Authors: Victor Sandin and Darby Wise
TLP:WHITE
1. Executive Summary
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 This advisory detailed FireEye’s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor’s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. Known victims include government agencies, as well as private sector and critical infrastructure organizations.3
Since the publishing of our previous report, we have gathered additional information about the wide-ranging effects of this campaign, and are conducting several internal investigations. We are publishing this update to share some of the latest information from OSINT, as well as convey what we have been able to validate. This report also includes additional IOCs.
2. Analysis
2.1. Updates on Supply Chain Attack
As previously reported, the threat actor used a highly sophisticated attack chain to deliver malicious code via a backdoor injected into a dynamic-link library (DLL) that was a part of a legitimate update to some versions of SolarWinds Orion software (SolarWinds.Orion.Core.BusinessLayer.dll). Based on the update release date and passive DNS (pDNS) data, this breach started as early as March 2020. However, ReversingLabs has reportedly found that in October 2019, the threat actor distributed malicious files without the embedded backdoor to test whether or not these files would be detected.4
The threat actor was able to remain undetected for an extended period of time by employing sophisticated obfuscation methods such as imitating the legitimate SolarWinds coding style and naming standards, using virtual private servers (VPSs) with IPs native to the victim’s home country, and leveraging compromised security tokens for lateral movement. Further analysis indicates that the threat actor used escalated Active Directory privileges to compromise the Security Assertion Markup Language (SAML) signing certificate and create valid tokens that could be used to access environment resources for data exfiltration.
According to a new alert from the Cybersecurity and Infrastructure Security Agency (CISA), it appears that the threat actor used multiple initial access vectors in addition to the SolarWinds Orion platform. Volexity reported having evidence connecting the TTPs from this campaign to multiple incidents from late 2019 and early 2020 targeting a US-based think tank. Volexity designated the actor responsible for these attacks Dark Halo.5 In one of these incidents, Volexity observed the APT using a stolen secret key, known as an akey, to generate a cookie that bypassed the Duo multi-factor authentication (MFA) service and gave access to a user’s email via the Outlook Web App (OWA). While we are still investigating our non-Orion products, to date we have not seen evidence that they are impacted by SUNBURST.
Our previous report included information from FireEye stating the APT deployed other variants of malware as additional payloads, including TEARDROP, SUPERNOVA, and COSMICGALE. Since then, ZDNet has corroborated that the threat actor downloaded TEARDROP, a memory-only dropper, but also reported that further analysis by security researchers and Microsoft indicates SUPERNOVA and COSMICGALE were not part of this campaign’s attack chain and should be considered a separate attack targeting CVE-2019-8917.6
2.2. Decoding the DGA Algorithm
Several teams have published findings pertaining to decoding the elements of the FQDNs created by the threat actor’s DGA. The RedDrip Team from QiAnXin Technology published a decoder and reported that the subdomains are composed of three parts: a globally unique identifier (GUID) value computed from a hash of the hostname and the MAC address of the first (or default) active, non-loopback interface; a single byte indicating whether it is the first, second or third part of the payload (the infected system’s domain name); and finally, a custom base32-encoded hostname that identifies the victim. Longer domains are split across multiple queries and assembled later by matching the GUID section after applying a byte-by-byte exclusive OR.7,8
- The decoded value for the single byte indicating which part of the payload the subdomain includes ranges from 0 to 35. The first part of the payload will have a byte value of 0 if the domain is long enough to require multiple requests. Infected systems with short domain names will have only one request with a byte value of 35.
Subsequently, the NETRESEC team created a tool to further decode the SUNBURST subdomains in an effort to help identify SUNBURST victims. Since 18 December, they have released several versions of the decoder.9
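The fragment-and-reassemble scheme described above, as an added worked example written for this advisory; it is not the RedDrip or NETRESEC decoder. The 32-character alphabet and the least-significant-bit-first 5-bit packing are those documented in public SUNBURST analyses; everything else is a simplified model of the three-part layout the text describes: a header of (random key byte, GUID XOR key, fragment index XOR key), followed by the base32-encoded hostname fragment, with index 0, 1, … for split hostnames and 35 for hostnames that fit in one request. The GUID derivation, the 25-character chunk size and the sample victims are assumptions constructed for the example, so the decoder is validated against the block’s own encoder rather than against live victim data.

```python
import hashlib

# 32-character alphabet and least-significant-bit-first 5-bit packing used by
# SUNBURST's custom base32, as documented in public analyses (RedDrip, NETRESEC).
ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
GUID_LEN = 8          # bytes of victim identifier
HEADER_CHARS = 16     # 10 header bytes (key + GUID + index) -> 80 bits -> 16 symbols
CHUNK = 25            # hostname characters per fragment (assumption; keeps label <= 63)
SINGLE = 35           # index value the advisory reports for one-request hostnames


def b32_encode(data: bytes) -> str:
    """Pack bytes into 5-bit symbols, least-significant bits first."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            nbits -= 5
    if nbits:                     # leftover bits become a final partial symbol
        out.append(ALPHABET[acc & 31])
    return "".join(out)


def b32_decode(text: str) -> bytes:
    """Inverse of b32_encode; raises ValueError on symbols outside the alphabet."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc |= ALPHABET.index(ch) << nbits
        nbits += 5
        if nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)


def make_guid(hostname: str, mac: str) -> bytes:
    """Stand-in for the victim GUID. The advisory says it is a hash of hostname
    and MAC address; the hash function and folding used here are an assumption."""
    return hashlib.sha256(f"{hostname}{mac}".encode()).digest()[:GUID_LEN]


def encode_hostname(guid: bytes, hostname: str, key: int) -> list:
    """Produce the DGA labels a victim would send (constructed for this example).
    Each label = base32(key, GUID^key, index^key) + base32(hostname fragment)."""
    chunks = [hostname[i:i + CHUNK] for i in range(0, len(hostname), CHUNK)]
    indices = [SINGLE] if len(chunks) == 1 else range(len(chunks))
    labels = []
    for idx, chunk in zip(indices, chunks):
        masked = bytes(b ^ key for b in guid + bytes([idx]))
        labels.append(b32_encode(bytes([key]) + masked) + b32_encode(chunk.encode("ascii")))
    return labels


def decode_fragment(label: str):
    """Return (guid, index, hostname fragment) for one DGA label."""
    header = b32_decode(label[:HEADER_CHARS])
    key = header[0]
    plain = bytes(b ^ key for b in header[1:GUID_LEN + 2])   # undo the key-byte XOR
    fragment = b32_decode(label[HEADER_CHARS:]).decode("ascii")
    return plain[:GUID_LEN], plain[GUID_LEN], fragment


def reassemble(fqdns) -> dict:
    """Group fragments by GUID and join them in index order; malformed labels are skipped.
    Returns {guid_hex: {"hostname": str, "fragments": int}}."""
    groups = {}
    for fqdn in fqdns:
        label = fqdn.split(".")[0]
        try:
            guid, idx, fragment = decode_fragment(label)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue
        groups.setdefault(guid.hex(), {})[idx] = fragment
    result = {}
    for guid_hex, parts in groups.items():
        if SINGLE in parts:
            hostname = parts[SINGLE]
        else:
            hostname = "".join(parts[i] for i in sorted(parts))
        result[guid_hex] = {"hostname": hostname, "fragments": len(parts)}
    return result


# Constructed sample traffic: two victims, one long hostname split over two queries.
VICTIM_A = make_guid("SRV-MON01", "00:11:22:33:44:55")
VICTIM_B = make_guid("WS-ANALYST07", "66:77:88:99:aa:bb")
SAMPLE_QUERIES = [
    f"{label}.avsvmcloud.com"
    for label in encode_hostname(VICTIM_A, "research.division.contoso-example.internal", 0x5A)
    + encode_hostname(VICTIM_B, "corp.example.com", 0x11)
]

if __name__ == "__main__":
    for guid_hex, info in reassemble(SAMPLE_QUERIES).items():
        print(guid_hex, info)
```

In this model the index alone does not say how many fragments a split hostname has, which is why `reassemble` reports the fragment count alongside the joined string: a hostname seen with only index 0 should be treated as incomplete until its later fragments appear in the DNS logs.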
2.3. DNS Activity
From a DNS perspective, Infoblox has been able to verify that once a victim has been infected with SUNBURST, the malware beacons to avsvmcloud[.]com with a hostname generated by a DGA to exfiltrate data about the victim, as described above. The threat actor’s server returns one of several responses, each in the form of an IP address. We have not yet been able to determine, nor seen reporting in OSINT, which factor(s) trigger the different responses. From our analysis it appears that the number of entities that receive direction to move to the second-stage domains, passed via a CNAME resolution, is much smaller than the overall number that contact the initial server. It remains unclear how the actor chooses which victims to move into different stages of the attack.
Our analysis has also shown that if queries resolve to an IP that matches a pattern producing an address family of “NetBios,” certain follow-on activity appears to be triggered. IPs that match a pattern producing an address family of “Implink” or “Atm” serve as prompts for enumerating processes and services. IPs that resolve as “Ipx” appear to be requests for updates to local “Status” configurations. Infoblox has not observed data to confirm this. Other address families appear to include “InterNetwork,” “InterNetworkV6,” and “Error.”
3. Prevention and Mitigation
FireEye, in coordination with GoDaddy, recently transferred control of the command and control (C&C) domain (avsvmcloud[.]com) to Microsoft to disable the SUNBURST backdoor from further execution.10 GoDaddy created a wildcard DNS resolution ensuring any subdomain of the threat actor’s C&C resolving to an IP address will not prompt any follow-on actions.
While this new DNS resolution will disable SUNBURST backdoor deployments that connect to the C&C, FireEye has stated that the attackers may have deployed other backdoors, so victims may be unable to remove the threat actor completely from their networks.
CISA included in their alert detailed mitigations for organizations that use the specific products affected by this attack chain.3
FireEye recommends the following upgrades to its affected customers, if possible:
- Customers using Orion Platform v2020.2 with no hotfix or 2020.2.1 HF1 should upgrade to 2020.2.1 HF 2, or
- Customers using Orion Platform v2019.4 HF 5 should upgrade to 2019.4 HF 6.
If an organization is unable to upgrade to this version of Orion, FireEye recommends taking the following actions:
- Disconnect SolarWinds servers from the Internet and isolate them, or restrict access from SolarWinds servers if this is not possible.
- Rotate credentials to accounts that have access to SolarWinds servers and/or infrastructure.
- Review network configurations created by SolarWinds, looking for anomalies.
Microsoft’s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation state activity.11
It is important to block all communications to the threat actor’s C&C servers that are listed in the IOC table, as well as any further indicators released by security vendors confirmed to be part of this campaign.
4. Indicators of Compromise
Below is a supplementary list of IOCs related to this attack, according to OSINT. CISA published an extended list of IOCs in its 17 December report on the campaign.
As stated in our previous report, in some cases the actor behind SUNBURST specifically tailored their infrastructure to different victims. Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may continue to grow as organizations investigate their environments and share their findings.
4.1. Additional Indicators
Indicator | Description
--- | ---
e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d | SUNBURST DLL SHA256
a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2 | SUNBURST DLL SHA256
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | SUNBURST DLL SHA256
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | SUNBURST DLL SHA256
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed | SUNBURST DLL SHA256
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 | SUNBURST DLL SHA256
ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8 | SUNBURST DLL SHA256
b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666 | SUNBURST DLL SHA256
20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 | SUNBURST DLL SHA256
0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 | SUNBURST DLL SHA256
cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 | SUNBURST DLL SHA256
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c | SUNBURST DLL SHA256
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | SUNBURST DLL SHA256
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | SUNBURST DLL SHA256
2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d | SUNBURST DLL SHA256
92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690 | SUNBURST DLL SHA256
a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d | SUNBURST DLL SHA256
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | SUNBURST DLL SHA256
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af | SUNBURST DLL SHA256
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | SUNBURST DLL SHA256
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | SUNBURST DLL SHA256
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ | Additional IOCs from Volexity report
databasegalore[.]com | Additional SUNBURST domain
deftsecurity[.]com | Additional SUNBURST domain
digitalcollege[.]org | Additional SUNBURST domain
freescanonline[.]com | Additional SUNBURST domain
globalnetworkissues[.]com | Additional SUNBURST domain
highdatabase[.]com | Additional SUNBURST domain
incomeupdate[.]com | Additional SUNBURST domain
kubecloud[.]com | Additional SUNBURST domain
lcomputers[.]com | Additional SUNBURST domain
panhardware[.]com | Additional SUNBURST domain
seobundlekit[.]com | Additional SUNBURST domain
solartrackingsystem[.]net | Additional SUNBURST domain
thedoccloud[.]com | Additional SUNBURST domain
virtualwebdata[.]com | Additional SUNBURST domain
websitetheme[.]com | Additional SUNBURST domain
webcodez[.]com | Additional SUNBURST domain
zupertech[.]com | Additional SUNBURST domain
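A way to put the domain indicators above, together with the first-stage C&C from section 2.3, to work against resolver query logs, as an added example written for this advisory rather than tooling from Infoblox or any of the cited vendors. It refangs the indicators, matches query names on label boundaries (so a lookalike such as notdeftsecurity.com does not match deftsecurity.com, while any subdomain of avsvmcloud.com does), and parses the BIND 9 query-log layout; the log lines are constructed for the example and are not real telemetry.

```python
import re

# Defanged domains: the first-stage C&C named in section 2.3 plus the
# second-stage domains from the IOC table above.
SUNBURST_DOMAINS = """
avsvmcloud[.]com databasegalore[.]com deftsecurity[.]com digitalcollege[.]org
freescanonline[.]com globalnetworkissues[.]com highdatabase[.]com incomeupdate[.]com
kubecloud[.]com lcomputers[.]com panhardware[.]com seobundlekit[.]com
solartrackingsystem[.]net thedoccloud[.]com virtualwebdata[.]com websitetheme[.]com
webcodez[.]com zupertech[.]com
""".split()


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a comparable DNS name."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


IOC_SET = frozenset(refang(d) for d in SUNBURST_DOMAINS)

# BIND 9 query-log layout (the sample lines below are constructed in that shape).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matching_ioc(qname: str):
    """Return the IOC domain that qname equals or is a subdomain of, else None.
    Walks label boundaries, so 'notdeftsecurity.com' does not match 'deftsecurity.com'."""
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


def scan_lines(lines) -> list:
    """Parse query-log lines and return one hit record per IOC match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                         # not a query-log record; skip it
            continue
        ioc = matching_ioc(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"].rstrip(".").lower(), "ioc": ioc})
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "17-Dec-2020 09:41:07.101 client @0x7f3a1c005b60 10.20.30.40#49211 (j8d94qrvbmk0sal7h2eifo3n5utg1.avsvmcloud.com): query: j8d94qrvbmk0sal7h2eifo3n5utg1.avsvmcloud.com IN A + (10.0.0.53)",
    "17-Dec-2020 09:41:09.330 client @0x7f3a1c005b60 10.20.30.41#53002 (www.example.com): query: www.example.com IN AAAA + (10.0.0.53)",
    "17-Dec-2020 09:52:44.007 client @0x7f3a1c0071a0 10.20.30.40#49344 (deftsecurity.com): query: deftsecurity.com IN A + (10.0.0.53)",
    "17-Dec-2020 09:53:10.512 client @0x7f3a1c0071a0 10.20.30.42#60111 (notdeftsecurity.com): query: notdeftsecurity.com IN A + (10.0.0.53)",
    "17-Dec-2020 10:04:58.918 client @0x7f3a1c00a2c0 10.20.30.43#41777 (cdn.thedoccloud.com.): query: cdn.thedoccloud.com. IN A + (10.0.0.53)",
    "this line is not a query-log record and is skipped",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

A query to avsvmcloud[.]com remains worth a ticket even after the domain was transferred to Microsoft and sinkholed: the wildcard answer stops the follow-on actions, but the query itself still shows that a backdoored Orion build is installed and beaconing. Where the resolver also logs answers, the same `matching_ioc` check should be applied to CNAME targets, since that is how the second-stage domains are handed to selected victims.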
Endnotes
1. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-solarwinds-supply-chain-attack/
2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
3. https://us-cert.cisa.gov/ncas/alerts/aa20-352a
4. https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
5. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
6. https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/
7. https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
8. https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
9. https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
10. https://krebsonsecurity.com/2020/12/malicious-domain-in-solarwinds-hack-turned-into-killswitch/
11. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/