Cyber Threat Advisory: SolarWinds Supply Chain Attack

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Nathan Toporek

TLP:WHITE

1.  Executive Summary

On 13 December, FireEye publicly disclosed information about a supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 This attack infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure. The threat actor(s) employed several advanced tactics, techniques and procedures (TTPs) that indicate a nation state and/or an advanced persistent threat group (APT) carried out the attack. Although some companies have suggested attributing the attack to a known APT, many organizations, including FireEye, are resisting early attribution.

2.  Analysis

                 2.1.   SUNBURST Backdoor

The SolarWinds.Orion.Core.BusinessLayer.dll file is a digitally-signed part of Orion software that contains the SUNBURST backdoor and is installed during either a routine software update or during initial SolarWinds Orion installation. Between twelve and fourteen days after the initial compromise, SUNBURST will create a unique pipe that ensures only one instance of itself runs on an infected machine. It will then read and modify the SolarWinds.Orion.Core.BusinessLayer.dll.config file’s appSettings field to repurpose it for a persistent configuration. SUNBURST then checks that it is a part of the victim’s domain, generates a userID and reads an initial value from its configuration.

SUNBURST will iterate over a known blocklist of services and set the associated registry key values to four to disable these services. Once it disables all blocklisted services, SUNBURST will resolve the domain api[.]solarwinds[.]com to test for, and confirm, internet connectivity. SUNBURST then uses a domain generation algorithm (DGA) to determine and resolve a random subdomain of a malicious second-level domain (SLD). It is important to note that in some cases, the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims.2

SUNBURST will wait between each DGA resolution; in some cases, it will wait between one and three minutes; in others, 30 to 120 minutes; and on error conditions, it will wait between 420 and 540 minutes. If a DNS response’s A record is within a known set of classless inter-domain routing (CIDR) blocks, SUNBURST will modify its configuration to prevent future execution before terminating itself.

When SUNBURST retrieves a CNAME record in its response, it will start an HTTP thread that manages command and control (C&C) communications. This thread will wait a configurable amount of time (at least one minute) between requests. It uses the HTTP GET or HEAD methods when requesting data from the C&C, as well as the HTTP POST or PUT methods to send data in the form of a JSON blob to the C&C. Responses appear as benign XML data, but the data has commands encoded in both Globally Unique Identifier (GUID) data and other hexadecimal (HEX) data.

                 2.2.  TEARDROP & BEACON Malware

FireEye reported that SUNBURST delivered multiple payloads, and on at least one occasion, they observed it delivering TEARDROP – a unique, memory-only dropper. Actors likely used TEARDROP to deploy Cobalt Strike’s BEACON malware.

                 2.3.  Sophisticated Actor Behavior and Additional Malware

The actor(s) behind this attack exercised highly-sophisticated operational security (OPSEC) while carrying out operations against their victims. They:

  • Ensured hostnames matched the victim’s environment,
  • Used IP addresses in the same country as the victim,
  • Used separate credentials for remote access and lateral movement, and
  • Temporarily overwrote files with malicious utilities to later rewrite the original file contents.

These actor(s) also leveraged two additional variants of malware: COSMICGATE and SUPERNOVA. COSMICGATE is a credential stealer written in PowerShell, and SUPERNOVA is a Windows .NET program that acts as a legitimate SolarWinds HTTP handler.

3.  Prevention and Mitigation

FireEye recommends upgrading to Orion Platform release 2020.2.1 HF 1 if possible. If an organization is unable to upgrade to this version of Orion, they recommend taking the following actions:

  • Disconnect SolarWinds servers from the internet and isolate them, or restrict access from SolarWinds servers if this is not possible.
  • Rotate credentials to accounts that have access to SolarWinds servers and/or infrastructure.
  • Review network configurations created by SolarWinds, looking for anomalies.

Microsoft’s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation-state activity.3

In addition to this, the US Department of Homeland Security (DHS) recommends taking the following actions once all known malicious accounts and persistence methods have been removed:4

  • Assume all hosts monitored by SolarWinds Orion software are compromised.
  • Rebuild hosts monitored by SolarWinds Orion software.
  • Take actions to remediate Kerberoasting;5 engage with third parties experienced in dealing with APTs as needed.

4.  Indicators of Compromise

Below is a list of known IOCs related to this attack. As stated above, in some cases the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims. Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may grow as organizations investigate their environments and share their findings.

 

Indicator

 Description
c:\windows\syswow64\netsetupsvc.dll

Path used by TEARDROP malware

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

224.0.0.0/3

fc00:: – fe00::

fec0:: – ffc0::

ff00:: – ff00::

20.140.0.0/15

96.31.172.0/24

131.228.12.0/22

144.86.226.0/24

 SUNBURST ceases execution if it receives a DNS A record response in these CIDR blocks
https://github.com/fireeye/sunburst_countermeasures

Additional countermeasures / IOCs provided by FireEye

Endnotes

    1. “Highly Evasive Attacker Leverages SolarWinds Supply Chain ….” 13 Dec. 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. Accessed 14 Dec. 2020.
    2. “SANS Emergency Webcast: What you need to know about the ….” 14 Dec. 2020, https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015. Accessed 14 Dec. 2020.
    3. Microsoft Security Response Centre – https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
    4. “cyber.dhs.gov – Emergency Directive 21-01.” 13 Dec. 2020, https://cyber.dhs.gov/ed/21-01/. Accessed 14 Dec. 2020.
    5. See https://attack.mitre.org/techniques/T1558/003/

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×