How to Avoid a SolarWinds-Style Malware Attack

The SEC says SolarWinds was impacted by a supply chain attack, but the evidence may not support that.

May 20, 2024


By Tom Tovar, CEO & Co-Creator, Appdome

In an earlier article, I suggested that the Securities and Exchange Commission's (SEC's) disclosure rules be used for something else: remediation. Today, I want to address another big question: Was it really a supply chain attack, as the SEC claims?

The SEC Indictment in a Nutshell

On Oct. 30, 2023, the SEC filed a complaint against SolarWinds and its chief information security officer (CISO), Timothy Brown, charging "fraud and internal control failures" in connection with a major cybersecurity incident involving the company's flagship product. In its complaint, the SEC suggested that the source of the attack was a "supply chain" attack.

What's a Supply Chain Attack?

A supply chain attack is when the attacker exploits a vulnerability in a third-party system or software to gain unauthorized access to an organization's systems or infrastructure. Then, attackers use the compromised third-party software or systems to inject malware onto the organization's systems and infrastructure. For it to be a supply chain attack, the attacker must exploit the third-party system or software.

The SolarWinds Attack

The SEC explained the root of the SolarWinds attack as follows:

"SolarWinds had a known vulnerability that allowed access to the Company's virtual private network ('VPN') through unmanaged devices such as cell phones and laptops that were neither owned nor operated by the Company. ... [Essentially,] a user with credentials could evade SolarWinds' data loss prevention software by logging on to SolarWinds' VPN network from a [BYOD] device that was not owned or managed by the Company's information technology department."

It's typical to have unmanaged bring-your-own-device (BYOD) mobile phones connected to a company's infrastructure via a VPN. That's not a "vulnerability" but a standard part of enterprise mobility infrastructures. For me, the more important bit comes down to this statement by the SEC:

"Additionally, SolarWinds did not follow its existing Enterprise Security Standards and Guidelines requiring client device integrity checks [before the use of] the VPN."

Using mobile device integrity checks prior to allowing connections to a VPN definitely would have helped. If the integrity checks are sophisticated enough to detect the presence of malware (and the injection of packages via the VPN), there might not have been an exploit to discuss.

How to Avoid the SolarWinds Malware Attack

There are three ways to avoid a SolarWinds malware attack.

First, follow the recommendation of one SEC witness, known as Network Engineer D, and use "certificates for machine authentication," to allow full access to "verified/trusted devices ... under IT control," while allowing others using the VPN to have "access to less resources." In other words, use an advanced mobile EDR defense method of embedding a client-level certificate in the VPN app (or any other mobile application on the subject device). When the VPN app connects to the enterprise network, it provides the certificate in the TLS handshake to allow the infrastructure to verify legitimate requests and block or restrict access from other clients. This class of defense can be enriched with deep device integrity checking and malware telemetry, all to provide "safe" or "at-risk" session data inside the VPN.

Second, follow the advice of the SEC and use "existing internal guidelines requiring client device integrity checks" before granting access to critical systems and infrastructure. The problem here is that "integrity checks" often don't go far enough, or worse, only work with managed devices — which (in this case) wasn't the source of the attack. Legacy integrity checks look for simple things like jailbreak, root, and the tools that are used to create these states. Deep integrity checking can be achieved but needs to cover the gamut of growing attack vectors in mobile apps and on mobile devices including malware, spyware, accessibility abuse, remote access Trojans (RATs), RDC apps, man-in-the-middle (MitM) attacks, social engineering attacks, geolocation spoofing, and more.

Third, you can extend the deep device integrity checks into any (all?) mobile applications used on mobile devices in your enterprise, eliminating the single point of failure or single source telemetry from stand-alone, isolated, mobile agents, or mobile threat defense (MTD) apps on the device. A better approach would be to enlist all enterprise mobile applications in the mobile defense model, as (a) the mobile application is likely the target of the attack, and (b) attackers will use the different ways each mobile application accesses, retrieves, stores, and communicates with other elements of the device, network, and back end. By enlisting all mobile applications on managed and unmanaged mobile devices in the defense model, all doors to the attackers will be guarded and you can keep your network safe from SolarWinds-class attacks.

Conclusion

Between SolarWinds and its customers, the exploit was definitely a supply chain attack. But, looking internally at SolarWinds, the VPN wasn't exploited. The attack came from BYOD devices connected to the VPN, a standard configuration used everywhere. SolarWinds teaches us that organizations need deeper inspection and distributed detection models to keep the infrastructure safe from malware. On managed and unmanaged devices alike, legacy device integrity checks wouldn't be enough, as they provide limited detections and only work for managed devices. What's needed is something more — a layered defense model that enlists all mobile applications in the detection network, deeper device inspection, and "safe" and "at risk" session data inside the VPN connection.

About the Author


Tom Tovar is the co-creator of Appdome, the only fully automated unified mobile app defense platform. Today, he's a coder, hacker and business leader. He started his career as a Stanford-educated, tech-focused, corporate and securities lawyer. He brings practical advice to serving as a board member and in C-level leadership roles at several cyber and technology companies.
