Supply chain · 2020 · 6 min read

What was SolarWinds?

Attackers got into the build pipeline and slipped a backdoor into a signed SolarWinds update. Thousands of organizations installed it themselves, trusting the signature. Trust was the attack.

  • 18,000 organizations received the poisoned update
  • 1 compromised build, signed and shipped
  • Months of access before anyone noticed
  • Trusted: the update carried a valid signature

What happened

In 2020 it emerged that attackers had compromised the build process for SolarWinds Orion, a widely used network management product. They inserted a backdoor into an update, which was then signed and distributed like any normal release.

Customers did the rest. They installed a trusted update from a trusted vendor, and in doing so installed the backdoor.

How a trusted update became a weapon

The attack did not target a coding flaw in the product. It targeted the pipeline that builds and ships it. Get in there, and you can poison the software before it is signed, so every downstream check still passes.

Signatures and update channels are designed to prove an update is genuine. Here the update genuinely came from SolarWinds. That is what made it so hard to catch.

Why supply chain is so hard to stop

You can patch your own code and still be breached by an update you were told to trust. The compromise lived upstream of everything most defenses watch.

What gave it away was not the file. It was the behavior. The backdoor eventually talked to the internet in ways the software never should, and that pattern is what unraveled it.

How it unfolded

  1. 2019 to 2020
    Attackers quietly compromise the SolarWinds build environment.
  2. Early 2020
    Backdoored Orion updates are signed and shipped to customers.
  3. Dec 2020
    Security firm FireEye uncovers the campaign while investigating its own breach.

Where buggy.run fits

Supply chain sits upstream of your code, but your running app still talks to the world, and that is where a hidden backdoor eventually shows itself.

buggy.run watches what your deployed app actually does and where its traffic goes, so behavior that does not match the feature set is the kind of thing that gets surfaced rather than assumed away.

What to take away

  • Verify the integrity of your build and release pipeline, not just your source.
  • Monitor outbound traffic from servers. Backdoors have to call home.
  • Give every component the least privilege and network access it needs.
  • Assume a trusted dependency can turn hostile, and design so it cannot reach everything.
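The "backdoors have to call home" takeaway, as an added example that is not buggy.run's code: it walks a constructed egress log, compares each destination against a hypothetical per-process allowlist built from what the software is supposed to do, and flags unexpected destinations, marking those that recur at a steady interval (the call-home rhythm that gave the SolarWinds backdoor away). Process names, hostnames and the policy are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (made up for this example, not real data):
# "<ISO timestamp> <process> <destination host> <port> <bytes sent>"
SAMPLE_EGRESS = """\
2020-06-01T10:00:00 netmgmt updates.vendor.test 443 1200
2020-06-01T10:00:05 netmgmt switch01.corp.internal 161 300
2020-06-01T10:12:00 netmgmt unknown-host.example.test 443 900
2020-06-01T10:24:00 netmgmt unknown-host.example.test 443 910
2020-06-01T10:36:00 netmgmt unknown-host.example.test 443 905
2020-06-01T10:40:00 backup-agent backup.corp.internal 443 50000
"""

# Expected destinations per process, derived from the feature set of the
# software that is supposed to run on this server (hypothetical policy).
EXPECTED = {
    "netmgmt": {"hosts": {"updates.vendor.test"}, "suffixes": (".corp.internal",)},
    "backup-agent": {"hosts": set(), "suffixes": (".corp.internal",)},
}

def is_expected(process, host):
    policy = EXPECTED.get(process)
    if policy is None:
        return False  # unknown process: nothing is expected of it
    return host in policy["hosts"] or host.endswith(policy["suffixes"])

def parse(log):
    for line in log.splitlines():
        ts, proc, host, port, size = line.split()
        yield datetime.fromisoformat(ts), proc, host, int(port), int(size)

def find_unexpected_egress(log, min_beacons=3, tolerance=0.2):
    """Return {(process, host): info} for destinations outside the policy.
    info['periodic'] is True when the connections recur at a steady interval,
    the call-home pattern a backdoor tends to show."""
    seen = defaultdict(list)
    for ts, proc, host, _port, _size in parse(log):
        if not is_expected(proc, host):
            seen[(proc, host)].append(ts)
    findings = {}
    for key, times in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_beacons:
            mean = sum(gaps) / len(gaps)
            periodic = all(abs(g - mean) <= tolerance * mean for g in gaps)
        findings[key] = {"count": len(times), "periodic": periodic}
    return findings
```

Run over the sample, the vendor update host and the internal subnet pass, and the one destination the feature set never justified is flagged with three evenly spaced connections.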

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.