DEV Community

Cover image for What does SolarWinds Hack tell us about Backdoor Attacks?

What does SolarWinds Hack tell us about Backdoor Attacks?

ashok83 profile image Ashok Sharma ・4 min read

A backdoor is a type of malware that provides cybercriminals with unauthorized access to resources. It is usually installed by cybercriminals through unsecured or vulnerable entry points like outdated plug-ins or software. As its name suggests, a backdoor allows hackers to gain entry into an organization’s infrastructure from the back door — illegally or without authorization.

After they enter into the infrastructure, they gain access to almost every resource — data, networks, as well as systems. Moreover, a backdoor attack is usually stealthy, allowing cybercriminals to slip in totally undetected into the infrastructure.

Though cybercriminals target organizations of all sizes, small to medium-size businesses are potentially more vulnerable to backdoor attacks. The reason being they usually have lesser cybersecurity resources to secure entry points and/or detect and prevent successful attacks.

Since cybercriminals already know about SMBs and SMEs lacking budgets as well as security experts to detect and mitigate cyberattacks. This is the reason why the 2020 Data Breach Investigations Report by Verizon reported that 43% of cyberattacks are targeted at small businesses. And SolarWinds is one such example that got targeted by cybercriminals in December 2020, adding one more dangerous attack to the list of 2020 while the worldwide pandemic was already wreaking havoc on all.

But before discussing the SolarWinds attack, let’s understand how backdoor attacks work.

The first step in any cyberattack is the delivery of the malware. A backdoor malware is classified as a trojan — a malicious software masking itself as useful software but built for delivering malware, opening up a backdoor, and stealing data among other uses.

The name is inspired by the trojan horse story of the ancient Greeks, and similarly, computer trojans present a nasty surprise. And they prove to be a multifunctional instrument for cybercriminals, which come under many forms such as a file download or an email attachment with the support for delivering multiple types of malware.

Additionally, trojans may also behave like a worm with the ability to replicate themselves across networks and systems. For instance, Emotet — a banking trojan from 2014 — started as a data stealer across systems. Since then, it has evolved to deliver other malware.

In another example, cybercriminals hid a backdoor malware inside a free file converter. The program did not convert any files but only worked as a backdoor for its malicious creators.

Also, a backdoor malware may not be all targeting an organization’s networks and/or systems. Once cybercriminals manage to get inside the infrastructure, they may also employ a rootkit among other malicious instruments. A rootkit is designed to conceal the malware or cybercriminals’ activities from the operating system as well as security teams.

A backdoor along with a rootkit keeps the doors open for cybercriminals, allowing them to enter the premises any number of times without ever knocking on the door.

The attack on SolarWinds was no different — cybercriminals hid a neat backdoor inside a crucial part of SolarWinds Orion. The backdoor malware was first added to a DLL file named “SolarWinds.Orion.Core.BusinessLayer.dll”, which was later distributed to its customers in a supply chain attack.

The attack was discovered by FireEye — one of the customers of SolarWinds — when it discovered its Red Team assessment tools were stolen. Later, a coordinated report was issued by FireEye, Microsoft, SolarWinds, and the U.S. government stating that SolarWinds had been hacked by a state-sponsored hacker group.

Though it was discovered in December 2020, it is believed that the threat actors performed a test run of the distribution method as early as October 2019 and started distributing the backdoor in March 2020. After deep investigations performed by the team of organizations, researchers discovered additional malware and versions.

According to CrowdStrike, SunSpot malware was first executed to auto-inject the Sunburst backdoor in the development builds of SolarWinds. This backdoor malware was then auto-transferred to the victim clients via automatic updates.
And once it was installed and executed on the victims’ machines, it would regularly connect to its command and control server for receiving commands from its masters.

Then, Sunburst would deploy another malware named Teardrop, which has been previously used as a post-exploitation tool to deploy beacons of Cobalt Strike. Finally, there was another malware named RainDrop, which was used to deploy these beacons to other compromised machines.

Though multiple organizations are tracking the threat actors behind the attack on SolarWinds, Volexity — a Washington-based cybersecurity firm — has linked this attack to a hacking group using the moniker “Dark Halo”. Some unconfirmed media reports have also linked this group to the Russian Foreign Intelligence Service (SVR). But that is not all, the attack on SolarWinds has caught everyone’s attention because of the high-value targets.

It is believed that almost 18,000 customers were targeted using this attack including Cisco, Microsoft, the U.S. Department of Homeland Security (DHS), the U.S. Department of State, and the U.S. Department of the Treasury. That is the reason all the major cybersecurity firms in the world are working on mitigating the attack. Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the Sunburst backdoor.

Also, many of the cybersecurity software are now detecting, alerting, and even quarantining this backdoor. So, this is the lesson to learn from the attack on SolarWinds: an organization’s cybersecurity is as strong as the weakest link in its security infrastructure. Who would have thought that Microsoft may get hacked, right? But the reality is that any organization may get hacked because every organization uses numerous products and services these days.

And if hackers can compromise just one of them, they can gain access to the organization. And so, it is of utmost importance to periodically test and validate your security infrastructure and keep your networks and machines up to date — every day.

Discussion (0)

Editor guide