Diagram depicting the life cycle staged approach of an advanced persistent threat (APT) which repeats itself once complete.

How to avoid unleashing malware on your customers, unlike SolarWinds

The SUNBURST malware, likely of Russian origin, was a remarkable and devastating breach of cybersecurity.  The data gathered will likely advantage the hackers and their government for years to come. If printed and stacked, the data gathered would be taller than the Washington Monument, per cyberconflict professor Thomas Rid.  

Homeland Security Adviser Thomas Bossert's op-ed in the New York Times is terrifying.  In it, he states, "the magnitude of this ongoing attack is hard to overstate...it will take years to know for certain which networks the Russians control and which ones they just occupy."  Below is a sample of the U.S. government that was infiltrated:

  • Department of Agriculture
  • Department of Commerce
  • Department of Defense
  • Department of Energy
  • Department of Health and Human Services
  • Department of Homeland Security
  • Department of State
  • Department of the Treasury

The types of commands that could be executed on the system include:

  • Registry operations (read, write, and delete registry keys/entries)
  • File operations (read, write, and delete files)
  • Run/stop processes
  • Reboot the system

How did the hack happen?

This was not a direct attack of these systems. Instead, the hackers infiltrated a trusted vendor (SolarWinds; NYSE: SWI), and that vendor's software was installed on systems. This is what is known as a Supply Chain Attack — the vulnerability is upstream of the eventual hacked software you install on your systems.    

While we can only speculate, some investigators have found that SolarWinds developers had made four mistakes: 1) they accidentally saved the FTP credentials for downloads.solarwinds.com to a git repository, 2) the password for those credentials was the weak 'solarwinds123', 3) that git repository was accidentally left public on GitHub, and 4) the FTP server allowed write access to the account with the weak password. I've noticed when I bring this up, most developers roll their eyes and mock. However, in my experience, this is an extraordinarily common mistake. Of all the security audits I've done for our DevSecOps offering, the supermajority had poor git hygiene and security practices such as this.

Don’t become a Supply Chain Attack vendor

Metal Toad is surrounded by third party vendors in our work with clients, and we ourselves are a third party vendor. I'm constantly paranoid that we ourselves could become the weak link in the chain. Below are some actions we take and all vendors should take too, to avoid becoming a vector.

  • Define a role and appoint an individual who is explicitly accountable for assessing vulnerabilities in the supply chain and build/deploy cycle.
  • Establish a methodology to create automated and tailored scanning of the SDLC toolchain (such as upon every pull request and every merge).
  • Scan for hard coded passwords and other security threads on every major event during a build/deploy cycle (most static code analysis tools do this).
  • Ensure all credentials are stored in a separate vault system, such as AWS Secrets Manager
  • Ban the use of username/password credentials, and enforce at minimum the use of keys.  Scan and audit this enforcement regularly.
  • Strictly scan and monitor, with both technology and human labor, often and obsessively, the security of servers used to distribute builds to customers.

Metal Toad offers a variety of rapid threat assessments, code audits, and management feedback offerings to assist our clients with improving their security and resilience  position. Please reach out today to learn more.

Image by Wikipedia.org

Date posted: January 12, 2021

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <cpp>, <java>, <php>. The supported tag styles are: <foo>, [foo].
  • Web page addresses and email addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Metal Toad is an Advanced AWS Consulting Partner. Learn more about our AWS Managed Services

About the Author

Tony Rost, Chief Technology Officer

Tony believes that customers' technology problems can be solved with deep respect, sound data, strong process, and adventurous teams. He uses data-driven methods to improve all stages of the development lifecycle – from design, to beta, to final deployment. With numerous ties to the open-source community, Tony also works to solve client problems faster and more effectively with well-tested open-source solutions.

Several dozen products have shipped under his guidance over the past 14 years: collaborative internal sites at Nike, social networking integrations with Adidas, server-monitoring websites at Hewlett Packard, open source contributions to Drupal, entertainment sites such as The Emmys, community sites such as FearNET, and HTML5 apps for tablets and Smart TVs.

Have questions?