Author: Shashank Jain
1. Executive Summary
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 That advisory summarized FireEye’s report on the campaign, including analysis of the SUNBURST backdoor, initial information on the threat actor’s tactics, techniques and procedures (TTPs), and the mitigations and indicators of compromise (IOCs) that were current at the time.
On 15 April, the Biden administration released a statement2 formally attributing the SolarWinds supply chain compromise to Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and the Dukes). The statement reported that the compromise of the SolarWinds software supply chain gave threat actors the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide, including U.S. government agencies, business customers, consulting firms, and more.
Infoblox published several Cyber Threat Advisories3 about this campaign, as well as additional information about its wide-ranging effects after conducting several internal investigations. We also summarized some of the latest information from OSINT, conveyed what we were able to validate at the time, and provided additional IOCs.
In this update, we have included new information provided by the latest alert4 from the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD) Cyber National Mission Force (CNMF) on additional SolarWinds-related malware variants – referred to as SUNSHUTTLE and SOLARFLARE.
This update also covers recent Russian SVR activity: compromising SolarWinds Orion software updates,5 targeting COVID-19 research facilities with the WellMess malware, and exploiting a VMware vulnerability (a zero-day at the time) to enable follow-on abuse of Security Assertion Markup Language (SAML) authentication.
2.1. New SolarWinds-Related Malware Variants
CISA and the DoD have reported additional malware variants related to SolarWinds: SUNSHUTTLE and SOLARFLARE. The identified malicious samples and associated artifacts can be attributed to the Russian SVR based on the methods and patterns used throughout their hacking operation.
The analysis covered a total of 18 files:
- Seven of them were identified as executables that attempt to connect to hard-coded command and control (C&C) servers using Hypertext Transfer Protocol Secure (HTTPS) on port 443 and await a response upon execution.
- One is a text file that appears to be a configuration file for a SUNSHUTTLE sample.
- Six of the files are Visual Basic Script (VBScript) files that add Windows registry keys to store an obfuscated VBScript and cause it to execute; that stored script then downloads and executes a malicious payload from its C&C server. These VBScripts were identified as MISPRINT/SIBOT.
- One of the analyzed files was identified as a server-side China Chopper web shell component observed on a network with an active SUNSHUTTLE infection. The web shell gives the threat actor an alternative route back into the network even after the SUNSHUTTLE infection itself is remediated.
- Three executables identified by FireEye as SOLARFLARE malware are written in Go and packed with the Ultimate Packer for Executables (UPX). One of them was unpacked and included in the report.
Relatedly, FireEye identified the other four executables as SUNSHUTTLE,6 a second-stage backdoor written in Go that includes some detection evasion capabilities. Two of these were unpacked and included in the report.
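The MISPRINT/SIBOT persistence described above stores a script in the registry and later executes it, so a useful hunt is to look at registry values themselves rather than only at files on disk. The following Python is an added example written for this update (it is not Infoblox, CISA or FireEye tooling): it parses a `.reg` export, decodes `hex(2)` REG_EXPAND_SZ data that a plain text grep would miss, and flags values that invoke a script host or carry VBScript. The sample export, its key paths and the value names are constructed for illustration and are not SIBOT's real registry locations; the keyword lists are a starting point to tune.

```python
import re

# Heuristics (assumption: a starting point, extend for your environment).
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "scrobj.dll", "powershell", "rundll32")
VBS_KEYWORDS = ("createobject(", "wscript.shell", "execute(", "executeglobal(", "chrw(", "chr(")

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$', re.S)


def decode_reg_data(raw: str) -> str:
    """Turn one .reg value body into readable text (strings, hex(2)/hex(7), hex)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = _HEX_RE.match(raw)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY (3)
        data = bytes.fromhex(re.sub(r'[\s,\\]', '', m.group(2)))
        if kind in (2, 7):                     # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode('utf-16-le', 'replace').rstrip('\x00').replace('\x00', '\n')
        return data.decode('latin-1')          # keep raw bytes visible for other types
    return raw                                 # dword:..., or a type we do not model


def parse_reg_export(text: str):
    """Yield (key, value_name, decoded_data) for every value in a .reg export."""
    text = re.sub(r'\\\r?\n\s*', '', text)    # join hex continuation lines ending in '\'
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = _VALUE_RE.match(line)
        if vm and key:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            yield key, name, decode_reg_data(vm.group(3))


def hunt_reg_export(text: str):
    """Return values whose data invokes a script host or contains VBScript."""
    findings = []
    for key, name, data in parse_reg_export(text):
        low = data.lower()
        reasons = []
        hosts = [h for h in SCRIPT_HOSTS if h in low]
        if hosts:
            reasons.append("script host: " + ", ".join(hosts))
        kws = [k for k in VBS_KEYWORDS if k in low]
        if kws:
            reasons.append("script keywords: " + ", ".join(kws))
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export (paths and values invented for the example, not SIBOT's real ones).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDriveSync"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"Updater"="wscript.exe //B //E:vbscript C:\\ProgramData\\upd.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Cache]
"Blob"="Set o = CreateObject(\"WScript.Shell\"): Execute(o.RegRead(\"HKLM\\SOFTWARE\\Example\\Cache\\Stage2\"))"
"Stage2"=hex(2):6d,00,73,00,68,00,74,00,61,00,00,00
'''

if __name__ == "__main__":
    for f in hunt_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {'; '.join(f['reasons'])}")
```

Run it against `reg export HKLM\SOFTWARE out.reg /y` output from a suspect host; the `hex(2)` branch matters because a script stored as REG_EXPAND_SZ shows up in the export as comma-separated UTF-16 bytes, not as text.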
The use of the same language (Go) in all seven malicious binaries, together with the same packing technique, indicates that a single threat actor produced all of the reported binaries.
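The traits the report relies on (Go binaries, UPX packing, hard-coded HTTPS C&C on 443) can be checked mechanically before a full analysis. The Python below is an added example for this update, not code from the report or from any of the vendors named: it looks for UPX and Go build-info markers and extracts plaintext URLs from a sample, and it reports when a packed sample still needs `upx -d` before the Go markers and C&C strings can appear. The two sample blobs are constructed stand-ins, not real malware bytes, and the marker lists are heuristics for triage rather than proof of origin.

```python
import re
from dataclasses import dataclass, field

# Heuristic byte markers (assumption: adequate for first-pass triage, not proof of origin).
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")                       # UPX trailer and section names
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"go.buildid")  # Go linker build-info strings
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?")


@dataclass
class Triage:
    is_pe: bool
    upx_packed: bool
    go_binary: bool
    urls: list = field(default_factory=list)

    @property
    def needs_unpack(self) -> bool:
        # Packing compresses the body, so Go markers and C2 strings stay hidden until `upx -d`.
        return self.upx_packed and not self.go_binary and not self.urls


def triage_bytes(data: bytes) -> Triage:
    """Report PE/UPX/Go markers and any plaintext URLs found in a sample."""
    is_pe = data[:2] == b"MZ"
    upx = any(m in data for m in UPX_MARKERS)
    go = any(m in data for m in GO_MARKERS)
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
    return Triage(is_pe, upx, go, urls)


def triage_file(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


# Constructed stand-ins (not real malware bytes): a UPX-packed blob and an unpacked Go-like blob.
PACKED_SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00.rsrc\x00\x00\x00"
    + bytes(range(256)) * 4          # opaque "compressed" body
    + b"UPX!"
)
UNPACKED_SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00.text\x00\x00\x00.go.buildinfo\x00"
    + b"\xff Go buildinf:\x08\x02" + b"\x00" * 16
    + b"https://c2.example.invalid:443/api/status\x00"
    + b"runtime.main\x00"
)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        t = triage_bytes(blob)
        print(f"{name}: pe={t.is_pe} upx={t.upx_packed} go={t.go_binary} "
              f"needs_unpack={t.needs_unpack} urls={t.urls}")
```

On the packed stand-in only the UPX markers are visible; on the unpacked one the Go build-info magic and the HTTPS URL surface, which is where you would go on to compare hashes and domains against the published IOCs.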
2.2. Russian SVR Targets U.S. and Allied Networks
The SVR has exploited, and continues to exploit, the following vulnerabilities to gain an initial foothold on victim devices and networks. Depending on the flaw, successful exploitation yields credentials, arbitrary file reads, or unauthorized code execution on the exposed device.
- CVE-2018-13379 Fortinet: A path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download system files (including the SSL VPN session file, which holds plaintext credentials) via specially crafted HTTP resource requests.
- CVE-2019-9670 Zimbra: An XML External Entity injection (XXE) vulnerability in the mailboxd component of Zimbra Collaboration Suite that allowed unauthenticated code execution.
- CVE-2019-11510 Pulse Secure: A critical arbitrary file disclosure vulnerability in Pulse Connect Secure that allowed an unauthenticated remote attacker to read arbitrary files, including usernames and plaintext passwords, from vulnerable endpoints.
- CVE-2019-19781 Citrix: A critical directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway that allowed an unauthenticated attacker to execute arbitrary code.
- CVE-2020-4006 VMware: A command injection vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector. It is a post-authentication flaw: an attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.
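Three of the flaws above (Fortinet, Pulse Secure, Citrix) are reached with traversal-style HTTP requests, which leave a recognisable trace in web or appliance access logs. The Python below is an added example for this update, not code from the NSA/CISA/FBI advisory: it parses combined-format access-log lines, percent-decodes repeatedly so double-encoded `..` is not missed, flags any request whose path or query contains a `..` segment after decoding, and raises the severity when the decoded target names a sensitive file. The log lines are constructed for the example and are shaped like the publicly documented request patterns for those CVEs; the `SENSITIVE` list and the log format are assumptions to adapt to your own appliances.

```python
import re
from urllib.parse import unquote

# Combined-format access-log parser (assumption: Apache/nginx style lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Files that traversal requests against these appliance classes reach for
# (assumption: a starting list, extend per product).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "sslvpn_websession",
             "/vpns/cfg/smb.conf", "/vpns/portal/scripts/")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is not missed."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_traversal(target: str) -> bool:
    """True when any path or query segment is '..' after decoding; browsers normalise these away."""
    decoded = decode_fully(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=;]", decoded))


def hunt_log(text: str):
    """Return traversal-style requests with a severity based on the decoded target."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        decoded = decode_fully(m["target"])
        hit = [s for s in SENSITIVE if s in decoded]
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "target": m["target"], "decoded": decoded,
            "severity": "high" if hit else "medium", "sensitive": hit,
        })
    return findings


# Constructed log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2021:10:01:22 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2021:10:01:23 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096
198.51.100.9 - - [12/Apr/2021:10:02:10 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1800
198.51.100.9 - - [12/Apr/2021:10:02:11 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 600
192.0.2.44 - - [12/Apr/2021:10:03:00 +0000] "GET /images/logo%2520.png HTTP/1.1" 200 2200
192.0.2.44 - - [12/Apr/2021:10:03:05 +0000] "GET /cgi-bin/..%252f..%252fconfig HTTP/1.1" 404 150
"""

if __name__ == "__main__":
    for f in hunt_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['status']} {f['decoded']}")
```

A `..` segment that survives decoding is never something a browser sends, so even the medium findings deserve a look; a high finding with a 200 response means the file was served and the credentials in it should be treated as exposed.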
3. Prevention and Mitigation
The National Security Agency (NSA), CISA, and the Federal Bureau of Investigation (FBI) jointly issued a cybersecurity advisory, Russian SVR Targets U.S. and Allied Networks,7 that details the software vulnerabilities the SVR uses to gain access to victim devices and networks and the specific steps network defenders can take to identify and defend against the SVR’s malicious cyber activity. CISA’s malware analysis report also documents the new malicious binaries and provides YARA rules for most of them, which defenders can deploy to detect those binaries.
3.1. Indicators of Compromise
Below is a supplementary list of IOCs related to this attack, compiled from OSINT. CISA published an extended list of IOCs in its 15 April report8 on the campaign; the tables below include only indicators from that report.
Additional hashes related to the SolarWinds attack
Additional domains related to the SolarWinds attack
Additional IPs related to the SolarWinds attack