Listen to this Post

Introduction:
Six years after the SolarWinds Orion supply-chain attack—the most consequential cyber incident in history, affecting 18,000 organisations including the U.S. Treasury, State Department, and Homeland Security—a longitudinal assessment spanning March 2020 to June 2026 reveals that the same attack pathways remain unsecured on SolarWinds infrastructure today. Persistent certificate trust failures, browser “Not secure” authentication surfaces, SSL Labs T ratings, and DNSSEC insecurity are not isolated anomalies; they represent repeated, observable trust-control weaknesses that adversaries actively exploit to position themselves inside supplier networks. The attack surface that enabled state-level tradecraft to weaponize SolarWinds’ Orion updates has never been secured—and this is not simply a configuration issue but a foundational governance failure.
Learning Objectives:
- Understand the persistent certificate and DNS trust failures that continue to expose SolarWinds and similar vendors to supply-chain compromise.
- Learn to verify and harden certificate validation, DNSSEC, and code-signing controls using practical Linux/Windows commands and configuration audits.
- Implement proactive attack surface management (ASM) and continuous monitoring workflows to detect and remediate trust-control weaknesses before adversaries exploit them.
- The Certificate Trust Crisis: Expired Certs, Broken Chains, and MITM Exposure
The post’s attached report evidences that SolarWinds infrastructure was observed with expired TLS certificates, triggering browser security warnings and SSL Labs T ratings—a critical failure in maintaining the trust and integrity of services. An expired certificate breaks the chain of trust, can cause service outages, and opens the door to man-in-the-middle (MITM) attacks where traffic can be intercepted or spoofed. This is compounded by the fact that SolarWinds Platform 2026.2 installations and upgrades have been failing due to missing root certificates in the Windows Trusted Root Certification Authorities store, preventing the server from validating the certificate chain.
Step‑by‑step guide: Certificate inventory, validation, and remediation
Step 1: Discover and inventory all TLS/SSL certificates across your infrastructure
You cannot secure what you do not know. Use openssl and nmap to enumerate certificates on your hosts.
Linux: Get certificate details for a specific host openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -1oout -dates -subject Check certificate expiry for multiple hosts for host in $(cat hostlist.txt); do echo -1 "$host: " echo | openssl s_client -servername $host -connect $host:443 2>/dev/null | openssl x509 -1oout -enddate done Use nmap to scan a network range for certificates nmap --script ssl-cert -p 443 192.168.1.0/24
Step 2: Validate the entire certificate chain
Ensure that all certificates in the chain are trusted and that no root certificates are missing—a known issue in SolarWinds 2026.2 deployments.
Verify the full certificate chain openssl s_client -connect yourdomain.com:443 -showcerts -servername yourdomain.com Check if the certificate is trusted by the system openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt certificate.pem
Step 3: Implement automated monitoring and renewal
Configure alerts to trigger at 30, 14, and 7 days before expiry. Use ACME protocol with Let’s Encrypt for automated renewal where possible.
Test certificate renewal (Certbot) sudo certbot renew --dry-run Check automated renewal timer status sudo systemctl status certbot.timer Windows: Check certificate in local machine store Get-ChildItem -Path Cert:\LocalMachine\My | Format-Table Subject, NotAfter, Thumbprint
Step 4: Remediate missing root certificates (Windows)
For SolarWinds Platform 2026.2 upgrade failures caused by missing root certificates:
List trusted root certificates Get-ChildItem -Path Cert:\LocalMachine\Root Import missing root certificate (obtain from your CA or SolarWinds documentation) Import-Certificate -FilePath "C:\path\to\root.cer" -CertStoreLocation Cert:\LocalMachine\Root
- DNSSEC Insecurity: The Broken Chain of Trust in DNS
The post explicitly calls out “DNSSEC insecurity” as a persistent exposure. Despite threat intelligence shared with SolarWinds leading them to sign their TLD in 2021, inconsistent deployment persists across subdomains and record types. An attacker can spoof an unsigned A record for a subdomain (e.g., api.solarwinds.com), redirecting traffic to a malicious server while the apex signature remains valid. This breaks the chain of trust and enables cache poisoning and MITM attacks.
