Inside SunBurst

A Bit of Security, by William J. Malik
Inside the SunBurst Attack E048 2024 12 09
A Bit of Security for December 9, 2024
Last week I heard Tim Brown, CISO of SolarWinds, speak about his management of the SunBurst attack against SolarWinds, which suffered the iconic software supply chain attack. Tim characterized it that way to describe how the bad actors (Russia’s SVR hacking team) managed to replace a module in the Orion package with malicious code during the build process. We’re going to examine it to extract two lessons. The first is about securing your software build process. The second is about the capabilities of your anti-malware software.
To understand the magnitude of this hack, let’s review the timeline. The hack was revealed to SolarWinds by Mandiant in December of 2020. By then, three releases of the product had been corrupted, reaching back to October of 2019. Two of the domains used by the hackers were registered in August and December of 2019. The bad actors were in the company’s systems for 14 months before being detected.
While there, they altered the software build process. When you build a product, you have to compile the programs into a load module, test it, fix any defects, package it, verify the packaging, and ship it. That sounds like a metaphor, but back in the day shipping the product actually meant putting the software package on a reel of magnetic tape and physically shipping it. I delivered a release of the mainframe operating system MVS/XA to IBM’s Program Information Distribution (PID) along with Jack Martin. It occupied 71 reels of tape. What SolarWinds does is spin up a group of ten to thirty virtual machines to compile each of the modules and then kick off the build, verification, and packaging processes.
What the bad guys did is alter the template for the virtual machines. When you spin up a virtual machine, you don’t have to start from square one. You can design in certain capabilities, so the machine is ready to do the specific job you want it to do. You do this by building a template, which identifies those routines and data sources you are going to use in the process later. The virtual machines used to build the product had a template. The bad actors changed the template to add a service they created. That service looked for a particular piece of code, and when it found it, it would replace it with their malicious routine. The service would then turn off all compiler warning messages.
That’s the supply chain piece of the attack. The tests run on the source code show it to be correct and complete. The tests run on the output load module show it functioning as expected.
Now the idea of a supply chain attack implies that a supplier, a separate entity that ships software to your organization, has been compromised and is sending you software that you may include in a separate product you build. That also used to be called third-party risk, and that wider term covers anything your organization uses, either as part of a new product or in the normal course of operations.
The first finding is to make sure you secure your software manufacturing process – know what the inputs are, and verify any scripts, templates, models, or services you include on a regular schedule, just as you would clean the shelves in your kitchen regularly.
The second finding concerns your antimalware software. Don’t believe the vendor’s claims wholesale. Verify them when you can. In the case of SolarWinds, they used a tool that supposedly ran advanced AI to detect unrecognized malicious behavior. Yet for at least fourteen months, the malicious actors were rewriting scripts, loading unverified software modules, resetting compiler warning levels, and shipping code that was different in size from the code they built in development. Hundreds of times. Ask your vendor if their code would have caught SunBurst. And then, if they say yes, ask them to prove it.
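The two findings above (pin and verify every build input; notice when the shipped artifact or the compiler's warning output no longer matches what development produced) can be turned into a small, routine build-integrity check. The following is an added example written for this page, not SolarWinds code or any vendor's product; the file names, script contents and artifact bytes are constructed sample data.

```python
import hashlib
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_build_inputs(pinned: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare every template, script and service the build pulls in against a
    reviewed manifest of SHA-256 digests. Drift, omissions and unlisted extras
    are all findings; an empty list means the inputs are exactly as reviewed."""
    findings = []
    for name, expected in pinned.items():
        if name not in current:
            findings.append(f"missing pinned input: {name}")
        elif sha256_bytes(current[name]) != expected:
            findings.append(f"modified build input: {name}")
    for name in sorted(current):
        if name not in pinned:
            findings.append(f"unlisted build input: {name}")
    return findings


def compare_artifacts(dev_build: bytes, release_build: bytes) -> List[str]:
    """The shipped load module must match what development built: same size, same digest."""
    findings = []
    if len(dev_build) != len(release_build):
        findings.append(f"size differs: dev={len(dev_build)} release={len(release_build)}")
    if sha256_bytes(dev_build) != sha256_bytes(release_build):
        findings.append("digest differs between development and release builds")
    return findings


def warnings_suppressed(baseline_warnings: int, observed_warnings: int) -> bool:
    """A build that normally emits compiler warnings and suddenly emits none is a
    signal that warning levels were reset rather than that the code got cleaner."""
    return baseline_warnings > 0 and observed_warnings == 0


def demo() -> Dict[str, object]:
    # Constructed sample data: the reviewed manifest, and what the build host actually sees.
    reviewed = {"vm-template.json": b'{"base": "builder-image", "services": []}',
                "build.ps1": b"compile --warnings all\n"}
    pinned = {name: sha256_bytes(data) for name, data in reviewed.items()}
    seen = dict(reviewed)
    seen["build.ps1"] = b"compile --warnings none\n"          # tampered build script
    seen["injected.svc"] = b"<constructed extra service>"    # service nobody on the team added
    dev_artifact = b"\x4d\x5a" + b"\x00" * 100                 # constructed 102-byte dev build
    return {
        "inputs": verify_build_inputs(pinned, seen),
        "artifact": compare_artifacts(dev_artifact, dev_artifact + b"\x90" * 16),
        "warnings": warnings_suppressed(baseline_warnings=12, observed_warnings=0),
    }
```

Run these checks on every build, not only at release time, and keep the pinned manifest somewhere the build hosts themselves cannot rewrite.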
That’s our Bit of Security for Monday, December 9, 2024. I’m William Malik. Be safe!
SunBurst has two important lessons for us: supply chain security and security vendor claims. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #supplychainattack #SDLC #softwarebuild #AIforsecurity #BitofSec