Threat Flash Alert: Sunburst SolarWinds Supply Chain Attack
UPDATED SOLARWINDS ALERT
According to the latest information available, the current hotfix for the Orion platform released by SolarWinds is functioning properly and can be applied. The current patch update is 2020.2.1 HF 2. If you were on a compromised version, we are also linking a password dumping tool to analyze the accounts that were stored on your Orion server, which will allow you to identify and change the relevant passwords. This tool can be found here.
SolarWinds asks customers with any of the known affected products for Orion Platform v2020.2 with no hotfix or with 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment. This version is currently available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2020.2.1 HF 2 Release notes here.
All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates.
If you are running a version prior to or equal to Orion Platform version 2019.4 HF 4, we do not believe that your system was compromised with this vulnerability and therefore do not recommend that any action is required to protect against it.
SOD is also tracking a secondary backdoor, currently titled Supernova, that affects the same Orion releases but appears to be unrelated to Sunburst and has been attributed to different threat actors. Apparently, these threat actors obtained access to various SolarWinds installations via exploitation of vulnerability CVE-2019-8917. Supplemental guidance for that backdoor is to check an additional .dll file hash to determine if you were compromised. IoCs for Supernova are available here.
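As an added illustration of the hash check described above (this is not SOD's, SolarWinds' or FireEye's tooling), the following Python script sweeps a directory tree for DLLs whose SHA-256 matches an IoC list. The IoC set below is a constructed placeholder derived from constructed bytes; replace it with the hashes from the published IoC list. The directory layout and file names are likewise constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for DLL contents. The real Supernova/Sunburst hashes are
# NOT reproduced here: take them from the vendor's published IoC list.
_CONSTRUCTED_BAD_BYTES = b"constructed stand-in for a malicious DLL body"
_CONSTRUCTED_GOOD_BYTES = b"constructed stand-in for a benign DLL body"

# PLACEHOLDER IoC set (lower-case hex SHA-256). Populate from the published IoCs.
IOC_SHA256 = {hashlib.sha256(_CONSTRUCTED_BAD_BYTES).hexdigest()}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large DLLs never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_for_iocs(root, ioc_hashes, suffixes=(".dll",)):
    """Walk `root`, hash every file with a listed suffix and report IoC matches.

    Returns a list of (path, sha256) tuples for files whose hash is in `ioc_hashes`.
    """
    wanted = tuple(s.lower() for s in suffixes)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(wanted):
                continue
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if digest in ioc_hashes:
                hits.append((full, digest))
    return hits


def build_constructed_tree():
    """Create a throwaway directory with one benign and one 'malicious' DLL for a dry run."""
    root = tempfile.mkdtemp(prefix="orion_sweep_")
    plugin_dir = Path(root) / "Orion" / "Plugins"  # constructed layout, not the real install path
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "Benign.dll").write_bytes(_CONSTRUCTED_GOOD_BYTES)
    (plugin_dir / "Suspect.dll").write_bytes(_CONSTRUCTED_BAD_BYTES)
    (plugin_dir / "notes.txt").write_bytes(_CONSTRUCTED_BAD_BYTES)  # same bytes, wrong suffix: ignored
    return root


def demo():
    """Run the sweep over the constructed tree and return the matching file names."""
    root = build_constructed_tree()
    return [os.path.basename(path) for path, _digest in sweep_for_iocs(root, IOC_SHA256)]


if __name__ == "__main__":
    print(demo())  # ['Suspect.dll']
```

Point the sweep at the Orion installation directory in practice; a match tells you which file to preserve for forensics before any remediation, and an empty result only clears the hashes you loaded.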
***End of Update***
SolarWinds Attack Event Summary
The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory over the weekend alerting to an ongoing exploitation of the SolarWinds Orion platform versions 2019.4 through 2020.2.1. This exploitation, discovered and initially reported by FireEye, has allegedly been ongoing for months and is “widespread” with many “public and private organizations around the world” having already been exploited. If your organization is currently using a vulnerable platform it is recommended that you update to Orion platform version 2020.2.1 HF 2 as soon as possible. It is also important that you investigate your SolarWinds platform for signs of compromise. If compromise is discovered, we recommend launching incident response according to your internal procedures.
FireEye reports that a library in the Orion software called “SolarWinds.Orion.Core.BusinessLayer.dll” contains a backdoor that communicates out to command and control servers for a malicious third party; some reports suggest that third party is the Russian government. This is a legitimate library in SolarWinds and is digitally signed. Apparently, somewhere within the supply chain this library was altered and a backdoor coded in, and it therefore exists in all SolarWinds Orion software versions listed in the Event Summary above.
The “trojanized” version of this library lies dormant for up to two weeks. Once it is activated it executes commands to conduct malicious activities on the system such as file transfer, disabling system services, or executing files. Additionally, the malware identifies anti-virus and endpoint protection tools and attempts to bypass or disable them. On the network the malware attempts to blend in and look like legitimate and normal traffic by masquerading as the Orion Improvement Program protocol. It then stores data ready for exfiltration within a legitimate Orion plugin.
We recommend that all organizations using a compromised version upgrade to version 2020.2.1 HF 1 immediately and then to 2020.2.1 HF 2 on Tuesday the 15th or when it is ultimately released.
Additionally, FireEye provided YARA rules for detecting a dropper malware called TEARDROP that can be applied to your IDS/IPS or other security systems. Those YARA rules are available on the FireEye GitHub.
We also recommend that you investigate your environment for indications of a data breach. FireEye provided detection recommendations, reproduced for you below:
Detection Opportunity: The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders — querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP Scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.
IP Addresses located in Victim’s Country
The attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.
Detection Opportunity: This also presents some detection opportunities, as geolocating IP addresses used for remote access may show an impossible rate of travel if a compromised account is being used by the legitimate user and the attacker from disparate IP addresses. The attacker used multiple IP addresses per VPS provider, so once a malicious login from an unusual ASN is identified, looking at all logins from that ASN can help detect additional malicious activity. This can be done alongside baselining and normalization of ASNs used for legitimate remote access to help identify suspicious activity.
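The two remote-access checks above (cross-referencing scan-data IPs against remote access logs and counting accounts per IP, then impossible-travel and ASN pivoting) can be worked through with the following added Python example. It is not FireEye's or SOD's code. The log format, the suspect IP list, the geolocation/ASN table (documentation-range IPs, private-use ASNs) and the 900 km/h travel threshold are all constructed assumptions; a real VPN or RDP gateway log needs its own parser and a real enrichment source.

```python
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# --- Constructed inputs (not real data) ------------------------------------
# Remote-access log lines in a simplified "key=value" format.
CONSTRUCTED_LOG = """\
2020-12-10T08:00:00Z user=alice src=192.0.2.5 result=success
2020-12-10T08:30:00Z user=alice src=203.0.113.10 result=success
2020-12-10T09:00:00Z user=bob src=192.0.2.6 result=success
2020-12-10T10:00:00Z user=carol src=192.0.2.7 result=success
2020-12-10T12:00:00Z user=bob src=198.51.100.7 result=success
"""

# IPs that internet-wide scan data showed presenting *our* hostname in an RDP
# certificate (constructed; in practice the output of your scan-data query).
SUSPECT_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed enrichment table: ip -> (latitude, longitude, asn).
# ASN 64496 stands in for the office ISP, 64500 for a VPS provider.
GEO = {
    "192.0.2.5": (40.7128, -74.0060, 64496),      # New York, office
    "192.0.2.6": (40.7128, -74.0060, 64496),
    "192.0.2.7": (40.7128, -74.0060, 64496),
    "203.0.113.10": (34.0522, -118.2437, 64500),  # Los Angeles, VPS
    "198.51.100.7": (41.8781, -87.6298, 64500),   # Chicago, VPS
}


def parse_log(text):
    """Parse the constructed log format into dicts carrying a UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def cross_reference(events, suspect_ips):
    """Map each suspect IP seen in the logs to the set of accounts that used it."""
    hits = defaultdict(set)
    for ev in events:
        if ev["src"] in suspect_ips:
            hits[ev["src"]].add(ev["user"])
    return dict(hits)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, geo, max_kmh=900.0):
    """Flag consecutive successful logins by one account whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("result") == "success" and ev["src"] in geo:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["src"] == cur["src"]:
                continue
            km = haversine_km(geo[prev["src"]][:2], geo[cur["src"]][:2])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev["src"], cur["src"], round(speed)))
    return alerts


def asn_pivot(events, geo, asn):
    """After one login from an unusual ASN is confirmed malicious, list every login from that ASN."""
    return sorted(
        (ev["user"], ev["src"], ev["ts"].isoformat())
        for ev in events
        if ev["src"] in geo and geo[ev["src"]][2] == asn
    )


if __name__ == "__main__":
    evs = parse_log(CONSTRUCTED_LOG)
    print(cross_reference(evs, SUSPECT_IPS))   # suspect IP -> accounts (one account per IP here)
    print(impossible_travel(evs, GEO))         # alice: New York to Los Angeles in 30 minutes
    print(asn_pivot(evs, GEO, 64500))          # every login from the VPS ASN, bob included
```

Note how the ASN pivot catches bob's VPS login even though his New York to Chicago gap of three hours is slow enough to pass the travel check; the two checks are meant to be run together.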
Lateral Movement Using Different Credentials
Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.
Detection Opportunity: Organizations can use FireEye HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. This will uncover any single system authenticating to multiple systems with multiple accounts, a relatively uncommon occurrence during normal business operations.
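For organizations without HX, the same one-to-many analysis can be approximated from Windows logon events, as in this added Python example (it is not FireEye's LogonTracker or any SOD tooling). The logon records, host names and account names are constructed stand-ins for Security 4624 network logons; the threshold of three distinct accounts and three distinct targets per source system is an assumption to tune against your own baseline.

```python
from collections import defaultdict

# Constructed logon records (stand-ins for Windows Security 4624 type-3 events):
# (timestamp, source_ip, target_host, account)
CONSTRUCTED_LOGONS = [
    ("2020-12-10T09:01:00Z", "192.0.2.10", "FILESRV01", "alice"),
    ("2020-12-10T09:05:00Z", "192.0.2.10", "FILESRV01", "alice"),
    ("2020-12-10T09:20:00Z", "192.0.2.11", "MAILSRV01", "bob"),
    ("2020-12-10T13:00:00Z", "192.0.2.55", "FILESRV01", "svc_backup"),
    ("2020-12-10T13:02:00Z", "192.0.2.55", "DC01", "helpdesk3"),
    ("2020-12-10T13:04:00Z", "192.0.2.55", "SQL01", "svc_sql"),
    ("2020-12-10T13:06:00Z", "192.0.2.55", "WEB02", "jdoe"),
]


def build_logon_graph(records):
    """Aggregate logons into per-source account sets, target sets and weighted edges."""
    accounts = defaultdict(set)
    targets = defaultdict(set)
    edges = defaultdict(int)
    for _ts, src, dst, acct in records:
        accounts[src].add(acct)
        targets[src].add(dst)
        edges[(src, dst, acct)] += 1
    return accounts, targets, edges


def one_to_many_sources(records, min_accounts=3, min_targets=3):
    """Return (source, distinct_accounts, distinct_targets) for sources that fan out
    to many accounts AND many targets, the pattern described for lateral movement."""
    accounts, targets, _edges = build_logon_graph(records)
    return sorted(
        (src, len(accounts[src]), len(targets[src]))
        for src in accounts
        if len(accounts[src]) >= min_accounts and len(targets[src]) >= min_targets
    )


def to_dot(records):
    """Render the logon graph as Graphviz DOT: source -> target, edge labelled with account and count."""
    _accounts, _targets, edges = build_logon_graph(records)
    lines = ["digraph logons {"]
    for (src, dst, acct), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{acct} x{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(one_to_many_sources(CONSTRUCTED_LOGONS))  # [('192.0.2.55', 4, 4)]
    print(to_dot(CONSTRUCTED_LOGONS))               # paste into `dot -Tsvg` to view the graph
```

A workstation with one user hitting one file server (192.0.2.10 above) never trips the rule; the single source using four different accounts against four different hosts in six minutes does.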
Temporary File Replacement and Temporary Task Modification
The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved.
Detection Opportunity: Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time. Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.
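An added Python example (not FireEye's or SOD's code) that applies the checks above to constructed audit events: the delete-create-execute-delete-create sequence per file path within a time window, scheduled tasks whose command is changed and then restored within a short window, per-day modification counts for frequency analysis, and task commands outside a known baseline. The event formats, paths, task names, allow-list and window sizes are constructed assumptions; map your own file-share audit and task-scheduler logs onto the same tuples.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed file-audit events: (timestamp, host, path, action).
UTIL = r"C:\Program Files\ExampleApp\util.exe"  # constructed 'legitimate utility' path
CONSTRUCTED_FILE_EVENTS = [
    ("2020-12-10T14:00:05Z", "FILESRV01", UTIL, "delete"),
    ("2020-12-10T14:00:06Z", "FILESRV01", UTIL, "create"),   # attacker's copy written
    ("2020-12-10T14:00:09Z", "FILESRV01", UTIL, "execute"),
    ("2020-12-10T14:00:40Z", "FILESRV01", UTIL, "delete"),
    ("2020-12-10T14:00:41Z", "FILESRV01", UTIL, "create"),   # original restored
    ("2020-12-10T15:10:00Z", "FILESRV01", r"C:\Temp\report.docx", "create"),
    ("2020-12-10T15:12:00Z", "FILESRV01", r"C:\Temp\report.docx", "delete"),
]
PATTERN = ("delete", "create", "execute", "delete", "create")


def find_temp_replacements(events, window=timedelta(minutes=10), pattern=PATTERN):
    """Return (host, path, start, end) wherever a path's actions contain `pattern`
    as an in-order subsequence that completes within `window` of its first action."""
    by_key = defaultdict(list)
    for ts, host, path, action in events:
        by_key[(host, path)].append((_t(ts), action))
    hits = []
    for (host, path), evs in by_key.items():
        evs.sort()
        for i, (start, action) in enumerate(evs):
            if action != pattern[0]:
                continue
            idx, end = 1, start
            for ts, act in evs[i + 1:]:
                if ts - start > window:
                    break
                if act == pattern[idx]:
                    idx, end = idx + 1, ts
                    if idx == len(pattern):
                        hits.append((host, path, start.isoformat(), end.isoformat()))
                        break
    return hits


# Constructed scheduled-task change events: (timestamp, task, action_command).
CLEANUP = r"C:\Program Files\ExampleApp\cleanup.exe"
CONSTRUCTED_TASK_EVENTS = [
    ("2020-12-01T02:00:00Z", r"\Maintenance\Cleanup", CLEANUP),                  # baseline
    ("2020-12-10T14:05:00Z", r"\Maintenance\Cleanup", r"C:\Windows\Temp\x.exe"),  # swapped in
    ("2020-12-10T14:11:00Z", r"\Maintenance\Cleanup", CLEANUP),                  # restored
    ("2020-12-10T14:15:00Z", r"\Maintenance\Cleanup", r"C:\Windows\Temp\y.exe"),
    ("2020-12-10T14:20:00Z", r"\Maintenance\Cleanup", CLEANUP),
    ("2020-12-09T03:00:00Z", r"\Backup\Nightly", r"C:\Program Files\ExampleApp\backup.exe"),
]
KNOWN_TASK_BINARIES = {CLEANUP, r"C:\Program Files\ExampleApp\backup.exe"}  # constructed baseline


def find_temporary_task_changes(events, window=timedelta(minutes=30)):
    """Flag (task, interim_command, changed_at, restored_at) when a task's command is
    changed and then set back to its previous value within `window`."""
    by_task = defaultdict(list)
    for ts, task, cmd in events:
        by_task[task].append((_t(ts), cmd))
    hits = []
    for task, evs in by_task.items():
        evs.sort()
        for (_t0, c0), (t1, c1), (t2, c2) in zip(evs, evs[1:], evs[2:]):
            if c0 != c1 and c2 == c0 and t2 - t1 <= window:
                hits.append((task, c1, t1.isoformat(), t2.isoformat()))
    return hits


def modification_frequency(events):
    """Count task modifications per (task, UTC day); a day far above a task's norm stands out."""
    counts = defaultdict(int)
    for ts, task, _cmd in events:
        counts[(task, _t(ts).date().isoformat())] += 1
    return dict(counts)


def unknown_task_binaries(events, allowlist):
    """Commands that a legitimate task was pointed at which are not in the known baseline."""
    return sorted({cmd for _ts, _task, cmd in events if cmd not in allowlist})


if __name__ == "__main__":
    print(find_temp_replacements(CONSTRUCTED_FILE_EVENTS))
    print(find_temporary_task_changes(CONSTRUCTED_TASK_EVENTS))
    print(modification_frequency(CONSTRUCTED_TASK_EVENTS))
    print(unknown_task_binaries(CONSTRUCTED_TASK_EVENTS, KNOWN_TASK_BINARIES))
```

The task check measures the window from the change to the restore rather than from the earlier baseline event, so a task that sat untouched for weeks and was then swapped and restored within minutes is still caught; the frequency count shows the same task modified four times in one day against one change in the prior nine.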
This campaign’s post-compromise activity was conducted with a high regard for operational security, in many cases leveraging dedicated infrastructure per intrusion. This is some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust. However, it can be detected through persistent defense.
The Security On-Demand Security Operations Center is actively monitoring for indications of this activity. We have begun searching across our customer base for the indicators provided by FireEye as well as applying the detection recommendations listed above. If we detect any indication of compromise, we will follow our critical event procedures to inform you. To aid in our detection, if you discover you are using an affected version of SolarWinds Orion, please contact the Security Operations Center at 888-722-6364 or contact your Client Service Manager.