A hell of a year capped off with Solarwinds

As the CIO of a cybersecurity company, the massive breach of Solarwinds through a supply chain attack has been keeping me up at night lately. Security and IT practitioners around the world did not have a restful time these last couple weeks and holidays as they responded across public and private organizations to understand the impact and scope. Let's take a look at the timeline of the Solarwinds supply chain attack: 

• December 8th: FireEye announces a breach involving their bespoke offensive security tools. During the investigation, they realize that Solarwinds Orion platform was how attackers go onto their network.
• December 14th: Solarwinds publishes two CVEs related to their Orion platform which enabled attackers to escalate privileges and run code remotely. Solarwinds announces that the affected versions could have potentially been deployed at 18,000 customers, including many of which are Federal government.
• December 14th: DHS orders directive to power down all ORION devices.
• December 15th: NSC activates PPD-41 to coordinate Federal agency response
• December 16th: FireEye finds killswitch and shuts down CnC, we still consider this an active breach situation across potentially thousands of organizations since the vulnerabilities enabled the ability to create persistence. 

This supply chain compromise enabled the attacker to deploy malware through someone else's software delivery mechanism. It seems targeted to US Federal agencies while also enabling access to corporate, state, and local entities. The update was digitally signed by the Solarwinds cert which begs the question of how they got access to that (insiders?). The download site was insecure but they still had to sign it to be trusted by Windows. The list of affected organizations now includes Microsoft, Treasury Department, US Department of Commerce, NIH, CISA, DHS, US Department of State, NNSA, DOE, three states, and the City of Austin. The impact of these breaches will not be known for some time. This points to the need (just like EternalBlue did) of modernizing our stack to reduce reliance on vendors with high rates of vulnerabilities such as Microsoft, Oracle Java and Adobe and to step up our pace of patching and ability to monitor anomalous user behavior.

This attack has every vendor working non-stop to understand any impacts to their supply chain and their customers. This type of attack has been around for a long time and with the consolidation of technical stacks and rise of IaaS, small compromises can have large surface areas. An open source Javascript library could include an XSS, a common binary could enable remote code execution vulnerabilities. We can make it harder for attackers to compromise these supply chains but as seen by this attack, persistent attackers can even digitally sign binaries to be trusted by operating systems and end users. 

To sum it up, it seems like while we were arguing about wearing masks, we got owned by the Russians.