
How to Protect Yourself from Supply Chain Attacks

Discover how AZT Protect would have stopped the supply chain cyberattack of the decade, and similar cases

Solutions Manager

In the hyper-connected world we now live in, supply chains have become one of the most vulnerable links in industrial cybersecurity. The technological interdependence between organizations has created a broad and complex attack surface that cybercriminals have learned to exploit very well: instead of attacking the target organization directly, they go after its suppliers or external services, which become conduits for infiltrating malware, stealing information, or disrupting critical operations.

One of the most emblematic and devastating attacks of this kind was the one against SolarWinds in 2021, which showed that even legitimate, certified software can be manipulated, and how urgent it is to adopt new defense strategies that stop these threats at their origin.

The SolarWinds Case: when the Enemy Enters through the Front Door

In the infamous 2021 supply chain attack on SolarWinds, a major US IT management software company, attackers allegedly backed by a foreign government injected malicious code into legitimate software updates of the Orion product. This backdoor, known as SUNBURST, managed to evade traditional cloud defense systems and, in some cases, even disable them.

The compromised updates were signed with valid digital certificates, which allowed them to bypass the security controls of the main providers. Because the corrupted package came from certified software, it passed whitelist-based defenses and installed itself without raising suspicion in thousands of organizations, including operational technology (OT) environments and government institutions. The attackers thus obtained a privileged access point into these systems.
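The gap described above, between trusting a valid signature alone and also pinning the expected build content, as an added Python example that is not part of the original article or of AZT Protect. Signature validity and the signer name are constructed inputs rather than computed, and the pinned hash stands for a value obtained independently of the vendor's signed artifact (for instance from a reproducible build), which is an assumption of the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample builds: placeholder bytes, not real software.
CLEAN_BUILD = b"example-update-v1 clean build bytes"
TAMPERED_BUILD = CLEAN_BUILD + b"<injected backdoor stub>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Update:
    signer: str        # publisher name taken from the code-signing certificate
    sig_valid: bool    # result of signature verification (constructed, not computed)
    content: bytes     # the bytes that would actually be installed


# Signer allowlist: what a signature-only "whitelist" control trusts.
TRUSTED_SIGNERS = {"ExampleVendor"}

# Hash pin: the expected build hash, assumed to come from a source the
# attacker cannot influence by compromising the vendor's build pipeline.
PINNED_HASHES = {sha256_hex(CLEAN_BUILD)}


def signer_only_policy(u: Update) -> str:
    """Allow anything carrying a valid signature from a trusted publisher."""
    if u.sig_valid and u.signer in TRUSTED_SIGNERS:
        return "allow"
    return "block: untrusted or invalid signature"


def pinned_hash_policy(u: Update) -> str:
    """Require a trusted signature AND content matching the pinned manifest."""
    if not (u.sig_valid and u.signer in TRUSTED_SIGNERS):
        return "block: untrusted or invalid signature"
    if sha256_hex(u.content) not in PINNED_HASHES:
        return "block: valid signature but hash not in pinned manifest"
    return "allow"


if __name__ == "__main__":
    # A build tampered before signing carries a perfectly valid signature.
    tampered = Update("ExampleVendor", True, TAMPERED_BUILD)
    print("signer-only:", signer_only_policy(tampered))
    print("pinned-hash:", pinned_hash_policy(tampered))
```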

Once inside the networks, the attackers deployed a sophisticated operation: they downloaded and executed malicious files, ran shellcode, performed injections to gain full access to applications, and escalated privileges to the highest level. It took a cybersecurity company that was itself a victim to detect, by chance, the exfiltration of its critical tools and raise the alert.

Some manufacturers admitted that their products were bypassed or temporarily disabled, allowing advanced attack techniques to run freely. The attackers acted with patience and precision, remaining invisible for long periods.

This attack underscored the limitations of defenses based exclusively on indicators of compromise (IoCs) or next-generation antivirus (NGAV), which were unable to detect and stop the threat.

In addition, this incident was a turning point for governments, private companies, and the industry in general, demonstrating that even the most protected organizations can be vulnerable to advanced threats and prompting them to rethink their cybersecurity posture.

So, what would NOT have happened with AZT Protect?

AZT Protect is a comprehensive defense system created to protect critical assets by preventing the execution of tampered or untrusted code and applying artificial intelligence to detect and block generic attack techniques from the outset.

Below, we present a detailed analysis of the SUNBURST attack timeline, highlighting each phase and technique used and showing exactly at what points AZT Protect would have stopped it.

Initial phase: delivery of the malicious payload through a legitimate update

The SUNBURST attack begins with the delivery of a malicious payload through a legitimate Orion update signed by SolarWinds. Because it comes from a trusted source, the system executes it without suspicion. However, the update introduces an automated mechanism that, when activated, opens a backdoor to load more malicious code.

At this initial point, the AZT agent, by continuously monitoring the execution of code in memory, would have detected and blocked the execution of shellcode used to open the backdoor. This first block would have been enough to stop SUNBURST before it caused damage.

For this analysis, AZT Protect was used in “Detection” mode, which allowed the complete development of the attack to be observed without blocking it. This mode, unlike the “Prevention” mode used by default in production environments, allows each phase of the attack to be studied in detail.

In a real deployment, with the system operating in “Prevention” mode, the observed techniques would have been neutralized as they appeared. During this controlled exercise, however, the attack was allowed to advance to demonstrate the sequence of events and the reactive capabilities of the system.

Activation of the malware and opening of the backdoor

The attack continues when the embedded malware activates and attempts to open a backdoor via shellcode. AZT Protect detects it immediately. As noted above, had it been configured in “Prevention” mode, the attack would have failed at that instant. For this analysis, however, execution was allowed to continue in order to observe how the threat progressed and which other techniques it deployed.

It is important to note that the attack employed process-level techniques that are difficult to identify without constant monitoring of memory (DRAM) and, in many cases, of the operating system’s own kernel. In this context, AZT Protect acts precisely at the kernel level, through a patented technology that allows it to observe in real time both the processes and the code executed in memory. Thanks to this, it can detect a wide variety of generic attack techniques, including those that usually go unnoticed by traditional solutions.

Protection Strengths of AZT Protect

The main advantage of AZT Protect is its ability to block attacks before they are executed, even if they have never been seen before. That is, it protects against zero-day attacks from the outset. It does not depend on previously seen patterns or need to analyze IoCs in the cloud to stop threats, which can introduce critical delays, especially in OT environments that operate under very restricted maintenance windows.

Thus, AZT Protect offers immediate defense against application vulnerabilities without the need for updates, patches, an internet connection, or cloud solutions. In addition, it can detect when a critical application has been tampered with through the exploitation of vulnerabilities, without a CVE having been discovered previously.


New Paradigm for Cyber Defense

The SolarWinds breach changed the geopolitical landscape of cybersecurity. Although attributed to a state actor, it also highlighted the fine line that separates state-sponsored attacks from organized cybercrime. The level of sophistication of the attack, as well as the fact that it affected critical infrastructures and government agencies, shows the real scope that this type of threat can have.

As a result of this case, many countries are reviewing their cyber defense strategies and implementing new compliance regulations for critical infrastructures and public companies. Insurers are also raising their requirements before granting coverage, as shown by the attack on Merck and its 1.4 billion dollar claim.

Likewise, the incident promoted the adoption of the Zero Trust security model, by demonstrating that traditional perimeter-based architectures are insufficient against advanced persistent threats.

Start protecting your supply chain

The most sophisticated threats give no warning. AZT Protect blocks in-memory attacks even if they have never been seen before. Find out how to shield your critical environments before it is too late.