December 23, 2020
By Hank Schless
On December 17, CISA released an alert about an advanced persistent threat (APT) that compromised a number of U.S. government agencies, U.S. technology and accounting companies, and at least one hospital and one university.
The attack was carried out by inserting malicious code into a software update for the Orion platform from network management software company SolarWinds. SolarWinds estimated that up to 18,000 customers installed the trojanized update, and that update gave the attackers a backdoor into the networks of an as-yet unknown subset of those customers.
This backdoor gave the threat actors, who investigators believe are state-sponsored, the ability to exfiltrate files, execute code, profile the infiltrated system, reboot the machine and disable system services. The backdoor also disguised its command-and-control traffic as the Orion software's own legitimate network activity, so it blended in with the traffic an administrator would expect from a network management tool.
This incident is an example of a software supply chain attack. As with any product, software has a supply chain behind it from initial development through delivery to the customer. Just like if someone were able to install microphones in pen caps to eavesdrop on millions of daily private conversations, a software supply chain attack can enable an attacker to distribute malware to a massive number of organizations all at once.
This particular supply chain attack is a powerful reminder that attacks from unexpected angles can have wide impact. From the threat actors' perspective, a software supply chain attack is a highly efficient tactic: by infiltrating just one provider's systems, they can gain access to the infrastructure of thousands of organizations.
To get as far as they did in this case, the threat actors followed the classic cyber kill chain. How SolarWinds itself was initially compromised is not yet known; one plausible scenario is that the attackers obtained login credentials through a phishing campaign.
Once inside the provider's infrastructure, the threat actors were able to insert malicious code into the Orion software updates. Then, through the standard software update procedure, thousands of customers unknowingly deployed a backdoor into their organizations' networks. Because the investigation is still ongoing, the number of organizations actually attacked and the full extent of the damage are not yet known.
The same attack chain applies to any platform to which software is delivered, including tablets and smartphones as well as desktops and laptops.
To mitigate the risk of this type of attack, organizations must implement Zero Trust across their entire infrastructure. Zero Trust grants access based on the identity of the user and their device plus other attributes and context (for example time of day, geolocation and device posture), and adapts the level of trust granted to the risk present at the moment of the request.
What this software supply chain attack shows is that you cannot let any user or device access your systems until the user's identity is proven and the device is shown to be free of compromise. One way organizations add that extra layer of authentication is multi-factor authentication (MFA) or a passwordless approach. However, because both strategies depend on a secondary authentication device, which is frequently a mobile phone, neither is a silver bullet: if that phone is compromised, the factor it provides is compromised with it.
In order to execute a true defense-in-depth security strategy that follows the principles of Zero Trust, organizations must secure their mobile devices with the same level of priority as traditional endpoints such as desktops and laptops.
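The adaptive access decision described above, as an added example that is not code from the original post or from any vendor's product: a request carries the user's identity, the posture of the requesting device, the posture of the phone that answered MFA, and context (country, time of day, resource). Policy returns allow, step-up or deny. The policy constants, resource names, thresholds and sample requests are all assumptions constructed for the example; the point it demonstrates is that a compromised device is denied outright regardless of MFA, and that a second factor answered from a compromised phone is discounted rather than trusted.

```python
"""Hypothetical context-aware (Zero Trust) access policy. Example code, not a product's."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # allow only after a fresh second factor from a healthy device
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enrolled in MDM / mobile security agent reporting
    compromised: bool        # jailbreak, root or malware flagged by the agent
    os_patch_age_days: int   # days since the installed OS security patch level
    risky_app: bool          # an installed app whose permissions violate policy


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device: DevicePosture    # the endpoint making the request
    country: str             # ISO country code from geolocation
    when: datetime
    mfa_fresh: bool          # a second factor was completed in this session
    mfa_device: Optional[DevicePosture] = None  # posture of the phone that answered MFA


# Assumed policy constants for the example.
SENSITIVE_RESOURCES = {"finance-erp", "source-control"}
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59
MAX_PATCH_AGE_DAYS = 30
STEP_UP_THRESHOLD = 2
DENY_THRESHOLD = 5


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision and the reasons that drove it."""
    reasons: list[str] = []
    # Hard fail: a compromised endpoint gets nothing, whatever the identity or MFA state.
    if req.device.compromised:
        return Decision.DENY, ["requesting device is compromised"]

    # MFA only counts if the device that answered it is itself trustworthy: a rooted
    # phone holding the authenticator hands the attacker the second factor as well.
    mfa_trusted = req.mfa_fresh and not (req.mfa_device is not None and req.mfa_device.compromised)
    if req.mfa_fresh and not mfa_trusted:
        reasons.append("second factor discounted: MFA device is compromised")

    score = 0
    if not req.device.managed:
        score += 2; reasons.append("unmanaged device")
    if req.device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        score += 2; reasons.append(f"OS patch level {req.device.os_patch_age_days} days old")
    if req.device.risky_app:
        score += 1; reasons.append("app violating permission policy installed")
    if req.country not in ALLOWED_COUNTRIES:
        score += 3; reasons.append(f"request from {req.country}")
    if req.when.hour not in BUSINESS_HOURS:
        score += 1; reasons.append("outside business hours")
    if req.resource in SENSITIVE_RESOURCES:
        score += 2; reasons.append("sensitive resource")   # always needs a trusted factor

    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    if score >= STEP_UP_THRESHOLD and not mfa_trusted:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


# Constructed sample postures and requests.
HEALTHY = DevicePosture(managed=True, compromised=False, os_patch_age_days=5, risky_app=False)
ROOTED = DevicePosture(managed=True, compromised=True, os_patch_age_days=5, risky_app=False)
STALE = DevicePosture(managed=True, compromised=False, os_patch_age_days=45, risky_app=False)
BYOD = DevicePosture(managed=False, compromised=False, os_patch_age_days=90, risky_app=True)
DAY = datetime(2020, 12, 23, 10, 0, tzinfo=timezone.utc)
NIGHT = datetime(2020, 12, 23, 23, 0, tzinfo=timezone.utc)


def demo() -> dict[str, Decision]:
    cases = {
        "healthy_with_mfa": AccessRequest("alice", "mail", HEALTHY, "US", DAY, True, HEALTHY),
        "rooted_device": AccessRequest("alice", "mail", ROOTED, "US", DAY, True, HEALTHY),
        "byod_abroad_at_night": AccessRequest("bob", "mail", BYOD, "XX", NIGHT, False),
        "stale_after_hours_no_mfa": AccessRequest("bob", "mail", STALE, "US", NIGHT, False),
        "stale_after_hours_mfa_ok": AccessRequest("bob", "mail", STALE, "US", NIGHT, True, HEALTHY),
        "stale_after_hours_mfa_from_rooted": AccessRequest("bob", "mail", STALE, "US", NIGHT, True, ROOTED),
        "sensitive_no_mfa": AccessRequest("carol", "source-control", HEALTHY, "US", DAY, False),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:38s} -> {decision.value}")
```

The design choice worth noting is that MFA is a signal that feeds the decision, not a gate that short-circuits it: `evaluate` asks where the factor came from before it counts, which is exactly the gap a compromised phone opens.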
A similar supply chain attack on mobile apps could have an even broader and more devastating impact than the SolarWinds hack.
If attackers infiltrated the developer of a widely used mobile app and injected malicious code into its next update, hundreds of millions of mobile users could be compromised. Because we rely on our mobile devices for countless personal and work functions every day, we treat them as extensions of ourselves and trust them to be inherently secure. The SolarWinds attack highlights the need to monitor and protect everything that touches your infrastructure, especially software from third-party app vendors.
Because we all want the latest versions of our apps, we rely on automatic updates from the iOS App Store and Google Play Store so that we never have to think about updating manually. Attackers know we trust automatic updates, and a mobile software supply chain attack would turn that trust against us.
Mobile endpoints present a unique risk surface to IT and security teams across every industry. As such, those teams need to ensure security for those devices meets specific requirements unique to mobile operating systems.
One of the difficulties of securing smartphones and tablets is the number of apps a typical user has installed, combined with a lack of visibility into what permissions those apps hold and how they access, handle and transfer data on the device. Security admins need a way to make informed decisions about whether to permit specific apps on employees' devices without invading their privacy.
As part of the Zero Trust architecture, security admins also need to be able to detect compromised mobile devices that could be exploited, rendering MFA useless. If the attackers are able to subvert the device, they will have an all-access backstage pass to your infrastructure.
The other way they can gain that level of access is to phish for credentials. Mobile phishing is a unique issue because of the number of ways that an attacker can deliver phishing attacks to mobile users. SMS, iMessage, e-mail, third party chat apps, gaming and even dating apps are all places where mobile phishing links can be delivered.
Phishing is also one of the most common initial access vectors behind data breaches and ransomware attacks, and mobile devices make it easier for attackers to socially engineer targets. The mixed work and personal use of smartphones and tablets puts their users at higher risk of a phishing attack. To make sure corporate logins are not compromised through personal channels, for example a link to a fake Office 365 login page sent via WhatsApp, organizations need mobile phishing protection in place.
This software supply chain attack is a strong reminder that we cannot inherently trust anything that has access to internal corporate data or infrastructure. Organizations must adopt a Zero Trust architecture to ensure that all devices, individuals and third-party software are free of malicious content. IT and security teams need to give every endpoint, from tablets and smartphones to desktops and laptops, equal priority when securing their organization's infrastructure.
Hank Schless Senior Manager, Security Solutions