Step‑by‑step guide: DNSSEC verification and hardening
Step 1: Verify DNSSEC status for apex and subdomains (Linux/macOS)
Check DNSSEC for apex domain - look for "ad" flag (authenticated data) and RRSIG records dig +dnssec example.com A Check DNSSEC for subdomains - many organizations sign only the apex dig +dnssec subdomain.example.com A dig +dnssec mail.example.com MX Validate entire chain using delv delv @8.8.8.8 api.example.com A +vtrace
Step 2: DNSSEC verification using Windows PowerShell
Check DNSSEC status (look for DnssecStatus property) Resolve-DnsName -1ame example.com -Type A -DnsOnly | Format-List Check subdomain with specific DNS server Resolve-DnsName -1ame subdomain.example.com -Type A -Server 1.1.1.1
Step 3: Configure DNSSEC on BIND (Linux)
Generate DNSSEC keys for your zone
dnssec-keygen -a ECDSAP256SHA256 -b 256 -1 ZONE example.com
dnssec-keygen -a ECDSAP256SHA256 -f KSK -1 ZONE example.com
Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -o example.com -t db.example.com
Add to named.conf
zone "example.com" {
type master;
file "db.example.com.signed";
auto-dnssec maintain;
inline-signing yes;
};
Step 4: Configure DNSSEC on AWS Route53 (cloud environments)
Enable DNSSEC signing for a hosted zone using AWS CLI aws route53 enable-hosted-zone-dnssec --hosted-zone-id Z1234567890 Create key-signing key (KSK) aws route53 create-key-signing-key --hosted-zone-id Z1234567890 --key-signing-key-1ame example-ksk
- Code-Signing Governance Failure: The Attack That Never Needed a Stolen Key
The SolarWinds SUNBURST malware did not exploit a cryptographic weakness—it exploited the build pipeline. The trojanized `SolarWinds.Orion.Core.BusinessLayer.dll` carried a valid Authenticode signature chained to SolarWinds’ legitimate code-signing certificate issued by Symantec. Every Windows host validated that signature and accepted the binary because, by every cryptographic measure, it was authentic. The attackers modified the build environment (not the source repository), with an implant called SUNSPOT monitoring build processes, swapping malicious code during compilation, and restoring the original file afterward—so source control showed no diff. The signing key did exactly what it was designed to do: sign whatever the build server presented to it.
Step‑by‑step guide: Code-signing governance and build-pipeline hardening
Step 1: Enforce HSM-backed signing keys with provable custody
Production code-signing keys must live inside a FIPS 140-3 Level 3 hardware security module (HSM). No signing key material should ever exist in software form on build servers.
Linux: Verify that signing occurs via HSM (example with pkcs11-tool) pkcs11-tool --module /usr/lib/libcloudhsm.so --list-objects --type privkey Verify that the signing certificate is hardware-backed certutil -key -csp "Microsoft Base Smart Card Crypto Provider"
Step 2: Implement build-pipeline integrity monitoring
Monitor build processes for unauthorized modifications (Linux)
inotifywait -m -r -e modify,create,delete /path/to/build/source/
Windows: Enable build pipeline auditing via PowerShell
Monitor file changes in build directories
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Build\Source"
$watcher.Filter = "."
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Changed" -Action { Write-Host "File changed: $($Event.SourceEventArgs.FullPath)" }
Step 3: Enforce code-signing policy with anomaly detection
Windows: Verify Authenticode signature and check for anomalies Get-AuthenticodeSignature -FilePath "C:\Path\to\Orion.Core.BusinessLayer.dll" Check that the signing certificate is from a trusted issuer and hasn't been revoked Get-AuthenticodeSignature -FilePath "C:\Path\to\file.dll" | Select-Object SignerCertificate, TimeStamperCertificate
Step 4: Implement NIST SP 800-218 (SSDF) controls
As mandated by the Secure Software Development Framework, implement controls including: (1) HSM-backed keys, (2) build pipeline integrity monitoring, (3) reproducible builds, (4) signed provenance attestations, and (5) continuous anomaly detection in the signing event itself.
4. Internet Asset Discovery and Attack Surface Reduction
Andy Jenkinson’s direct warning stressed: “If the Internet Assets are Not Secured, the chances of falling victim to cyber crime is greatly increased”. An unknown or unmanaged asset is a liability—and SolarWinds’ failure to maintain basic certificate hygiene across its internet-facing assets demonstrates this principle in action.
Step‑by‑step guide: External asset discovery and hardening
Step 1: Passive enumeration (attacker’s view)
Use Amass for passive subdomain enumeration amass enum -passive -d yourcompany.com Use Subfinder for additional subdomain discovery subfinder -d yourcompany.com -o subdomains.txt Use theHarvester for email and domain discovery theHarvester -d yourcompany.com -b google,bing
Step 2: Active scanning (authorized only)
Scan discovered IP ranges for open ports and services nmap -sV -O --top-ports 1000 -iL discovered_ips.txt Use masscan for large-scale port scanning masscan -p1-65535 --rate=1000 -iL discovered_ips.txt -oJ scan_results.json
Step 3: Internal reconciliation and tagging
Cross-reference externally discovered assets with your internal CMDB. Tag assets by criticality, data sensitivity, and exposure level. Remove or secure any asset not accounted for in your formal inventory.
