Chapter 29 Β· Examples

Malicious Updates β€” Examples

The SolarWinds SUNBURST attack, a dependency confusion walkthrough, and exam scenarios.

The SolarWinds SUNBURST Attack (2020)

SolarWinds produced Orion, an IT infrastructure monitoring platform used by thousands of organizations including US government agencies. In 2020, attackers compromised SolarWinds' build system and inserted a backdoor β€” SUNBURST β€” into a legitimate Orion software update. The update was signed with SolarWinds' valid certificate and distributed through official channels.

How the Attack Unfolded

1
Build System Compromise
Attackers gained access to SolarWinds' software build environment. They inserted SUNBURST backdoor code into the Orion source in a way that would be compiled into the next update.
2
Legitimate Build and Signing
The update was compiled normally, including the SUNBURST code. It was signed with SolarWinds' valid code-signing certificate. Nothing in the signing process indicated a problem.
3
Distribution
The update was distributed through SolarWinds' normal infrastructure to approximately 18,000 organizations, who installed it following security best practice.
4
Dormancy
After installation, SUNBURST lay dormant for up to two weeks, performing no suspicious activity β€” evading sandbox analysis tools that run samples for only a few minutes.
5
Activation
After dormancy, SUNBURST established a covert C2 channel, disguising traffic as legitimate Orion API calls. Attackers used this for lateral movement, data exfiltration, and persistent access.
6
Discovery
The compromise was discovered months later through behavioral anomalies in network traffic β€” not through signature-based or integrity-based detection. Attackers had maintained access for months.
SolarWinds SUNBURST demonstrated that supply chain attacks can be undetectable through traditional controls. The update had a valid signature, was delivered through legitimate infrastructure, and the payload was dormant long enough to evade sandbox analysis. Detection required behavioral monitoring of post-installation network activity.

Dependency Confusion β€” Step-by-Step

A developer's workstation or build server installs a malicious package automatically β€” with no warning, no phishing, and no credential theft required.

1
Reconnaissance
The attacker searches job postings, GitHub repositories, and leaked configuration files for internal package names. They find a reference to an internal package named "corp-auth-utils" in a job listing.
2
Publication
The attacker creates a malicious "corp-auth-utils" package and uploads it to the public npm registry (or PyPI, NuGet) at version 9.9.9 β€” far higher than any realistic internal version.
3
Trigger
A developer runs npm install. The package manager searches both the private internal registry (finds corp-auth-utils v1.4) and the public npm registry (finds corp-auth-utils v9.9.9).
4
Resolution
The package manager selects v9.9.9 from the public registry β€” the highest available version. It downloads and installs the attacker's package automatically, with no warning or prompt.
5
Execution
The malicious package's install script runs automatically during installation, exfiltrating environment variables, SSH keys, or cloud credentials β€” all within the developer's environment.
Dependency confusion requires no phishing, no credential theft, and no vulnerability exploitation. It exploits the intended behaviour of tools developers use daily. Prevention: configure package managers to scope internal package names exclusively to the private registry, or use namespaced package names (e.g. @company/corp-auth-utils).

Exam Scenarios

Scenario 1

Question: A security team discovers that an attacker gained persistent access to multiple organizations by compromising a software vendor's build system and inserting a backdoor into a legitimate update. The update was signed with the vendor's valid certificate and distributed through official channels. What type of attack is this, and why was it difficult to detect?

Answer: Supply chain attack / malicious update. Difficult to detect because: (1) the package had a valid code signature β€” verification passed; (2) it was delivered through official channels β€” no network anomalies during download; (3) the payload was dormant β€” sandbox analysis showed no suspicious behaviour. Only behavioral monitoring of post-installation activity could detect it.

Scenario 2

Question: A developer's build system begins exfiltrating credentials shortly after a dependency update. Investigation reveals the build system downloaded a package from a public registry that shares its name with an internal private package but has a higher version number. What attack is this, and what should the organization configure to prevent it?

Answer: Dependency confusion. Prevention: configure the package manager to prefer the private registry exclusively for internal package names (registry scoping). Alternatively, use namespaced package names that cannot be claimed on public registries, or pre-register internal package names on public registries with benign placeholder packages.

Scenario 3

Question: An organization uses hash verification for all software updates before installation. A malicious update is nonetheless installed successfully. The update's hash matches the vendor's published value. How is this possible?

Answer: The malicious code was inserted before the vendor computed and published the hash β€” specifically in the build pipeline, upstream of both signing and hashing. Hash verification detects modifications after publication; it cannot detect malicious code present when the hash was calculated. The vendor's reference hash matches the malicious package because the package was malicious when hashed.