On December 14, 2020, SolarWinds, which provides network monitoring software to the US government and private businesses, reported one of the largest cyberattacks in history, breaching the data of as many as 18,000 organizations and companies. The so-called ‘Sunburst’ attack by a still unknown group probably backed by a foreign government began in March 2020 and penetrated US intelligence and defense organizations as well as companies such as Microsoft and Cisco Systems.
Because Sunburst went undetected for so many months, cybersecurity experts are still assessing the impact and whether the attack has been fully contained. Former US Homeland Security Advisor Thomas P. Bossert warned that evicting the attackers from US networks may take years, allowing them to continue to monitor, destroy, or tamper with data in the meantime. While few have attempted to evaluate the cost of recovery, it’s certain to be in the billions of dollars. US Senator Richard Durbin described the attack as a declaration of war.
What were the exploited vulnerabilities?
The hackers took advantage of lax security at SolarWinds. The vulnerability vector exploited is a weak and possibly leaked password to an FTP server.
After establishing a foothold in SolarWinds, the attackers modified the source code of Orion software updates to include backdoor malware, which was compiled, signed, and delivered through an existing software patch release management system. The exploited flaws include untrusted open-source and third-party software, weaknesses in code signing and improper code integrity checks as the malware passed through the software development lifecycle.
As users installed the trojanized SolarWinds Orion update, the attackers gained a backdoor into target networks, infiltrated Microsoft Office 365 accounts, forged Security Assertion Markup Language (SAML) tokens to masquerade as legitimate users, and abused single sign-on (SSO) federated authentication mechanisms to escalate privileges and gain unauthorized access to additional on-premises services as well as to cloud services.
The main approaches to avoiding breaches by Sunburst-like hacks are as follows:
- Strengthening development system and update server security by preventing the exploitation of software-distribution vulnerabilities
- Reducing organizational software supply chain risks by blocking malware access to the attackers’ command-and-control (C2) channels and by limiting credential abuse.
How a PUF can protect against Sunburst-like attacks
A root of trust (RoT) is a set of functions implemented in hardware that is always trusted by a device’s operating system. It contains keys used for cryptographic functions and enables a secure boot process. A trusted platform module (TPM) is an example of a RoT. The US Department of Defense (DoD) has required that its new computer assets include TPM version 1.2 or higher. DoD aims to use TPM for device identification, authentication, encryption and device integrity verification.
A physical unclonable function (PUF) can further enhance RoT security. A PUF is a physically-defined “fingerprint” that serves as a unique identity for a semiconductor, with tamper-proof qualities for secure authentication. The most secure implementation of a RoT is in hardware, where it is immune from malware attacks. For this reason, a chip-based PUF can provide a strong foundation for security.
We believe that PUFs will play a key role in mitigating Sunburst-like hacks thanks to their ability to perform digital certification and identity authentication. A PUF-based RoT can play a key role in the following ways:
- Preventing unauthorized access to a software development system and servers. A PUF-based RoT solution can work with Microsoft authentication protocol (e.g., NetLogon) or another password-less open authentication standard like FIDO (Fast Identity Online) and facilitate stronger multi-factor authentication based on signature creation with an authentication key pair.
- Ensuring source code integrity even on the developer’s platform. Hackers entered SolarWinds’ system and its developer platform to embed the Trojan into its code library. If an integrity check had been deployed for version control, SolarWinds engineers could have discovered that their code had been changed. A PUF-derived key can be combined with the code to produce a keyed hash digest that protects the integrity of the source code.
- Securing the confidentiality and integrity of the updated program. Once the integrity of the code libraries is ensured, the integrity of the final program is secured. Then, to update the user’s program over the air (OTA), the program needs to be encrypted and hashed so that users receive the correct program. Crypto engines inside the secure boundary of a PUF-enabled chip can generate the keys used to perform these encryption and integrity functions.
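The keyed-digest integrity check described for the source tree and the update package, as an added example that is not PUFsecurity's code: a constant stands in for the PUF response (on real silicon it never leaves the chip), a purpose-bound key is derived from it, and a keyed hash over the code tree detects an unauthorized modification that a plain unkeyed hash could not prove was unauthorized. The file paths and contents are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for a PUF response. On real hardware this secret is
# generated inside the chip's secure boundary; it is a constant here only so
# the example runs offline.
SIMULATED_PUF_RESPONSE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def derive_key(puf_response: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-bound key (e.g. source-integrity, update-integrity)
    from the PUF response with an HMAC-based extraction step."""
    return hmac.new(puf_response, b"kdf|" + purpose, hashlib.sha256).digest()


def keyed_digest(key: bytes, files: Dict[str, bytes]) -> str:
    """HMAC-SHA256 over a code tree. Paths are sorted and each entry is
    length-prefixed so the digest does not depend on insertion order and
    cannot be confused by boundary shifts between path and content."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for path in sorted(files):
        data = files[path]
        mac.update(path.encode("utf-8") + b"\x00")
        mac.update(len(data).to_bytes(8, "big"))
        mac.update(data)
    return mac.hexdigest()


def verify(key: bytes, files: Dict[str, bytes], expected: str) -> bool:
    """Constant-time comparison of the recomputed digest against the baseline."""
    return hmac.compare_digest(keyed_digest(key, files), expected)


# Constructed sample source tree (hypothetical file names).
SOURCE_TREE = {
    "src/update_agent.cs": b"public class UpdateAgent { void Run() { } }\n",
    "src/telemetry.cs": b"public class Telemetry { void Send() { } }\n",
}


def demo() -> Tuple[bool, bool]:
    """Returns (baseline verifies, modified tree verifies)."""
    key = derive_key(SIMULATED_PUF_RESPONSE, b"source-integrity")
    baseline = keyed_digest(key, SOURCE_TREE)
    modified = dict(SOURCE_TREE)
    modified["src/update_agent.cs"] += b"// unauthorized change (constructed)\n"
    return verify(key, SOURCE_TREE, baseline), verify(key, modified, baseline)
```

Without the PUF-derived key an attacker who alters the tree cannot recompute a matching digest, which is the property an unkeyed SHA-256 manifest stored beside the code lacks.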
Can we protect against future attacks?
It’s clear that traditional software-based security solutions are ineffective in detecting or mitigating Sunburst attacks. We are advocating more effective models.
A PUF can provide a security foundation with functions like non-forgeable user identities and credentials, robust authentication, and secret keys for code signing, as well as secure boot, updates and access controls. Per ENISA’s guidelines for IoT security, PUF is recommended as a key technology. PUF is expected to provide a strong RoT as the foundation for security measures (e.g., firmware signing or secure boot), as well as unequivocal device identification and authentication to assure that a given chip or device is genuine. We at PUFsecurity have offered our NeoPUF technology as a RoT solution to secure the IoT supply chain. Building upon this strong foundation, we are optimistic that enhanced PUF solutions for the software supply chain can defend against future Sunburst-like attacks.
We hope that the SolarWinds hack will spur fundamental reforms. While Internet technology has grown exponentially, the development of security measures has typically been an afterthought. We advocate for a multi-layered defense against hacks that includes better administrative practices, improved software security and vital safeguards at the hardware level. Our company, PUFsecurity, has been focused on these threats for several years now and provides a range of intellectual property that can be incorporated in other companies’ chips.
Albert Jeng is an information security consultant to PUFsecurity. He has been working as a researcher, consultant and educator in the information security field for most of his 40-year career. In addition to his ongoing work as a consultant, he has also most recently been an adjunct full professor in the Department of Computer Science and Information Engineering at Taiwan’s National Tsing Hua University.