5. Continuous Monitoring: The Antidote to Ignored Warnings
The post’s core indictment is not that SolarWinds had vulnerabilities—it’s that the same vulnerabilities remain unaddressed six years later. The SolarWinds Platform 2025.2 update introduced enforced SSL certificate validation on all outbound HTTPS connections, yet the 2026.2 upgrade fails due to missing root certificates. This pattern—introducing security controls that then break because of the very certificate hygiene failures they were designed to enforce—is a governance failure, not a technical one.
Step‑by‑step guide: Build a continuous monitoring workflow
Step 1: Centralize certificate and asset monitoring
Implement a dynamic inventory of all certificates (public and internal), including issuer, expiry date, and associated service. Use tools like CertSpotter, Let’s Monitor, or enterprise solutions from Venafi or HashiCorp Vault.
Step 2: Configure multi-stage alerts
Set alerts to trigger at 30, 14, and 7 days before expiry. Never rely on a single alert.
Example: Simple certificate expiry alert script (Linux) !/bin/bash EXPIRY=$(echo | openssl s_client -servername $1 -connect $1:443 2>/dev/null | openssl x509 -1oout -enddate | cut -d= -f2) EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s) DAYS_LEFT=$(( ($EXPIRY_EPOCH - $(date +%s)) / 86400 )) if [ $DAYS_LEFT -lt 7 ]; then echo "WARNING: Certificate for $1 expires in $DAYS_LEFT days" Send alert via webhook, email, or SIEM fi
Step 3: Automate remediation where possible
Automated renewal via certbot (Linux) sudo certbot renew --quiet Windows: Scheduled task for certificate renewal Create a scheduled task to run renewal scripts weekly
What Undercode Say:
- Key Takeaway 1: The SolarWinds attack was never about broken cryptography—it was about broken trust governance. The same build-pipeline compromise that enabled SUNBURST in 2020 remains possible today because organizations continue to trust that a valid cryptographic signature guarantees a safe artifact. This is a failure of security architecture, not of cryptographic engineering.
-
Key Takeaway 2: Certificate and DNSSEC hygiene are not “nice-to-have” operational tasks—they are foundational security controls that adversaries actively probe and exploit. The fact that SolarWinds infrastructure still exhibits expired certificates and DNSSEC gaps six years after the most consequential supply-chain attack in history is not a technical oversight; it is a governance failure that signals to the entire industry that the lesson has not been learned.
-
Analysis: The post’s observation that “you are constantly being lied to, misled, and then made to pay at both the front and back end” cuts to the heart of the issue. Security vendors sell solutions, but the fundamental problem is that basic security hygiene—certificate management, DNSSEC, build-pipeline integrity—remains woefully neglected even by the vendors who should be setting the standard. The SolarWinds case is not an isolated incident; it is the norm. Until organizations treat certificate lifecycle management, DNSSEC deployment, and code-signing governance as non-1egotiable, first-principles security controls—audited and enforced at the board level—the same attack pathways will continue to be exploited. The question for every customer, organization, and government is urgent: if these pathways remain open, there is zero assurance that history will not repeat.
Prediction:
-
-1 The SolarWinds case demonstrates that even the most catastrophic cyber incidents fail to drive fundamental change in security governance when the incentives are misaligned. Expect continued supply-chain attacks exploiting the same trust-control weaknesses—expired certificates, unsigned subdomains, and build-pipeline compromises—over the next three to five years, as organizations prioritize feature velocity over security fundamentals.
-
-1 Regulatory pressure (NIST SP 800-218, EU Cyber Resilience Act) will increase, but enforcement will lag behind adversary capabilities. Organizations will continue to treat compliance as a checkbox exercise rather than a genuine security improvement, leaving the same attack surfaces exposed.
-
+1 The growing adoption of HSM-backed signing, reproducible builds, and signed provenance attestations (e.g., SLSA, in-toto) offers a genuine path forward. Organizations that embrace these controls early will build a defensible supply chain and gain a competitive advantage in trust and resilience.
-
-1 However, the majority will adopt these controls only after the next SolarWinds-scale breach—not before. The industry’s pattern of learning through catastrophe rather than prevention remains unchanged, and the cost will continue to be borne by customers, governments, and the broader digital ecosystem.
▶️ Related Video (70% Match):
https://www.youtube.com/watch?v=Arfk5uUm4qk
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


