January 26, 2021

PUF is a Hardware Solution for the Sunburst Hack

On December 14, 2020, SolarWinds, which provides network monitoring software to the US government and private businesses, reported one of the largest cyberattacks in history, breaching the data of as many as 18,000 organizations and companies. The so-called ‘Sunburst’ attack by a still unknown group probably backed by a foreign government began in March 2020 and penetrated US intelligence and defense organizations as well as companies such as Microsoft and Cisco Systems.

Because Sunburst went undetected for so many months, cybersecurity experts are still assessing the impact and whether the attack has been fully contained. Former US Homeland Security Advisor Thomas P. Bossert warned that evicting the attackers from US networks may take years, allowing them to continue to monitor, destroy, or tamper with data in the meantime. While few have attempted to evaluate the cost of recovery, it’s certain to be in the billions of dollars. US Senator Richard Durbin described the attack as a declaration of war.

What were the exploited vulnerabilities?

The hackers took advantage of lax security at SolarWinds. The exploited vulnerability vector was a weak, and possibly leaked, password for an FTP server.

After establishing a foothold in SolarWinds, the attackers modified the source code of Orion software updates to include backdoor malware, which was then compiled, signed, and delivered through the existing software patch release management system. The exploited flaws include untrusted open-source and third-party software, weaknesses in code signing, and improper code integrity checks as the malware passed through the software development lifecycle.

As users installed the trojanized SolarWinds Orion update, the attackers gained a backdoor to enter target networks, infiltrate Microsoft Office 365 accounts, forge Security Assertion Markup Language (SAML) tokens to masquerade as legitimate users, and abuse single-sign-on (SSO) federated authentication mechanisms to gain escalated privileges and illegal access to additional on-premises services as well as to cloud services.

The main approaches to avoiding breaches by Sunburst-like hacks are as follows:

  • Strengthening development system and update server security by preventing the exploitation of software-distribution vulnerabilities.
  • Reducing organizational software supply chain risks by blocking malware access to the attackers’ C2 (command-and-control) channels and limiting credential abuse.
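The first approach above is where the Sunburst malware slipped through: code that had not been reviewed was compiled and signed anyway. The following is an added illustration, not code from this article or from SolarWinds, of a build gate that refuses to sign an artifact unless the files actually fed to the compiler match the manifest approved at review time; the file names, the release key and the HMAC-SHA256 stand-in for a real asymmetric code-signing scheme are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample data (assumptions, not SolarWinds artefacts): the manifest that
# code review approved, and a stand-in for an HSM-held release signing key.
APPROVED_MANIFEST = {
    "src/Core.cs": hashlib.sha256(b"public class Core { }").hexdigest(),
    "src/Update.cs": hashlib.sha256(b"public class Update { }").hexdigest(),
}
RELEASE_SIGNING_KEY = b"release-key-stand-in"

def manifest_of(tree: dict) -> dict:
    """Hash every file that will be handed to the compiler."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def integrity_findings(approved: dict, build_tree: dict) -> list:
    """Compare the approved manifest with what the build host actually compiles.
    Any added, removed or altered file is a finding that must block signing."""
    actual = manifest_of(build_tree)
    findings = []
    for path in sorted(set(approved) | set(actual)):
        if path not in approved:
            findings.append(f"unreviewed file added: {path}")
        elif path not in actual:
            findings.append(f"approved file missing: {path}")
        elif approved[path] != actual[path]:
            findings.append(f"content altered after review: {path}")
    return findings

def sign_if_clean(approved: dict, build_tree: dict, artifact: bytes):
    """Gate the signing step on the integrity check. Returns (signature, findings);
    the signature is None whenever the build inputs diverge from the approved manifest.
    HMAC-SHA256 stands in for the asymmetric signature a real pipeline would produce."""
    findings = integrity_findings(approved, build_tree)
    if findings:
        return None, findings
    return hmac.new(RELEASE_SIGNING_KEY, artifact, hashlib.sha256).hexdigest(), []

def verify_before_install(artifact: bytes, signature) -> bool:
    """Installer side: refuse anything unsigned or whose signature does not verify."""
    if signature is None:
        return False
    expected = hmac.new(RELEASE_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

# Constructed build trees: one matching review, one altered between review and compilation.
CLEAN_TREE = {"src/Core.cs": b"public class Core { }", "src/Update.cs": b"public class Update { }"}
TAMPERED_TREE = dict(CLEAN_TREE, **{"src/Update.cs": b"public class Update { /* injected */ }"})
```

The same gate also catches a file that was added to the build host without ever appearing in the reviewed tree, which is the case the approved-manifest comparison is really there for.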