Authors: Victor Sandin and Jeremy Ware
TLP:WHITE
1. Executive Summary
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds' Orion IT monitoring and management software [1]. That advisory summarized FireEye's report on the campaign, including analysis of the SUNBURST backdoor, initial information on the threat actor's tactics, techniques and procedures (TTPs), and the mitigations and indicators of compromise (IOCs) that were current at the time [2].
The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating the work of an advanced persistent threat (APT) group. In a 5 January joint statement, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) indicated that, based on their investigations, the APT is likely Russian in origin [3]. Known victims include government agencies as well as private sector and critical infrastructure organizations [4].
In our first update, we shared additional information about the wide-ranging effects of this campaign after conducting several internal investigations [5]. We summarized the latest OSINT at that point, conveyed what we had been able to validate, and provided additional IOCs.
Today's update incorporates the latest CISA alert and recent OSINT on additional attack vectors, the use of anti-analysis blocklists, privilege escalation and persistence, compromised accounts and applications in Azure/Microsoft 365 environments, and the command and control protocol. We have also updated the IOC table with new information.
2. Analysis
2.1. Updates on Supply Chain Attack and Initial Vectors
As previously reported, evidence suggests the threat actor(s) used additional initial attack vectors beyond SolarWinds' Orion software. In some incidents under investigation by CISA [6], the threat actor(s) appear to have obtained initial access through brute force techniques such as password guessing and password spraying, as well as through compromised administrative credentials accessible via external remote access services.
2.2. Anti-Analysis Blocklists
According to CISA, to disguise the strings used to detect security products, the threat actors did not embed the names themselves: they embedded a list of custom hashes, each produced by the non-cryptographic hash function FNV-1a followed by an XOR with a fixed constant. A hash cannot be reversed directly, so recovering the names means guessing candidate strings and hashing each one. Through a joint effort by the information security community the hashes were brute-forced and the results published to FireEye's GitHub [7].
SUNBURST checks process, service and driver names against its blocklist. If a blocklisted process or driver is found, it pauses execution and retries the check later. If a blocklisted service is found, SUNBURST attempts to disable it by editing the service configuration in the Windows Registry. After this modification, the backdoor updates the ReportWatcherPostpone configuration value to record which service was disabled, and subsequent service blocklist checks skip the services listed in that value. SUNBURST continues past this check only when no blocklisted process or driver is present.
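The hashing scheme described above is easy to reproduce, which is exactly why the blocklist could be cracked. The example below is added here and is not Infoblox's, FireEye's or the malware's code: it implements 64-bit FNV-1a followed by the XOR constant reported in public analyses of the sample (6605813339339102567 decimal), then recovers names from a hash list by hashing a guessed candidate list, the same approach the community used. The candidate names and the simulated "published" hash list are constructed for the example; lower-casing the name before hashing is an assumption about the sample's normalization.

```python
# Added example, not code from the original advisory or from the SUNBURST sample:
# reproduce the blocklist hash (FNV-1a 64 then XOR) and brute-force it by guessing.

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
# Constant XORed onto the FNV-1a digest, as reported for the sample
# (6605813339339102567 in decimal).
SUNBURST_XOR_KEY = 0x5BAC903BA7D81967


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """Blocklist hash of a process/service/driver name.

    Lower-casing before hashing is an assumption about how the sample
    normalizes names; adjust if your own analysis shows otherwise.
    """
    return fnv1a_64(name.lower().encode("utf-8")) ^ SUNBURST_XOR_KEY


def crack(hashes, candidates):
    """Map each hash to the candidate that produces it, or None if no guess hits.

    This is the whole 'brute force': the hash is one-way, but the input space
    (tool and driver names) is small enough to enumerate.
    """
    table = {sunburst_hash(c): c for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed candidate list: names a defender would try first (analysis and
# security tooling). It is NOT the blocklist from the sample.
CANDIDATES = ["procmon", "wireshark", "x64dbg", "apimonitor-x64", "sysmon",
              "windbg", "ida64", "fiddler", "ollydbg", "procexp"]

if __name__ == "__main__":
    # Simulated published hash list: two values our candidates cover and one
    # they do not, so the output shows both a hit and an uncracked entry.
    published = [sunburst_hash("procmon"), sunburst_hash("wireshark"), 0x1234]
    for h, name in crack(published, CANDIDATES).items():
        print(f"{h:016x} -> {name or 'uncracked'}")
```

To check your own environment, hash the names of the security and monitoring tools you run and compare them against the published list: a match tells you which of your controls the backdoor would have paused for or tried to disable.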
2.3. Updates on Privilege Escalation and Persistence
As previously reported, the threat actors used their escalated AD privileges to compromise the Security Assertion Markup Language (SAML) signing certificate, create valid tokens, and present them to services that trust SAML tokens from the environment. CISA has observed that the threat actors also added authentication credentials by assigning tokens and certificates to existing Azure/Microsoft 365 application service principals. These credentials give the actor programmatic access to manage Microsoft cloud tenants and operate on the hosted resources. The technique lets the threat actors maintain persistence without generating significant evidence or telemetry, because not all Microsoft 365 licensing levels log these events.
Microsoft reported [8] that in some cases the threat actors also added one or more new federation trusts to existing on-premises infrastructure, so that authentication could take place outside the organization's known infrastructure and therefore potentially not be visible to the legitimate system owner.
2.4. Compromised Azure/Microsoft 365 Resources
CISA also reported that the threat actor(s) could have compromised accounts and applications in Azure/Microsoft 365 environments. This leaves indicators of compromise (IOCs) in the Azure/M365 unified audit log, as well as changes to Azure service principals. CISA has developed a PowerShell tool called Sparrow.ps1 [9] to check the unified audit log and detect these compromises.
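For organizations that have already exported their unified audit log, the following is an added example (not CISA's Sparrow and not code from this advisory) that scans such an export for the two persistence techniques described in sections 2.3 and 2.4: federation trust or domain authentication changes, and credentials added to service principals. The record layout follows the columns Search-UnifiedAuditLog emits (CreationDate, UserIds, Operations, AuditData), the sample records are constructed, and the operation names to flag are an illustrative starting set rather than a complete list.

```python
# Added example, not part of the original advisory and not CISA's Sparrow:
# flag federation-trust changes and service-principal credential additions in
# a unified audit log export.
import json

# Operation names to flag. Illustrative set: extend it from your tenant's own
# audit data; some tenants render the dash in the "Update application" entry
# as an en dash, so both spellings are listed.
FEDERATION_OPS = {
    "Set federation settings on domain.",
    "Set domain authentication.",
}
SP_CREDENTIAL_OPS = {
    "Add service principal credentials.",
    "Update application - Certificates and secrets management ",
    "Update application \u2013 Certificates and secrets management ",
}


def _record(date, user, op, audit):
    """Build one export line the way Search-UnifiedAuditLog emits it:
    the AuditData column is itself a JSON string."""
    return json.dumps({"CreationDate": date, "UserIds": user,
                       "Operations": op, "AuditData": json.dumps(audit)})


# Constructed sample export: a federation change, a credential added to a
# service principal, and one benign record that must not be flagged.
SAMPLE_EXPORT = "\n".join([
    _record("2020-12-20T03:14:07", "admin@example.test",
            "Set federation settings on domain.",
            {"Operation": "Set federation settings on domain.",
             "ObjectId": "example.test", "UserId": "admin@example.test",
             "ModifiedProperties": [{"Name": "IssuerUri",
                                     "NewValue": "http://sts.attacker.test/adfs/services/trust"}]}),
    _record("2020-12-20T03:20:55", "admin@example.test",
            "Add service principal credentials.",
            {"Operation": "Add service principal credentials.",
             "ObjectId": "ServicePrincipal_11111111-2222-3333-4444-555555555555",
             "UserId": "admin@example.test"}),
    _record("2020-12-21T09:02:11", "alice@example.test", "FileAccessed",
            {"Operation": "FileAccessed",
             "ObjectId": "https://example.test/doc.docx",
             "UserId": "alice@example.test"}),
])


def scan_export(text):
    """Return one finding per federation change or service-principal credential addition."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        audit = json.loads(rec["AuditData"])
        op = audit.get("Operation", rec.get("Operations"))
        if op in FEDERATION_OPS:
            kind = "federation-trust-change"
        elif op in SP_CREDENTIAL_OPS:
            kind = "service-principal-credential-added"
        else:
            continue
        findings.append({
            "kind": kind,
            "time": rec["CreationDate"],
            "actor": audit.get("UserId"),
            "target": audit.get("ObjectId"),
            "operation": op,
            "changes": audit.get("ModifiedProperties", []),
        })
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f['time']} {f['kind']:<38} actor={f['actor']} target={f['target']}")
```

Every finding should be reconciled against change-control records: a federation trust or service-principal credential that nobody can account for is the persistence mechanism described above, and the credential and trust should be removed and rotated rather than merely investigated. Remember the caveat from section 2.3 that lower licensing levels may not record these operations at all, in which case an empty result is not evidence of absence.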
2.5. Command and Control Coordinator Protocol
SUNBURST uses a two-part C&C protocol that involves DNS and HTTPS. In passive mode, which is also the starting mode, the malware communicates only over DNS and receives high-level updates to its state from its C&C domain (avsvmcloud[.]com). We described both the DGA and the DNS activity in our previous report [10].
When the C&C server answers with a DNS CNAME record, SUNBURST switches to active mode and communicates over HTTPS with the server named by the CNAME, from which it receives detailed commands such as spawning a process or transferring a file. This transition happens only if the accompanying A record points into a specific subnetwork. SUNBURST then uses the least significant bits of the A record's IP address to select the proxy method and Uniform Resource Identifier (URI) scheme, as well as a delay value used by the HTTPS thread.
Once in active mode, the backdoor uses GET and POST requests to communicate with its C&C server. On a GET request, the malware adds an If-None-Match HTTP header that carries the encoded user ID. This likely lets the C&C server determine which SUNBURST installation generated the request, enabling multiplexing of C&C streams on a single server.
The C&C server hides its commands steganographically inside a response crafted to look like benign XML describing .NET assemblies.
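From a defender's side, the DNS half of this protocol is the most widely available evidence: a host in passive mode only ever generates DGA lookups under avsvmcloud[.]com and gets A records back, whereas a host that received a CNAME was handed an HTTPS C&C server and should be treated as having reached active mode. The following is an added example (not code from this advisory) that pulls those two populations out of resolver logs. The log format (timestamp, client, query name, record type, record data, one answer record per line), the DGA-looking labels, the CNAME target c2.example.net and all addresses are constructed for the example; adapt parse_line to your resolver's actual output.

```python
# Added example, not part of the original advisory: triage resolver logs for
# SUNBURST beacons and separate passive-mode hosts from hosts handed a CNAME.
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"

# Constructed log: "<ts> <client> <qname> <rtype> <rdata>", one answer per line.
SAMPLE_LOG = """\
2020-12-14T10:01:02Z 10.20.0.15 7sbvaemescs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.7
2020-12-14T10:02:45Z 10.20.0.44 gq1h856599gqh5aubqqk.appsync-api.us-west-2.avsvmcloud.com A 203.0.113.9
2020-12-14T10:02:45Z 10.20.0.44 gq1h856599gqh5aubqqk.appsync-api.us-west-2.avsvmcloud.com CNAME c2.example.net
2020-12-14T10:02:46Z 10.20.0.44 c2.example.net A 198.51.100.23
2020-12-14T10:03:10Z 10.20.0.90 www.example.org A 198.51.100.99
2020-12-14T10:31:02Z 10.20.0.15 mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.7
"""


def parse_line(line):
    """Split one constructed log line into its fields, normalizing names."""
    ts, client, qname, rtype, rdata = line.split(None, 4)
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rtype": rtype.upper(), "rdata": rdata.strip().lower()}


def is_c2_query(qname):
    """True for the C&C apex or any subdomain of it (not look-alike suffixes)."""
    return qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN)


def triage(log_text):
    """Per client: beacon count, CNAMEs received, first/last seen, and mode."""
    hosts = defaultdict(lambda: {"beacons": 0, "cnames": [],
                                 "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_c2_query(rec["qname"]):
            continue
        h = hosts[rec["client"]]
        if rec["rtype"] == "CNAME":
            # A CNAME answer is the active-mode hand-off to the HTTPS C&C.
            if rec["rdata"] not in h["cnames"]:
                h["cnames"].append(rec["rdata"])
        else:
            h["beacons"] += 1
        # ISO-8601 timestamps sort lexically, so min/max give first/last seen.
        h["first_seen"] = rec["ts"] if h["first_seen"] is None else min(h["first_seen"], rec["ts"])
        h["last_seen"] = rec["ts"] if h["last_seen"] is None else max(h["last_seen"], rec["ts"])
    return {client: dict(h, mode="active" if h["cnames"] else "passive")
            for client, h in hosts.items()}


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(f"{client:<12} {info['mode']:<8} beacons={info['beacons']} "
              f"cnames={info['cnames']} {info['first_seen']}..{info['last_seen']}")
```

Hosts reported as active are the ones to prioritize for the HTTPS-side investigation in section 2.6; the CNAME targets they were given are themselves new C&C indicators to block and to search for across proxy and firewall logs.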
2.6. HTTPS Backdoor
In active mode, the backdoor receives the command to execute from the HTTPS response. FireEye has analyzed the capabilities of SUNBURST, which include [11]:
- Collect system information including hostname, username, OS version, MAC addresses, IP address, DHCP configuration and domain information;
- Start new processes with a given file path and arguments;
- List running processes along with their parent process PID and the user and domain of each process's owner;
- Kill processes;
- List files and directories of a given path;
- Test if a given file exists, as well as edit and remove files;
- Get MD5 of a given file and check if the hash of a given file matches a given hash;
- Read, write and delete Windows registry keys;
- List subkeys and value names beneath the given registry path; and
- Reboot the system.
The results of these commands are compressed and then XOR-encoded with a single byte, with that XOR key prepended to the message. The message is then wrapped in JSON documents that resemble the Orion Improvement Program (OIP) messages SolarWinds uses legitimately.
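An analyst who captures one of these POST bodies needs to undo the encoding to read the command output. The following is an added example, not the malware's code and not code from this advisory: it implements the scheme described above (compress, XOR every byte with one key byte, prepend the key) together with the decoder, and carries the blob inside a telemetry-shaped JSON document. DEFLATE is assumed as the compressor, and the field names in the envelope (userId, sessionId, steps, Index, Message) are illustrative and do not reproduce SUNBURST's OIP schema.

```python
# Added example, not part of the original advisory or the SUNBURST sample:
# result encoding (DEFLATE, single-byte XOR, key prepended) and its decoder.
import json
import os
import zlib


def xor_bytes(data, key):
    """XOR every byte with the same single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def raw_deflate(data):
    # -15 selects raw DEFLATE with no zlib header; assumed compressor here.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def raw_inflate(data):
    return zlib.decompress(data, -15)


def pack_result(plaintext, key=None):
    """Compress, XOR with one random byte, and prepend that byte."""
    if key is None:
        key = os.urandom(1)[0]
    return bytes([key]) + xor_bytes(raw_deflate(plaintext), key)


def unpack_result(blob):
    """Decoder: first byte is the key, the rest is XORed compressed data."""
    key, body = blob[0], blob[1:]
    return raw_inflate(xor_bytes(body, key))


def wrap_as_telemetry(blob, user_id="b0f7e3d5c1a2"):
    """Illustrative envelope only; field names are not SUNBURST's OIP schema."""
    return json.dumps({"userId": user_id,
                       "sessionId": "00000000-0000-0000-0000-000000000000",
                       "steps": [{"Index": 0, "Message": blob.hex()}]})


def unwrap_telemetry(doc):
    """Recover the plaintext from every step in an envelope."""
    obj = json.loads(doc)
    return b"".join(unpack_result(bytes.fromhex(s["Message"])) for s in obj["steps"])


if __name__ == "__main__":
    # Constructed command output, as a process listing might look.
    output = b"PID 4212 svchost.exe NT AUTHORITY\\SYSTEM\nPID 5120 notepad.exe CORP\\alice\n"
    doc = wrap_as_telemetry(pack_result(output))
    print(doc)
    print(unwrap_telemetry(doc).decode())
```

The practical point for detection is that the XOR key is in the clear: a single-byte XOR over compressed data does not hide structure well, so even without the envelope a captured blob can be decoded by trying the first byte as the key, and a blob that inflates cleanly after that step is strong evidence of this encoding.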
2.7. Mode of Operation
SUNBURST has three modes of operation: active, passive and disabled. The backdoor configuration key ReportWatcherRetry stores the mode the malware was last running in.
As described above, in passive mode SUNBURST performs only DNS beaconing, with the beacon carrying the AD domain. Infoblox has confirmed that the switch to active mode begins once the CNAME returned for the DGA domain resolves through the local resolver: the backdoor generates the DGA domain, records the returned CNAME as its new C&C address, and the class that implements the HTTPS backdoor later uses that CNAME. If the returned A record falls into specific CIDR ranges, or if no CNAME is returned, SUNBURST either retries later or switches to disabled mode, in which it stops further execution unless the backdoor configuration key is edited.
3. Prevention and Mitigation
CISA has added guidance for networks where the malicious binary is present but there is no evidence of secondary C&C activity to a separate domain or IP address, of actions on objectives (AOOs) such as SAML token abuse, or of any other adversary activity. In these cases, CISA indicates that organizations can rebuild the platform, harden the configuration according to SolarWinds' secure configuration guidelines, and resume use as determined by and consistent with their own thorough risk evaluation.
3.1. Indicators of Compromise
Below is a supplementary list of IOCs related to this attack, according to OSINT. CISA published an extended list of IOCs in its 17 December report on the campaign and updated it on 7 January with new indicators. This table includes only the indicators from the 7 January update.
Indicators | Description
---------- | -----------
ervsystem[.]com | Additional SUNBURST domains
infinitysoftwares[.]com | Additional SUNBURST domains
mobilnweb[.]com | Additional SUNBURST domains
02af7cec58b9a5da1c542b5a32151ba1 | Additional SSL hashes
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c | Additional SSL hashes
02af7cec58b9a5da1c542b5a32151ba1 | Additional SUNBURST hashes
0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 | Additional SUNBURST hashes
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c | Additional SUNBURST hashes
1b476f58ca366b54f34d714ffce3fd73cc30db1a | Additional SUNBURST hashes
20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 | Additional SUNBURST hashes
2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d | Additional SUNBURST hashes
2dafddbfb0981c5aa31f27a298b9c804e553c7bc | Additional SUNBURST hashes
6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d | Additional SUNBURST hashes
92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690 | Additional SUNBURST hashes
a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d | Additional SUNBURST hashes
a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2 | Additional SUNBURST hashes
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 | Additional SUNBURST hashes
b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666 | Additional SUNBURST hashes
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 | Additional SUNBURST hashes
cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 | Additional SUNBURST hashes
e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d | Additional SUNBURST hashes
fd15760abfc0b2537b89adc65b1ff3f072e7e31c | Additional SUNBURST hashes
ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8 | Additional SUNBURST hashes
107[.]152[.]35[.]77 | Additional SUNBURST IPs
13[.]59[.]205[.]66 | Additional SUNBURST IPs
173[.]237[.]190[.]2 | Additional SUNBURST IPs
198[.]12[.]75[.]112 | Additional SUNBURST IPs
20[.]141[.]48[.]154 | Additional SUNBURST IPs
34[.]203[.]203[.]23 | Additional SUNBURST IPs
Endnotes
1. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-solarwinds-supply-chain-attack/
2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
3. https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
4. https://us-cert.cisa.gov/ncas/alerts/aa20-352a
5. https://blogs.infoblox.com/cyber-threat-intelligence/solarwinds-and-sunburst-update/
6. https://us-cert.cisa.gov/ncas/alerts/aa20-352a
7. https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
8. https://us-cert.cisa.gov/ncas/alerts/aa20-352a. CISA reported the Microsoft finding and refers to a Microsoft query for identifying these cases, published at https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
9. https://github.com/cisagov/Sparrow
10. https://blogs.infoblox.com/cyber-threat-intelligence/solarwinds-and-sunburst-update/
11. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html