Advanced Persistent Threats (APTs) have long been a concern of the cybersecurity community. Well-organized, well-resourced teams that keep attacking a chosen target until their mission is accomplished are not a threat to be underestimated. Their tactics combine several attack types: exploiting zero-day vulnerabilities, social engineering, gaining initial access, establishing a foothold and deepening access, and then remaining in the target's systems undetected until they reach their goal.
The recently detected, high-profile SolarWinds hack is a typical APT attack. It targeted several US federal departments, private companies and critical infrastructure organizations, and went undetected since at least March of last year. The initial infection vector identified so far is a malicious update of SolarWinds Orion, a platform that provides full IT stack monitoring services. Rather than a vulnerability in the product itself, the update had been trojanized in the software supply chain: FireEye, which detected the attack, discovered SUNBURST, a backdoor embedded in legitimate SolarWinds Orion updates, which gave the attackers access to the systems that monitor and manage victims' networks and therefore a foothold inside those networks.
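One concrete thing a defender can do with the SUNBURST disclosure is retro-hunt DNS logs for the backdoor's command-and-control domain. The script below is an added example written for this page, not code from the original article or from FireEye or SolarWinds. It relies on one public fact from the SUNBURST reporting, that the backdoor beaconed to subdomains of avsvmcloud.com; the log format, hostnames and the random-looking subdomain label are constructed for the example. It matches on the domain suffix rather than on a substring, so a look-alike such as notavsvmcloud.com is not flagged, and it normalizes case and trailing dots, which real resolvers emit inconsistently.

```python
import re
from typing import Dict, Iterator, List

# Public indicator from the SUNBURST reporting: C2 traffic went to subdomains
# of avsvmcloud.com. Extend this tuple with other vetted indicators as needed.
SUNBURST_C2_DOMAINS = ("avsvmcloud.com",)

# Constructed sample log for this example; not from any real environment.
# The long subdomain label on the second line is invented, but the
# "<label>.appsync-api.<region>.avsvmcloud.com" shape mirrors the published IOCs.
SAMPLE_DNS_LOG = """\
2020-12-01T09:12:44Z host=orion01 query=update.solarwinds.com type=A
2020-12-01T09:13:02Z host=orion01 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=A
2020-12-01T09:14:10Z host=ws17 query=notavsvmcloud.com type=A
2020-12-01T09:15:33Z host=orion01 query=AVSVMCLOUD.COM. type=A
2020-12-01T09:16:01Z host=ws17 query=www.example.org type=AAAA
"""

# Hypothetical key=value log layout assumed for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) type=(?P<type>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def matches_c2(qname: str, c2_domains=SUNBURST_C2_DOMAINS) -> bool:
    """True if qname is an indicator domain or any subdomain of one.

    Suffix matching on a label boundary avoids substring false positives
    such as notavsvmcloud.com.
    """
    name = normalize(qname)
    for domain in c2_domains:
        if name == domain or name.endswith("." + domain):
            return True
    return False


def parse(log: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def find_c2_lookups(log: str) -> List[Dict[str, str]]:
    """Return every parsed record whose queried name matches a C2 indicator."""
    return [rec for rec in parse(log) if matches_c2(rec["query"])]


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['host']} looked up {hit['query']}")
```

On the sample above only the two queries from orion01 are reported; the look-alike domain from ws17 is correctly ignored. In a real hunt the same suffix check can be pointed at resolver or EDR DNS telemetry, and a hit on a host that runs Orion is a strong signal that the trojanized update was installed and activated there.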
As is common in APTs, the list of vulnerabilities exploited will probably grow, both in the supply chain and in the internal systems of the targeted entities, as the attackers deepened and escalated their access. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), other initial infection vectors besides the SolarWinds-related one are being investigated. While the initial infection vectors may involve further entities in the supply chain and/or vulnerabilities in the targeted entities themselves, the attackers are likely to have exploited vulnerabilities in internal systems to widen their access once inside. Cybersecurity reporter Brian Krebs has linked a recently identified VMware vulnerability to the SolarWinds attack as a possible escalation method, given that access to internal systems had already been achieved through the SolarWinds compromise.
Many questions are yet to be answered as the investigation and…