Authors: Victor Sandin and Darby Wise
1. Executive Summary
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 This advisory detailed FireEye’s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor’s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. Known victims include government agencies, as well as private sector and critical infrastructure organizations.3
Since the publishing of our previous report, we have gathered additional information about the wide-ranging effects of this campaign, and are conducting several internal investigations. We are publishing this update to share some of the latest information from OSINT, as well as convey what we have been able to validate. This report also includes additional IOCs.
2.1. Updates on Supply Chain Attack
As previously reported, the threat actor used a highly sophisticated attack chain to deliver malicious code via a backdoor injected into a dynamic-link library (DLL) that was part of a legitimate update to some versions of SolarWinds Orion software (SolarWinds.Orion.Core.BusinessLayer.dll). Based on the update release date and passive DNS (pDNS) data, this breach started as early as March 2020. However, ReversingLabs has reportedly found that in October 2019, the threat actor distributed malicious files without the embedded backdoor to test whether or not these files would be detected.4
The threat actor was able to remain undetected for an extended period of time by employing sophisticated obfuscation methods such as imitating the legitimate SolarWinds coding style and naming standards, using virtual private servers (VPSs) with IPs native to the victim’s home country, and leveraging compromised security tokens for lateral movement. Further analysis indicates that the threat actor used escalated Active Directory privileges to compromise the Security Assertion Markup Language (SAML) signing certificate and create valid tokens that could be used to access environment resources for data exfiltration.
According to a new alert from the Cybersecurity and Infrastructure Security Agency (CISA), it appears that the threat actor used multiple initial access vectors in addition to the SolarWinds Orion platforms. Volexity reported having evidence connecting the TTPs from this campaign to multiple incidents from late 2019 and early 2020 targeting a US-based think tank. Volexity designated the actor responsible for these attacks Dark Halo.5 In one of these incidents, Volexity observed the APT using a stolen secret key, known as an akey, to generate a cookie that bypassed the Duo multi-factor authentication (MFA) service and allowed access to a user’s email via the Outlook Web App (OWA). While we are still investigating our non-Orion products, to date we have not seen evidence that they are impacted by SUNBURST.
Our previous report included information from FireEye stating the APT deployed other variants of malware as additional payloads, including TEARDROP, SUPERNOVA, and COSMICGALE. Since then, ZDNet has reported in agreement that the threat actor downloaded TEARDROP, a memory-only dropper, but also reported that further analysis by security researchers and Microsoft indicates SUPERNOVA and COSMICGALE were not part of this campaign’s attack chain and should be considered a separate attack targeting CVE-2019-8917.6
2.2. Decoding the DGA Algorithm
Several teams have published findings pertaining to decoding the elements of the FQDNs created by the threat actor’s DGA. The RedDrip Team from QiAnXin Technology published a decoder and determined that each subdomain is composed of three parts: a globally unique identifier (GUID) value derived from a hash of the hostname and the MAC address of the first or default active, non-loopback interface; a single byte indicating whether it is the first, second or third part of the payload (the infected system’s domain name); and finally, a custom base32-encoded hostname that identifies the victim. Longer domains are split across multiple queries and assembled later by matching the GUID section after applying a byte-by-byte exclusive OR.7,8
- The decoded value for the single byte indicating which part of the payload the subdomain includes ranges from 0 to 35. The first part of the payload will have a byte value of 0 if the domain is long enough to require multiple requests. Infected systems with short domain names will have only one request with a byte value of 35.
Subsequently, the NETRESEC team created a tool to further decode the SUNBURST subdomains in an effort to help identify SUNBURST victims. Since 18 December, they have released several versions of the decoder.9
2.3. DNS Activity
From a DNS perspective, Infoblox has been able to verify that once a victim has been infected with SUNBURST, the malware beacons to avsvmcloud[.]com with a hostname generated by a DGA to exfiltrate data about the victim, as described above. The threat actor can return one of several responses in the form of an IP. We have not yet determined, nor seen reporting in OSINT on, what factor(s) trigger different responses from the threat actor. From our analysis it appears that the number of entities that receive direction to move to the second-stage domains, passed via a CNAME resolution, is much smaller than the overall number that contact the initial server. It remains unclear how the actor chooses which victims to move into different stages of the attack.
Our analysis has also shown that if queries resolve to an IP that matches a pattern producing an address family of “NetBios,” it appears to trigger certain follow-on activity. IPs that match a pattern producing an address family of “Implink” or “Atm” serve as prompts for enumerating processes and services. IPs that resolve as “Ipx” appear to be requests for updates to local “Status” configurations. Infoblox has not observed data to confirm this. Other address families appear to include “InterNetwork,” “InterNetworkV6,” and “Error.”
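The following is an added example, not Infoblox tooling, that applies the DNS observations above (beacons to avsvmcloud[.]com carrying a DGA label, and a CNAME response marking the move to a second-stage domain) to a constructed resolver log. It assumes a simple "timestamp client qname rtype answer" log format and treats the first 16 characters of the DGA label as the victim identifier; the real decoder must first undo the per-query XOR described in section 2.2 and use the custom base32 alphabet, which is not reproduced here.

```python
"""Triage resolver logs for SUNBURST beacons to avsvmcloud[.]com.

Constructed example. Assumed (not from the advisory): the log line format,
the GUID prefix length, and the sample data below.
"""
import re
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"   # first-stage C&C domain named in the advisory
GUID_LEN = 16                  # assumed length of the victim-identifier prefix

# Assumed log format: "<ts> <client_ip> <qname> <rtype> <answer>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
                    r"(?P<rtype>[A-Z]+)\s+(?P<answer>\S+)$")

def parse_line(line):
    """Return a record for a query under the C&C domain, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    qname = rec["qname"].rstrip(".").lower()
    if not qname.endswith("." + C2_DOMAIN):
        return None
    labels = qname[: -len(C2_DOMAIN) - 1].split(".")
    rec["dga_label"] = labels[0]            # DGA-generated leftmost label
    rec["region"] = ".".join(labels[1:])    # e.g. appsync-api.eu-west-1
    # Simplification: real SUNBURST XORs the GUID with a per-query byte,
    # so the prefix must be decoded before matching; here it is taken as-is.
    rec["guid"] = labels[0][:GUID_LEN]
    return rec

def triage(lines):
    """Group beacons per victim identifier and record any CNAME redirects."""
    victims = defaultdict(lambda: {"clients": set(), "queries": 0, "cnames": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        v = victims[rec["guid"]]
        v["clients"].add(rec["client"])
        v["queries"] += 1
        if rec["rtype"] == "CNAME":          # second-stage direction per the advisory
            v["cnames"].add(rec["answer"].rstrip("."))
    return victims

def second_stage_victims(victims):
    """Victim identifiers that received a CNAME, i.e. were moved to stage two."""
    return sorted(g for g, v in victims.items() if v["cnames"])

SAMPLE_LOG = """\
2020-12-14T10:01:02Z 10.1.2.3 k7x2qp9mzb4vnr1l8d3fh5w.appsync-api.eu-west-1.avsvmcloud.com A 198.51.100.20
2020-12-14T10:01:05Z 10.1.2.3 k7x2qp9mzb4vnr1lq2r8t0.appsync-api.eu-west-1.avsvmcloud.com A 198.51.100.20
2020-12-14T10:07:44Z 10.1.2.3 k7x2qp9mzb4vnr1lxyz123.appsync-api.eu-west-1.avsvmcloud.com CNAME secondstage.example.invalid.
2020-12-14T10:09:10Z 10.1.5.9 a1b2c3d4e5f6g7h8ijklm.appsync-api.us-west-2.avsvmcloud.com A 198.51.100.21
2020-12-14T10:09:15Z 10.1.5.9 www.example.com A 93.184.216.34
"""  # constructed sample lines; placeholder addresses and CNAME target
```

Run `triage(SAMPLE_LOG.splitlines())` to see that only one of the two beaconing identifiers was handed a CNAME, the pattern the advisory describes.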
3. Prevention and Mitigation
FireEye, in coordination with GoDaddy, recently transferred control of the command and control (C&C) domain (avsvmcloud[.]com) to Microsoft to disable the SUNBURST backdoor from further execution.10 GoDaddy created a wildcard DNS resolution ensuring any subdomain of the threat actor’s C&C resolving to an IP address will not prompt any follow-on actions.
While this new DNS resolution will disable SUNBURST backdoor deployments connecting to the C&C, FireEye has stated that the attackers may have deployed other backdoors preventing the victims from removing the threat actor completely from their networks.
CISA included in their alert detailed mitigations for organizations that use the specific products affected by this attack chain.3
FireEye recommends the following upgrades to its affected customers, if possible:
- Customers using Orion Platform v2020.2 with no hotfix or 2020.2.1 HF1 should upgrade to 2020.2.1 HF 2, or
- Customers using Orion Platform v2019.4 HF 5 should upgrade to 2019.4 HF 6.
If an organization is unable to upgrade to this version of Orion, FireEye recommends taking the following actions:
- Disconnect SolarWinds servers from the Internet and isolate them, or restrict access from SolarWinds servers if this is not possible.
- Rotate credentials to accounts that have access to SolarWinds servers and/or infrastructure.
- Review network configurations created by SolarWinds, looking for anomalies.
Microsoft’s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation state activity.11
It is important to block all communications to the threat actor’s C&C servers that are listed in the IOC table, as well as any further indicators released by security vendors confirmed to be part of this campaign.
4. Indicators of Compromise
Below is a supplementary list of IOCs related to this attack, according to OSINT. CISA published an extended list of IOCs in their 17 December report on the campaign.
As stated in our previous report, in some cases the actor behind SUNBURST specifically tailored their infrastructure to different victims. Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may continue to grow as organizations investigate their environments and share their findings.
4.1. Additional Indicators
SUNBURST DLL SHA256
Additional IOCs from Volexity report
Additional SUNBURST domains