mechanism carries the compromise into the infrastructures of every customer and supplier that installs it.

The attacks are particularly worrying for IT security teams because they are very difficult to identify or prevent. Digitally signed updates served over encrypted channels protect an update in transit, but they do nothing against code injected before the update is signed: if the attacker reaches the vendor's build system, the malicious update carries a valid signature from the vendor's own key and is indistinguishable from a legitimate release to any downstream check.

Once such a weakness has been identified, the attackers work to compromise the vendor's software build or update processes. If successful, they are then able to include malicious code within seemingly normal updates that are pushed out to unsuspecting customers and suppliers.

A supply chain attack of this type is particularly dangerous because it allows an attacker to potentially compromise a large number of organisations at the same time. Also, the attacks succeed because they take advantage of the inherent trust that exists between software vendors and their customers.

The SolarWinds attack

The SolarWinds cyberattack, the extent of which is still yet to become fully clear, is one of the most significant examples of a supply chain attack ever experienced around the world.

Attackers inserted a backdoor into legitimate, signed builds of the company's Orion IT monitoring and management software. Orion typically runs with broad privileges and holds credentials for the systems it monitors, so a backdoored Orion server gave the attackers extensive access to data stores and applications on customer networks.

SolarWinds has estimated that up to 18,000 organisations, including some in Australia, received the malicious updates. The attackers then hand-picked a much smaller set of those organisations for follow-on intrusion, which is why receiving the update and being actively compromised are not the same thing.

How Zero Trust can help guard against supply chain attacks

While preventing such a supply chain attack is extremely difficult, taking a Zero Trust approach to network security can reduce the chance that an organisation will fall victim.

Zero Trust helps to minimise the overall attack surface by authorising access to individual applications and components rather than granting access to the network as a whole. A backdoored monitoring server that can reach only the systems it is explicitly permitted to manage is a far poorer launch point for the lateral movement that was a feature of the SolarWinds attack.

Zero Trust also gives defenders a better chance of catching an unknown attack before it becomes established. Because every connection must be explicitly authorised, activity that is out of the ordinary stands out: a monitoring server that starts resolving external domains it has never contacted, or connecting to internal hosts it has no business managing, is a strong sign that an adversary has gained access. Analytics tools, including AI-powered ones, can surface such deviations so that security teams can be notified to carry out closer inspection. In the SolarWinds case the backdoor's initial beacons went out over DNS to subdomains of avsvmcloud.com, exactly the kind of egress a monitoring server should never be permitted to make.

For the organisations that fell victim to the SolarWinds attack, there are some steps that should be taken to reduce the likelihood of similar events in the future. These steps include:

  • Review your entire IT infrastructure to determine whether you are running vulnerable SolarWinds Orion servers. The trojanised Orion Platform builds (2019.4 HF 5, 2020.2 and 2020.2 HF 1) were released between March and June 2020, so any server that received updates during that window needs particular care, including systems that have since been patched.
  • Scan your servers with the YARA rules FireEye published for this campaign to determine whether the SUNBURST backdoor, or the other tooling used in the attack, is present on your network. Any backdoor left in place can continue to be used to extract data.
  • Isolate, disconnect or power down any infected systems. This is important to prevent further activity by attackers and to reduce the likelihood that other data stores will become compromised.
  • Examine activity logs, particularly DNS, proxy and firewall logs for the Orion servers, to identify any command and control activity or lateral movement from infected systems. Such events are clear signs that attackers have moved beyond the initial foothold.
  • Reset all credentials used by SolarWinds Orion and associated services, including service accounts, API keys and any certificates or tokens that an Orion server could read. Assume anything readable from a backdoored server has been stolen; rotating it reduces the value of the theft and the chance of further intrusions.
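The checklist above, together with the earlier point about spotting out-of-the-ordinary activity from a monitoring server, can be expressed as simple checks over an inventory and a set of DNS log lines. The Python below is an added example, not code from Zscaler, SolarWinds or FireEye: it flags hosts on the trojanised Orion builds, searches DNS records for the SUNBURST beacon domain, and applies a Zero Trust style egress allow-list to the Orion servers so that unknown destinations are flagged even when no known indicator matches. The inventory, the log lines, the avsvmcloud.com subdomain, the allow-list and the log format are all constructed assumptions; a real run would be fed exported DNS or proxy logs.

```python
"""Triage helper for the Orion checklist above.

Added example, not code from Zscaler, SolarWinds or FireEye. All inputs below are
constructed sample data; nothing here queries a real system.
"""
import re

# Orion Platform builds that shipped the SUNBURST backdoor, as named in the
# SolarWinds advisory. Assumption: your inventory records builds with these labels.
TROJANISED_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Domain the backdoor beaconed to over DNS; the leading labels encode a per-victim id.
C2_DOMAIN_SUFFIX = ".avsvmcloud.com"

# Constructed inventory: hostname -> installed Orion Platform build.
ORION_INVENTORY = {
    "orion-prod-01": "2020.2 HF 1",
    "orion-dr-01": "2019.4 HF 5",
    "orion-lab-01": "2020.2.1 HF 2",  # patched build, not affected
}

# Assumed egress policy for an Orion server: vendor update site and the corporate proxy only.
EGRESS_ALLOWLIST = {"downloads.solarwinds.com", "proxy.corp.example"}

# Constructed DNS log lines in the form "<timestamp> <source host> <record type> <query>".
# The avsvmcloud.com subdomain is a made-up value in the backdoor's format, not a real one.
SAMPLE_LOGS = """\
2020-06-14T02:11:09Z orion-prod-01 A downloads.solarwinds.com
2020-06-14T02:12:40Z orion-prod-01 A 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-06-14T02:13:02Z orion-prod-01 A proxy.corp.example
2020-06-14T03:01:55Z orion-dr-01 A fileserver-02.corp.example
2020-06-14T03:02:11Z wkstn-042 A www.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rtype>\S+) (?P<query>\S+)$")


def parse_logs(text):
    """Parse log text into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def vulnerable_hosts(inventory):
    """Checklist step 1: hosts whose installed build is one of the trojanised releases."""
    return sorted(host for host, build in inventory.items() if build in TROJANISED_BUILDS)


def find_c2_beacons(records):
    """Checklist step 4, known indicator: any query for the SUNBURST C2 domain, from any host."""
    return [r for r in records if r["query"].lower().endswith(C2_DOMAIN_SUFFIX)]


def find_unexpected_egress(records, orion_hosts, allowlist):
    """Zero Trust style check: an Orion server resolving anything outside its
    allow-list is suspicious even when the destination is not a known indicator."""
    allowed = {d.lower() for d in allowlist}
    return [r for r in records
            if r["host"] in orion_hosts and r["query"].lower() not in allowed]


def triage(inventory, log_text, allowlist=EGRESS_ALLOWLIST):
    """Run all three checks and return their findings keyed by check name."""
    records = parse_logs(log_text)
    return {
        "vulnerable_hosts": vulnerable_hosts(inventory),
        "c2_beacons": find_c2_beacons(records),
        "unexpected_egress": find_unexpected_egress(records, set(inventory), allowlist),
    }


if __name__ == "__main__":
    for check, findings in triage(ORION_INVENTORY, SAMPLE_LOGS).items():
        print(f"{check}: {len(findings)}")
        for finding in findings:
            print("   ", finding)
```

On the sample data the known-indicator check catches only the avsvmcloud.com beacon, while the allow-list check additionally surfaces the disaster-recovery Orion server resolving an internal file server it has no reason to manage. That second finding is the point of the Zero Trust approach: a monitoring server's legitimate destinations are few and known, so anything else is worth a look whether or not a YARA rule or indicator list has caught up with it yet.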

While events on the scale of that experienced by SolarWinds are thankfully rare, supply chain attacks are likely to continue to be mounted. By ensuring IT security teams have a clear understanding of the threat and what needs to be done to minimise it, organisations will be best placed to withstand future incidents.

Steve Singer is the Regional Vice President and ANZ Country Manager, Zscaler. For more information visit www.zscaler.com