02:00 PM
Adam Caudill

Why the Weakest Links Matter

The recent FireEye and SolarWinds compromises reinforce the fact that risks should be understood, controls should be in place, and care should be taken at every opportunity.

A few days ago, FireEye made a stunning announcement: Its network had been breached by attackers backed by the Russian government. Now we know that there are even more victims. SolarWinds, a popular provider of tools to manage networks and IT systems, appears to be the vector the state-backed attackers used to get in. Its customer list is a who's who of major corporations, claiming more than 400 of the Fortune 500, not to mention an extensive list of US government agencies.

It's now reported that the US government has been breached by the same attackers, and FireEye has stated that it is seeing attacks against "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East." The scope of the attack is still far from clear, and the list of known victims is growing steadily. For the US government, the list has expanded to a number of departments, including State, Defense, Homeland Security, Treasury, and Commerce, with possible impact elsewhere, including some vital to national security, such as the National Security Administration and Los Alamos National Laboratory.

In a rare move, the Cybersecurity & Infrastructure Security Agency released an emergency directive to shut down SolarWinds Orion systems immediately. This is a move to protect these important networks, though it comes with its own problems: the monitoring and services those systems provided are lost. During an incident like this, a clear line of sight into network traffic, logs, and system activity is vital to determining impact; by leveraging these systems in the attack, the malicious actors have compounded the problem for those potentially affected.

SolarWinds boasts a customer list of more than 300,000 entities — though based on a Securities and Exchange Commission filing, about 33,000 of those customers are using the affected Orion suite of products and 18,000 of those may have been affected. While 18,000 possibly impacted is far better than 300,000, it's still hard to overstate the possible effects of this attack. The value of information that may have been stolen is incalculable, and the results of this attack could be felt for years.

While there is much to be learned, some things are already becoming clear, including the mechanism that the attackers used to launch their attacks — inserting malicious code into an application update. Software supply chain attacks have been a major concern, and have been used in the past to great effect. Crafting a malicious update, especially one that includes proper code signing, is complicated, and often requires deep access to the vendor's development systems. 

Developer machines, source control management systems, build servers, or even sites that developers download tools from may be compromised, giving an attacker an entry point to inject malicious code. Too often, these are the weakest links in the chain, and attackers will always focus on the weak links. There's no need to spend the time and effort to attack the hard targets when there are easier options available; attackers — especially those that work for state-backed operations — have deadlines too.

Due to the nature of software development, these systems too often don't have the level of monitoring, access controls, and security hardening that other systems in a network do. While this makes troubleshooting easier for developers, it also makes it easier for attackers to get in and to remain undetected while they explore and insert their backdoors.

While details of how the attackers were able to backdoor the software updates delivered to customers are scarce, a few things have come out: The attack seems to have started with SolarWinds' email and the attackers collecting sensitive information; the attackers then compromised the build systems used for the Orion products — this would allow them to inject the malicious code into the product without it being added to the source code management system. 
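
One control that targets this specific gap, shown as an added example (not code from the article or from SolarWinds): rebuild the release from the tagged source on an independent machine and compare it file by file with what the build server shipped. It assumes the build is reproducible, so identical source yields byte-identical output; the file names and the `compare_builds` and `demo` helpers are hypothetical, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_builds(shipped: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Diff the package the build server shipped against an independent rebuild."""
    a, b = digest_tree(shipped), digest_tree(rebuilt)
    return {
        # Same path, different bytes: changed somewhere after source control.
        "modified": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
        # Shipped but not produced by the clean rebuild.
        "unexpected": sorted(a.keys() - b.keys()),
        # Produced by the rebuild but absent from the shipped package.
        "missing": sorted(b.keys() - a.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two tiny trees standing in for real build outputs."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        for tree in (shipped, rebuilt):
            tree.mkdir()
            (tree / "Product.Core.dll").write_bytes(b"constructed: core library")
            (tree / "Product.UI.dll").write_bytes(b"constructed: ui library")
        # Simulate a build-time change that never touched the repository.
        (shipped / "Product.Core.dll").write_bytes(b"constructed: core library + extra")
        (shipped / "helper.bin").write_bytes(b"constructed: file not in source")
        return compare_builds(shipped, rebuilt)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A source-code review alone would pass this release, because the repository is clean; only the comparison against a second, separately controlled build surfaces the difference.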

Compromising SolarWinds' build system in turn allowed attacks against its customers, such as FireEye; the data stolen from FireEye and other victims could potentially be leveraged to attack others, or even create new backdoors and malicious updates. One breach leads to another, and may lead to yet more. Attacks like this can have ripple effects that endure and spread surprisingly far.

For instance, as recently as earlier this year, a malicious change made to a single file, SolarWinds.Orion.Core.BusinessLayer.dll, and distributed as a hotfix to the application, affected untold businesses and agencies around the world.

There are always many lessons that can be learned from events like this, and as the story continues to become clearer in the days and weeks ahead, more opportunities to learn will likely be exposed. One clear lesson that the community has been discussing for years: Supply chain attacks can have a truly massive impact and should be carefully considered.

For a company that releases software that is used on its customers' networks, ensuring that it doesn't cause those customers harm is a sacred duty. While Hippocrates may or may not have used the exact phrase "first, do no harm," it's still an important consideration for all those that have trust placed in them, medical or otherwise. There is a moral duty to protect customers, and it should be taken seriously. This is not to lay blame at the feet of anyone involved (other than the attackers) but is meant as a reminder of the importance of finding the weak links and fixing them.

Any device, system, application, or service that can result in malicious code being added to a software release should be carefully monitored, secured, and treated with the utmost care to minimize the risk to customers. Trusting, for example, a build server to work and be secure without the proper caution can lead to disaster. Trusting, for example, a developer's laptop to be free of malicious influence can lead to disaster. Trusting development systems without applying the proper security controls places everyone at risk.

While perfect security is an impossible goal, risks should be understood, controls should be in place, and care should be taken at every opportunity to provide the safest possible software.

Adam Caudill is a principal security engineer at 1Password, and has 20 years of experience in research, security and software development. Adam's main areas of focus include application security, secure communications and cryptography. He is also an active blogger, speaker ...
