SolarWinds and Supply Chain Attacks: Could it happen to WordPress?


The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On December 13th the US Treasury Department announced that it had also been compromised. At that time SolarWinds Orion was officially reported as the intrusion vector.

SolarWinds has since stated that “fewer than 18,000” firms were affected. Companies impacted by the SolarWinds supply chain attack include Intel, NVidia and Cisco.

What is a supply chain attack?

A supply chain attack involves gaining access to a system by targeting a trusted third party used by that system. This can include any point in the supply chain.

For instance, the 2013 Target data breach, the most expensive retail attack in history at the time, was tracked down to attackers first compromising an HVAC supplier. The attackers used credentials obtained from that supplier to gain access to Target’s internal network.

More recently supply chain attacks have focused on software suppliers. Compromising a single organization can have a much larger impact if the compromised software is distributed to many users. In 2017, attackers spread the NotPetya malware variant and caused billions of dollars in damage by compromising update servers belonging to MeDoc, an accounting software company with thousands of customers.

What about SolarWinds?

SolarWinds Orion is a Network Monitoring and Management product, meaning that it can be configured to have an immense amount of control over an organization’s infrastructure.

A currently unconfirmed nation-state threat actor managed to inject a backdoor, known as SUNBURST, into several versions of the Orion software before they were downloaded by SolarWinds customers.

In this case, SolarWinds was the trusted third party, and up to 18,000 of their customers, many of them large enterprises, downloaded and installed an infected version of Orion as early as March of 2020.

Despite the number of infected users, the attacker appears to have focused on staying hidden while gathering information, concentrating on a handful of targeted organizations. The SANS Institute has a more in-depth examination of the attack and its mechanism.

A separate webshell, dubbed SUPERNOVA and believed by Microsoft to have been injected by a different attacker, has also been found in Orion, indicating that multiple threat actors realized the value of this type of attack against Orion.

Although the intrusion vector that initially led to the compromise of SolarWinds Orion is currently unknown, in 2019 a security researcher named Vinoth Kumar reported that he had found credentials to the SolarWinds update server in a public GitHub repository, including an incredibly insecure password of “Solarwinds123”. While the SUNBURST malware was cryptographically signed, which would have required the attacker to compromise additional systems, these findings are indicative that SolarWinds may have had a poor security posture in other areas.

Could something like this impact WordPress?

Yes. While the SolarWinds attack itself is unlikely to impact any WordPress sites, a similar attack could be used against WordPress. In 2016, Wordfence Lead Developer Matt Barry notified WordPress about a potential supply chain attack that could have infected nearly a third of the internet by compromising the WordPress update infrastructure at api.wordpress.org, which instructs WordPress sites where to download automatic updates. Thanks to our disclosure, the issue was patched before it could be exploited.

Supply chain attacks aren’t always technical. Between 2013 and 2017, an unscrupulous spammer known as Mason Soiza managed to insert malicious code used to display unwanted spam and ads into at least 9 WordPress plugins, including some with several hundred thousand installations. In most cases he purchased the plugin from the author and included his own malicious code.

Later in 2017 we saw the same activity on three separate plugins that had changed owners, where the new owners included content injection backdoors in the plugins.

The motives for a WordPress supply chain attack may be different from those of the attackers targeting SolarWinds, but the mechanisms would be the same. While many of the attacks against WordPress are not sophisticated, the probability of an attacker targeting a CMS powering over one-third of the internet should not be underestimated.

How can supply chain attacks be prevented?

It is impossible to completely eliminate supply chain attacks, but there are ways to mitigate the risks posed by them. For instance, WordPress introduced support for cryptographically signed updates in version 5.2, though the feature is not yet fully in use. This would prevent WordPress from installing updates that were not signed with the correct keys.

While this might protect against an attacker taking over api.wordpress.org and instructing sites to download updates from a rogue server, it would not protect against an attacker taking over a legitimate plugin.

Additionally, if an attacker was able to gain access to the server or keys used to sign updates, they could still bypass this measure. One of the most troubling features of the SUNBURST malware was that the attackers were able to cryptographically sign the update so that it appeared to be legitimate.
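As an added illustration (written for this article, not WordPress's own code), the following Go program models the update-signing check described above: a site keeps a set of trusted public keys and accepts a package only if its detached Ed25519 signature, the primitive WordPress 5.2 adopted, was produced by one of them. It assumes a constructed sample package and freshly generated keys, and shows both what the check catches (a tampered package, a package signed by a rogue server's key) and the caveat in the text (a package signed with the vendor's stolen private key still verifies).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateVerifier holds the public keys a site trusts to sign updates
// (illustrative stand-in for a trusted-keys list, not WordPress's API).
type UpdateVerifier struct {
	trusted []ed25519.PublicKey
}

// VerifyPackage accepts pkg only if sig is a valid detached signature
// over its bytes under one of the trusted keys.
func (v *UpdateVerifier) VerifyPackage(pkg, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	for _, pk := range v.trusted {
		if ed25519.Verify(pk, pkg, sig) {
			return nil
		}
	}
	return errors.New("signature not produced by any trusted update key")
}

// Scenario reports whether the verifier accepts (1) the genuine package,
// (2) the same package with one byte altered, (3) a package signed by an
// untrusted key (rogue update server), (4) a backdoored package signed
// with the vendor's stolen private key.
func Scenario() (genuine, tampered, rogueKey, stolenKey bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	v := &UpdateVerifier{trusted: []ed25519.PublicKey{vendorPub}}

	pkg := []byte("constructed sample: contents of wordpress-update.zip")
	sig := ed25519.Sign(vendorPriv, pkg)
	genuine = v.VerifyPackage(pkg, sig) == nil

	modified := append([]byte(nil), pkg...)
	modified[0] ^= 0x01 // single-bit change invalidates the signature
	tampered = v.VerifyPackage(modified, sig) == nil

	rogueKey = v.VerifyPackage(pkg, ed25519.Sign(roguePriv, pkg)) == nil

	backdoored := []byte("constructed sample: update plus injected code")
	stolenKey = v.VerifyPackage(backdoored, ed25519.Sign(vendorPriv, backdoored)) == nil
	return
}

func main() {
	g, t, r, s := Scenario()
	fmt.Printf("genuine=%v tampered=%v rogueKey=%v stolenKey=%v\n", g, t, r, s)
}
```

The last result is the point of the caveat: signing proves who held the key, not that the package is clean, so key custody and build-pipeline integrity remain separate controls.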

As with other threats, the risk of supply chain attacks is best addressed with a combination of technical and administrative controls, including code signing, making use of the principle of least privilege, and system hardening, so that the breach of a single component doesn’t result in an entire system or network being compromised.

Protecting Against Supply Chain Attacks

For software users, detecting and preventing supply chain attacks can be extraordinarily difficult. Software and vendor relationships are based upon trust. Software users trust that the software and systems their organizations use are secured, yet they have little control over the security of the processes that develop and distribute that software. This is especially true in closed-source software models, where the responsibility for security rests with a single organization.

In some ways, WordPress is different from most other software in that there is an active and communicative network of developers who contribute to the project and are invested in the success of WordPress. This community has often been a first line of defense in detecting and disclosing issues so that they can be resolved quickly.

In either case, protecting an organization from a supply chain attack via trusted software can be difficult. It requires attention, testing, and awareness. WordPress has the benefit of a large community of users and developers who have historically shared that responsibility.

While the WordPress ecosystem is not immune to supply chain attacks, its open-source nature means that many potential issues may be spotted and patched more quickly than problems with a proprietary codebase. In many ways the primary challenge in an open-source ecosystem is in making sure that all users are updating to patched software as threats emerge and are mitigated with new releases.

Conclusion

In today’s article, we discussed the SolarWinds attack and the risks posed by supply chain attacks in general. We also covered a potentially catastrophic supply chain vulnerability that was patched in WordPress before it could be exploited, as well as smaller supply chain attacks that had been successfully executed against WordPress plugins. Finally, we went over potential preventative measures, including code signing and community involvement.

Supply chain attacks will continue to be a threat for the foreseeable future. While no single strategy can prevent supply chain attacks, a combination of best practices can reduce their impact.

Special thanks to Director of Marketing Kathy Zant for her assistance with this article.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.


Comments

  • I would like to see Wordfence write more articles about this. I do not think the layperson understands how websites are built and how WordPress sites are built in general. WordPress is insecure by design because of its plugin architecture. The plugin architecture is similar now to how shareware was distributed before Microsoft started warning people about installing software downloaded from the Internet. The themes and plugins are created by programmers all over the world, many in countries whose laws might be different than in the U.S. Malicious code can be injected into any WordPress site by the plugins or themes it uses. This code is usually in the form of JavaScript libraries, which sometimes are loaded from CDNs. JavaScript libraries can monitor and log anything a visitor does on their website (see HotJar). This includes keystrokes and credit card numbers. jQuery code, Font Awesome, and Bootstrap code are often loaded from CDNs. The CDN could be compromised or DNS poisoned so code is downloaded from a different server than intended. Most websites on the Internet have Google Analytics on them. First, this allows Google to monitor and track anything that your visitors do on your website (and sadly most of the web) and second, imagine if this was compromised. WordFence.com is loading scripts from googletagmanager.com, google-analytics.com, js.hs-scripts.com, js.hs-analytics.com, js.hs-banner.com, track.hubspot.com, and maxcdn.bootstrapcdn.com. All of these could be attack vectors. In order to trust the security of a WordPress site you have to trust dozens of companies and programmers around the world.

  • Thanks for the post. I didn't get time to read more about it, and the impact on WordPress is also interesting to read.
    As you said, a lot of stuff on the internet is based on *trust*. I trust Wordfence, so I do not expect to see bad stuff coming from your direction..lol.

    Didier.