Author: Nathan Toporek
1. Executive Summary
On 13 December, FireEye publicly disclosed information about a supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 This attack infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure. The threat actor(s) employed several advanced tactics, techniques and procedures (TTPs) that indicate a nation state and/or an advanced persistent threat group (APT) carried out the attack. Although some companies have suggested attributing the attack to a known APT, many organizations, including FireEye, are resisting early attribution.
2.1. SUNBURST Backdoor
The SolarWinds.Orion.Core.BusinessLayer.dll file is a digitally-signed part of Orion software that contains the SUNBURST backdoor and is installed during either a routine software update or during initial SolarWinds Orion installation. Between twelve and fourteen days after the initial compromise, SUNBURST will create a unique pipe that ensures only one instance of itself runs on an infected machine. It will then read and modify the SolarWinds.Orion.Core.BusinessLayer.dll.config file’s appSettings field to repurpose it for a persistent configuration. SUNBURST then checks that it is a part of the victim’s domain, generates a userID and reads an initial value from its configuration.
SUNBURST will iterate over a known blocklist of services and set the associated registry key values to four to disable these services. Once it disables all blocklisted services, SUNBURST will resolve the domain api[.]solarwinds[.]com to test for, and confirm, internet connectivity. SUNBURST then uses a domain generation algorithm (DGA) to determine and resolve a random subdomain of a malicious second-level domain (SLD). It is important to note that in some cases, the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims.2
SUNBURST will wait between each DGA resolution; in some cases, it will wait between one and three minutes; in others, 30 to 120 minutes; and on error conditions, it will wait between 420 and 540 minutes. If a DNS response’s A record is within a known set of classless inter-domain routing (CIDR) blocks, SUNBURST will modify its configuration to prevent future execution before terminating itself.
When SUNBURST retrieves a CNAME record in its response, it will start an HTTP thread that manages command and control (C&C) communications. This thread will wait a configurable amount of time (at least one minute) between requests. It uses the HTTP GET or HEAD methods when requesting data from the C&C, as well as the HTTP POST or PUT methods to send data in the form of a JSON blob to the C&C. Responses appear as benign XML data, but the data has commands encoded in both Globally Unique Identifier (GUID) data and other hexadecimal (HEX) data.
2.2. TEARDROP & BEACON Malware
FireEye reported that SUNBURST delivered multiple payloads, and on at least one occasion, they observed it delivering TEARDROP – a unique, memory-only dropper. Actors likely used TEARDROP to deploy Cobalt Strike’s BEACON malware.
2.3. Sophisticated Actor Behavior and Additional Malware
The actor(s) behind this attack exercised highly-sophisticated operational security (OPSEC) while carrying out operations against their victims. They:
- Ensured hostnames matched the victim’s environment,
- Used IP addresses in the same country as the victim,
- Used separate credentials for remote access and lateral movement, and
- Temporarily overwrote files with malicious utilities to later rewrite the original file contents.
These actor(s) also leveraged two additional variants of malware: COSMICGATE and SUPERNOVA. COSMICGATE is a credential stealer written in PowerShell, and SUPERNOVA is a Windows .NET program that acts as a legitimate SolarWinds HTTP handler.
3. Prevention and Mitigation
FireEye recommends upgrading to Orion Platform release 2020.2.1 HF 1 if possible. If an organization is unable to upgrade to this version of Orion, they recommend taking the following actions:
- Disconnect SolarWinds servers from the internet and isolate them, or restrict access from SolarWinds servers if this is not possible.
- Rotate credentials to accounts that have access to SolarWinds servers and/or infrastructure.
- Review network configurations created by SolarWinds, looking for anomalies.
Microsoft’s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation-state activity.3
In addition to this, the US Department of Homeland Security (DHS) recommends taking the following actions once all known malicious accounts and persistence methods have been removed:4
- Assume all hosts monitored by SolarWinds Orion software are compromised.
- Rebuild hosts monitored by SolarWinds Orion software.
- Take actions to remediate Kerberoasting;5 engage with third parties experienced in dealing with APTs as needed.
4. Indicators of Compromise
Below is a list of known IOCs related to this attack. As stated above, in some cases the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims. Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may grow as organizations investigate their environments and share their findings.
Path used by TEARDROP malware
fc00:: – fe00::
fec0:: – ffc0::
ff00:: – ff00::
|SUNBURST ceases execution if it receives a DNS A record response in these CIDR blocks|
Additional countermeasures / IOCs provided by FireEye
- “Highly Evasive Attacker Leverages SolarWinds Supply Chain ….” 13 Dec. 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. Accessed 14 Dec. 2020.
- “SANS Emergency Webcast: What you need to know about the ….” 14 Dec. 2020, https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015. Accessed 14 Dec. 2020.
- Microsoft Security Response Centre – https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- “cyber.dhs.gov – Emergency Directive 21-01.” 13 Dec. 2020, https://cyber.dhs.gov/ed/21-01/. Accessed 14 Dec. 2020.
- See https://attack.mitre.org/techniques/T1558/003/