AWS and Azure used in SolarWinds Attack

The SolarWinds exploit was one of the biggest security breaches of the past year. There’s now no doubt that this cyberattack was the result of a very sophisticated effort. Microsoft estimated that it was the likely result of a 1000 engineers working on the creation of the malware. The attack worked by compromising SolarWinds’ software update service for their Orion IT infrastructure management product.  It is thought that weak passwords are one of the factors that allowed the cyber attackers to get a foothold into the SolarWinds processes. The attack spread to approximately 18,000 users of the Orion product and many U.S. government agencies including the: Commerce, Treasury, Homeland Security and Justice Departments.

However, one of the interesting things about the attack was the level of sophistication it used by incorporating multiple cloud platforms in its construction. The malware made use of systems on both AWS and Azure. I should point out that these cloud providers are not responsible for the execution of this cyberattack – these platforms were just tools used in the attack. The attackers signed up for cloud accounts and leveraged cloud platform resources just like any other customer. While I’m sure this type of usage would violate their terms of the agreement, something would need to bring that to the attention of the cloud provider and subterfuge is a big part of these types of cyberattacks.

The cyberattack used Azure as the primary domain and then it used AWS for the subdomains. They used Azure to set up a DNS infrastructure that resolved domain names used by the malware; AWS hosted most of the secondary command and control (C2) nodes. After installation at the target organization, the malware used an initial delay of about two weeks to avoid detection, and then it contacted the malware-created domains on Azure. The malware DNS servers in Azure returned IP addresses for the C2 servers in AWS. Next, the installed malware began communicating with the AWS servers using those IP addresses. The AWS C2 servers then began controlling and sending commands to the malware programs running on the SolarWinds host.

After the attack became public, Microsoft revoked the certificates that the malware was using. Then they took down the attack infrastructure in Azure which prevented the malware from communicating with the AWS servers. Finally, they added the malware to Windows Defender so that Defender would remove and automatically quarantine the malware if it were found. Microsoft and Amazon have both said they had shared what they learned about the attack with law enforcement. The attack was notable enough that congress convened a hearing about the attack. However, Amazon did not attend the congressional hearing.  AWS vice president of public policy Shannon Kellogg said they “were not compromised in any way, which is why we did not provide formal testimony on the panel yesterday.”

The heavy use of these cloud technologies shows that cybercriminals and their attacks are continuing to rise in sophistication just as the supporting technology increases in sophistication. I suppose most cyberattack victims call every cyberattack sophisticated and many times they’re not wrong. However, in the case of the SolarWinds exploit, security experts are pretty much unanimous that the term is warranted in this case. It does give cause for worry and to implement stronger security measures as it’s clear that cybercriminals are now leveraging the cloud just like legitimate businesses do.