SolarWinds & Accellion Breaches: Supply Chain Attacks Wreaking Havoc

When it comes to cyber security, it’s not possible to pinpoint the single biggest threat against organizations globally. However, supply chain attacks are doing their best to earn that honor. In a supply chain attack, a threat actor infiltrates an organization’s systems through a third-party provider or partner that has access to its data and systems. In fact, according to an article by National Defense Magazine, two-thirds of breaches are the result of supplier or third-party vulnerabilities.

As more and more suppliers and service providers gain access to a company’s data, the organization becomes more vulnerable to these attacks. There have been numerous supply chain attacks on organizations around the globe. The SolarWinds attack and the Accellion breach are two of the most prominent examples of these attacks. So, let’s find out what really happened in these two cases, shall we?


The Story of the SolarWinds Hack

SolarWinds is a prominent software company that provides thousands of organizations worldwide with numerous technical services and system management tools for infrastructure and network monitoring. Considered the biggest data breach of the 21st century, the SolarWinds attack has made its place among the world-shaking events of the decade.

The breach occurred through the company’s IT performance monitoring system called Orion. Through this hack, the threat actors gained access to the systems, data and networks of thousands of SolarWinds customers who were using the Orion network management system for managing their IT resources.

How Did it Happen?

The hackers inserted malicious code into the Orion network management system, which was used by numerous government agencies and multinational companies globally. Due to the addition of this malicious code, the SolarWinds Orion Platform created a backdoor that allowed the hackers to access accounts and impersonate users of victim organizations.

The malware was capable of accessing system files and seamlessly blending in with legitimate SolarWinds activity without being detected. The hackers installed this malicious code into a new batch of software, which was sent out to customers by SolarWinds as an update at the beginning of March 2020. More than 18,000 customers of the company installed the update, allowing the malware to spread undetected. The hackers used this hidden code to access the IT systems of SolarWinds customers, using them to install even more malware.

Who Was Affected?

Multiple government agencies and commercial industry verticals around the world were affected by the infamous SolarWinds hack. According to an SEC filing by SolarWinds, around 18,000 of its customers were using the vulnerable versions of the Orion platform, which include:

  • SolarWinds Orion Platform Version 2020.2 HF 1
  • SolarWinds Orion Platform Version 2019.4 HF 5
  • SolarWinds Orion Platform Version 2020.2
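As an added example that is not part of the original post and not SolarWinds' own tooling, the following Python script triages a software inventory against the three Orion builds named above; the inventory format, host names and version strings are constructed for illustration.

```python
import re

# Orion builds the post lists as shipping with SUNBURST, as (release, hotfix);
# a build with no "HF" suffix is recorded as hotfix 0.
AFFECTED_BUILDS = {("2020.2", 1), ("2019.4", 5), ("2020.2", 0)}

# Matches "2020.2" or "2020.2.1", optionally followed by "HF 1" / "hf1".
VERSION_RE = re.compile(r"(\d{4}\.\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?", re.IGNORECASE)

def parse_orion_version(text):
    """Return (release, hotfix) parsed from a product string, or None.

    Point releases are kept intact on purpose: a pattern that stopped at
    '2020.2' would misreport a 2020.2.1 build as the affected 2020.2.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (m.group(1), int(m.group(2) or 0))

def classify(text):
    """'affected' if the build is on the post's list, 'not-listed' if a
    version was found but is not on it, 'unknown' if none was found.
    'not-listed' only means absent from the three named versions; it is
    not a statement that the build is clean."""
    v = parse_orion_version(text)
    if v is None:
        return "unknown"
    return "affected" if v in AFFECTED_BUILDS else "not-listed"

def triage_inventory(lines):
    """Map each 'host,product' inventory line to its classification."""
    result = {}
    for line in lines:
        host, _, product = line.strip().partition(",")
        if host:
            result[host] = classify(product)
    return result

# Constructed sample inventory; host names and version strings are made up.
SAMPLE_INVENTORY = [
    "nms01,SolarWinds Orion Platform Version 2020.2 HF 1",
    "nms02,SolarWinds Orion Platform 2019.4 hf5",
    "nms03,Orion Platform 2020.2",
    "nms04,Orion Platform 2020.2.1 HF 2",
    "nms05,Network Performance Monitor (version not recorded)",
]
```

Hosts classified as "unknown" need their version recorded before the inventory can be trusted, and "not-listed" hosts should still be checked against the vendor's advisory rather than assumed clean.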

Several US government departments, such as Homeland Security, Commerce, State and Treasury, were also affected by this breach. A reputable cyber security company, FireEye, was the first known victim of this breach and was also responsible for disclosing the attack in December 2020. Many other NGOs and Fortune 500 companies also fell victim to the breach.

Impact of SolarWinds Supply Chain Attack (Source: Ars Technica)

When Did Everything Happen?

Here is the list of major events associated with the SolarWinds Hack:

  • 4th September 2019: Hackers accessed SolarWinds.
  • 12th September 2019: Hackers injected the test code and performed a trial run. They used a sophisticated injection source for inserting the SUNBURST malicious code into the Orion Platform software.
  • 20th February 2020: Hackers compiled and deployed the SUNBURST attack.
  • 4th June 2020: Hackers removed the SUNBURST malicious code from SolarWinds systems.
  • 8th December 2020: FireEye, a cyber security company, uncovered a breach in its systems and launched an investigation.
  • 12th December 2020: FireEye disclosed that the breach was the result of a cyber attack on SolarWinds’ Orion Platform.
  • 15th December 2020: SolarWinds released a software fix.

Affecting thousands of organizations ranging from MNCs to government agencies, the SolarWinds hack has become the biggest example of the disastrous impact a supply chain attack can have. 

Analyzing the Infamous Accellion Breach

Accellion, a world-renowned company that specializes in secure collaboration and file-sharing software, suffered a zero-day attack targeting its File Transfer Appliance (FTA) software. Hackers exploited the vulnerabilities in the FTA software to launch attacks on numerous Accellion customers and partners. This supply chain attack has led to disastrous attacks on many well-known and prestigious companies worldwide. 

How Did it Happen? 

Hackers exploited four zero-day vulnerabilities in the File Transfer Appliance (FTA) software in December 2020. The four vulnerabilities were CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104. The threat actors exploited these vulnerabilities to install an undetected web shell called DEWMODE on Accellion’s FTA app. This backdoor enabled the hackers to exfiltrate data from the networks of the victim companies.

DEWMODE is specially designed to extract the files stored in the FTA’s database. The attackers are also capable of erasing any traces of their activity once they have obtained the data they are looking for. A few weeks after the hackers stole the data via DEWMODE, some victims received extortion emails claiming to be from the CLOP ransomware operation.

Who Was Affected?

Perpetrators behind the Accellion breach have attacked many of its high-profile clients and customers. Some of the most famous victims of the breach include big names like Australian Securities and Investments Commission, Bombardier, Flagstar Bank, Kroger, Jones Day Law Firm, Qualys, Singtel, Reserve Bank of New Zealand, Royal Dutch Shell, Stanford University, Trinity Health, University of California and the University of Colorado.

Even though organizations from all industries have suffered due to this breach, the healthcare industry is believed to have been hit the hardest. The U.S. Department of Health and Human Services has also become a victim of this breach, and at least seven other healthcare organizations in the US have been affected. Sensitive data belonging to multiple victims has been found posted on the FIN11-operated CLOP dark web site.

Data of the Breach’s Victims on the Dark Web (Source: Bank Info Security)

When Did Everything Happen?

Here is the list of major events associated with the Accellion breach:

  • 16th December 2020: Exploit tripped FTA’s built-in anomaly detector on the device of a customer, who immediately notified Accellion, triggering an investigation.
  • 20th December 2020: Accellion released a patch to remediate two vulnerabilities found during the investigation.
  • 23rd December 2020: Accellion released a patch to increase the anomaly detector checks to one per hour.
  • 20th January 2021: Another exploit occurred.
  • 22nd January 2021: Accellion learned of the new exploit through multiple customer service inquiries and launched an investigation. It issued a critical security alert warning to its customers to shut down their FTA systems right away.
  • 25th January 2021: Accellion released a new patch to remediate the two new vulnerabilities found during the investigation. 
  • 28th January 2021: Accellion released a patch to increase the anomaly detector checks to one every 10 minutes.

Listed amongst the most damaging mega-breaches of all time, the Accellion breach has clearly shown how hundreds of giant organizations can be brought to their knees by exploiting a single vendor.

The amount of damage done by these two mega-breaches has shaken the world of cyber security. In addition to their long-lasting impact on the affected organizations and individuals, these breaches have proved how lucrative an attack vector the supply chain can be for cyber criminals, which makes it an even bigger threat.

So, take the necessary precautions now and make sure your organization doesn’t join the list of victims when another major supplier is breached in the coming times. 



*** This is a Security Bloggers Network syndicated blog from Kratikal Blogs authored by Dhwani Meharchandani. Read the original post at: