Author: Shashank Jain
TLP: WHITE
1. Executive Summary
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds’ Orion IT monitoring and management software.1 This advisory detailed FireEye’s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor’s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.
On 15 April, the Biden administration released a statement2 formally attributing the SolarWinds supply chain compromise to Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and the Dukes). The statement reported that the compromise of the SolarWinds software supply chain gave threat actors the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide, including U.S. government agencies, business customers, consulting firms, and more.
Infoblox published several Cyber Threat Advisories3 about this campaign, as well as additional information about its wide-ranging effects after conducting several internal investigations. We also summarized some of the latest information from OSINT, conveyed what we were able to validate at the time, and provided additional IOCs.
In this update, we have included new information provided by the latest alert4 from the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD) Cyber National Mission Force (CNMF) on additional SolarWinds-related malware variants – referred to as SUNSHUTTLE and SOLARFLARE.
This update also extends to recent Russian SVR activities, including the compromise of SolarWinds Orion software updates,5 the targeting of COVID-19 research facilities by deploying WellMess malware, and the exploitation of a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.
2. Analysis
2.1. New SolarWinds-Related Malware Variants
CISA and the DoD have reported additional malware variants related to SolarWinds: SUNSHUTTLE and SOLARFLARE. The identified malicious samples and associated artifacts can be attributed to the Russian SVR based on the methods and patterns used throughout its operation.
The analysis covered a total of 18 files:
- Seven of them were identified as executables that, upon execution, attempt to connect to hard-coded command and control (C&C) servers over Hypertext Transfer Protocol Secure (HTTPS) on port 443 and await a response.
- One is a text file that appears to be a configuration file for a SUNSHUTTLE sample.
- Six of the files are Visual Basic Script (VBScript) files that add Windows registry keys to store and execute an obfuscated VBScript, which in turn downloads and executes a malicious payload from its C&C server. These VBScripts were identified as MISPRINT/SIBOT.
- One of the analyzed files was identified as a server-side China Chopper web shell component observed on a network with an active SUNSHUTTLE infection. The web shell can provide a threat actor with an alternative method of accessing a network, even after the SUNSHUTTLE infection has been remediated.
- Three executables identified by FireEye as SOLARFLARE malware are written in Golang (Go) and packed using the Ultimate Packer for Executables (UPX). One was unpacked and included in this report.
Relatedly, FireEye also identified four executables as SUNSHUTTLE,6 a second-stage backdoor written in Go that features some detection-evasion capabilities; two of these were unpacked and included in this report.
The use of the same language (i.e., Go) in all seven malicious binaries, together with similar packing techniques, indicates that the same threat actor created all of the reported binaries.
2.2. Russian SVR Targets U.S. and Allied Networks
The SVR has exploited – and continues to successfully exploit – the following software vulnerabilities to gain initial footholds in victim devices and networks. Exploiting these vulnerabilities allowed the threat actors to execute unauthorized code.
- CVE-2018-13379 Fortinet: A path traversal vulnerability that allows an authenticated attacker to download system files via specially crafted HTTP resource requests.
- CVE-2019-9670 Zimbra: An XML External Entity injection (XXE) vulnerability in the mailboxd component that allowed unauthenticated code execution.
- CVE-2019-11510 Pulse Secure: A critical arbitrary file disclosure vulnerability in Pulse Connect Secure that allowed an authenticated user to obtain usernames and plaintext passwords from vulnerable endpoints.
- CVE-2019-19781 Citrix: A critical directory traversal vulnerability in Citrix Application Delivery Controller that allowed an unauthenticated attacker to perform arbitrary code execution.
- CVE-2020-4006 VMware: A command injection vulnerability in VMware products that allowed unauthenticated code execution.
3. Prevention and Mitigation
The National Security Agency (NSA), CISA, and the Federal Bureau of Investigation (FBI) jointly issued a cybersecurity advisory, Russian SVR Targets U.S. and Allied Networks,7 that provides specific details on the software vulnerabilities the SVR uses to gain access to victim devices and networks, along with specific steps network defenders can take to identify and defend against the SVR’s malicious cyber activity. CISA has also published details of the new malicious binaries, including YARA rules for most of them, which defenders can use to detect those binaries.
3.1. Indicators of Compromise
Below is a supplementary list of IOCs related to this attack, according to OSINT. CISA published an extended list of IOCs in its 15 April report8 on the campaign; this table includes only the latter.
Indicators | Description
eyetechltd[.]com megatoolkit[.]com nikeoutletinc[.]org reyweb[.]com sense4baby[.]fr | Additional domains related to the SolarWinds attack
185[.]225[.]69[.]69 | Additional IPs related to the SolarWinds attack
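As an added example that is not part of the advisory, the following Python script refangs the defanged domain and IP indicators from the table above and checks them against DNS query log lines, matching subdomains of an indicator but not look-alike names that merely contain it. The log lines, their BIND-style format and the client addresses are constructed for the example.

```python
import ipaddress
import re

# Defanged indicators as printed in the advisory's IOC table.
DEFANGED_DOMAINS = ["eyetechltd[.]com", "megatoolkit[.]com", "nikeoutletinc[.]org",
                    "reyweb[.]com", "sense4baby[.]fr"]
DEFANGED_IPS = ["185[.]225[.]69[.]69"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True when qname equals the IOC domain or is a subdomain of it.
    A plain substring test would also flag 'notreyweb.com'; this does not."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)

# Constructed DNS query log lines (BIND-style format, made up for this example).
SAMPLE_DNS_LOG = """\
15-Apr-2021 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
15-Apr-2021 10:01:03.456 client 10.0.0.7#51235: query: cdn.reyweb.com IN A + (10.0.0.1)
15-Apr-2021 10:01:04.789 client 10.0.0.9#51236: query: notreyweb.com IN A + (10.0.0.1)
15-Apr-2021 10:01:05.000 client 10.0.0.9#51237: query: sense4baby.fr. IN AAAA + (10.0.0.1)
"""
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def scan_dns_log(log_text: str, defanged_domains=DEFANGED_DOMAINS):
    """Return (client, queried name, matched indicator) for every hit in the log."""
    iocs = [refang(d) for d in defanged_domains]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip silently
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append((m["src"], m["qname"].rstrip("."), ioc))
    return hits

def ip_hits(observed_ips, defanged_ips=DEFANGED_IPS):
    """Match observed peer addresses against the advisory's IP indicator."""
    iocs = {ipaddress.ip_address(refang(i)) for i in defanged_ips}
    return sorted(ip for ip in observed_ips if ipaddress.ip_address(ip) in iocs)

if __name__ == "__main__":
    for src, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: client {src} queried {qname} (indicator {ioc})")
    print("IP hits:", ip_hits(["185.225.69.69", "10.0.0.1"]))
```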
Endnotes
1. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-solarwinds-supply-chain-attack/
2. https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
3. https://blogs.infoblox.com/cyber-threat-intelligence/solarwinds-and-sunburst-update/
4. https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/cisa-and-cnmf-analysis-solarwinds-related-malware
5. https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied
6. https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
7. https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
8. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a