This blog post will be updated as new information becomes available. Last updated 2021-01-29.
On 2020-12-13, FireEye published an update about their recent Red Team tools compromise, linking the attack vector to a larger software supply chain compromise of the Orion network monitoring product from SolarWinds. The initial intrusion into SolarWinds is not described, but after the threat actor gained access to their production systems they successfully trojanised SolarWinds Orion’s software updates to distribute malware consisting of backdoor code embedded in a legitimate SolarWinds software library. FireEye has named this malware SUNBURST. Microsoft has named it Solorigate.
On 2021-01-11 SolarWinds released a statement where they describe new findings from their investigation, giving an updated overview of the timeline of the attack. Their forensics team has found evidence of the threat actor gaining access to their systems in September 2019. Threat actor code was injected in their Orion product software release in October 2019 for what appears to be testing purposes, followed by the malicious backdoor code injection now known as SUNBURST in the following releases starting 2020-02-20. The threat actor remained undetected, but seems to have stopped injecting the malicious code to SolarWinds Orion software updates in June 2020. SolarWinds did not detect the breach until they were notified on 2020-12-12. (Updated 2021-01-12)
Threat Intelligence Assessment
This is a global threat to all SolarWinds Orion platform customers, not only the media described intrusions at FireEye and several US government organisations. SolarWinds has confirmed that as many as 18.000 customers may have downloaded and installed the malicious software updates.
The US CISA issued an emergency directive on 2020-12-13 instructing all US government agencies to disconnect all affected SolarWinds Orion products from the network, citing that the active exploitation carries an unacceptable risk that requires emergency action. CISA has also reported that they have evidence of the threat actor using additional access vectors, other than the SolarWinds Orion platform. In an updated version of CISA's advisory they claims to have evidence that the actor are abusing SAML tokens in other incidents where SolarWinds was not the initial access vector. Microsoft has further described the anomalies they observed from an Identity perspective, which includes SAML- and API-observations and how the patterns can be detected.
The threat actor operates with high operational security, obfuscating the command and control mechanisms and making use of anti-forensics techniques. Our assessment is that the stealthy and highly sophisticated nature of this breach suggests this is the work of a nation-state threat actor. This assessment is backed by available threat intelligence from our partners. FireEye did not attribute the threat actor, but described it as an unknown threat actor they track as UNC2452. Volexity tracks this threat actor under the name Dark Halo.
In a joint statement by US cyber security and intelligence agencies FBI, CISA, ODNI and NSA, the threat actor is attributed to be an advanced persistent threat actor of Russian origin, and the cyber intrusion campaign is assessed to be part of an ongoing intelligence gathering effort. (Updated 2021-01-06)
Kaspersky has published a report where they describe technical similarities between the SUNBURST malware and a previously identified .NET backdoor malware known as Kazuar. Kazuar was first reported by Palo Alto in 2017, where it was linked to the Turla threat actor group (also known as Uroburos and Snake). (Updated 2021-01-12)
FireEye has published a white paper where they describe how the threat actor has been using their initial access through SolarWinds (and other intrusion vectors such as password spraying) to move laterally from on-premise networks to gain unauthorised access to the victim's Microsoft 365 environment.
For lateral movement and persistence the following techniques have been described:
- "Golden SAML" attack where the threat actor gains access to an on-premise Active Directory Federation Services server, steals a token-signing certificate and uses this to forge tokens for arbitrary users. This will allow the threat actor to bypass normal authentication methods using passwords and multi-factor authentication.
- Modification or addition of "Trusted Domains" in Microsoft Azure Active Directory. This allows the threat actor to establish an Azure Active Directory backdoor.
- Compromise of user accounts with Azure Active Directory privileged roles by credential theft. This can be used as fallback access for persistence.
- Hijacking existing Azure Active Directory Applications by modifying or adding credentials via the browser or PowerShell. This access can be used to read emails, access user calendars, etc.
Additional information about the threat actor was discussed by FireEye in this webcast. The techniques described show that the threat actor is extremely stealthy. The threat actor has detailed knowledge about corporate systems and leverages their understanding of how SOC employees might detect and investigate malicious activity. The threat actor is using costly dedicated infrastructure and a large number of personnel, possibly spread over multiple teams in a long running campaign. The exfiltrated information is of interest to a state-sponsored threat actor, and has little monetary value (no financial data or PII data). No disruptive activity has been discovered. This points to a state-sponsored threat actor carrying out a very targeted campaign with espionage as their main motivation. (Updated 2021-01-29)
In addition to the SUNBURST malware, another malware is discovered in the SolarWinds platform known as SUPERNOVA. This malware seems to be related to another threat actor than UNC2452/Dark Halo according to Microsoft and FireEye.
This malware serves a webshell in the SolarWinds HTTP API which receives C# script from web request and compile and execute it on the fly. It is not digitally signed and is found in the dll named App_Web_logoimagehandler.ashx.b6031896.dll (md5: 56ceb6d0011d87b6e4d7023d7ef85676). Further technical details can be found here. (Updated 2020-12-23)
Crowdstrike has been assisting SolarWinds in their investigation, and has published an analysis of a malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion product. They have named this malware SUNSPOT. SUNSPOT monitors and hijacks processes involved in the compilation of code and replaces one of the source files with a malicious source file containing the SUNBURST backdoor. Several safeguards were added to ensure that software builds did not fail, making it less likely that SolarWinds developers detected the injected code in the software update packages. (Updated 2021-01-12)
TEARDROP and RAINDROP
The threat actor carried out a highly targeted campaign where only a select few of the victims, that installed the backdoor code via SolarWinds software, were further infected by a second stage malware in the form of Cobalt Strike implants. The second stage malware was installed via a loader, named TEARDROP by FireEye, and a variant named RAINDROP by Symantec. Microsoft gives a detailed description in this blog post of how the threat actor activated the SUNBURST backdoor for installing the second stage malware in a very stealthy operation using hands-on keyboard activity, scripts and malware loaders customised per victim. (Updated 2021-01-29)
According to SolarWinds, the following products are affected:
|Orion Platform Version||Release Date||Release Notes||Known to be Affected?|
|Orion Platform 2020.2.1 HF 2||15 Dec 2020||Link||NO|
|Orion Platform 2020.2.1 HF 1||29 Oct 2020||Link||NO|
|Orion Platform 2020.2.1||25 Aug 2020||Link||NO|
|Orion Platform 2020.2 HF 1||24 Jun 2020||Link||YES|
|Orion Platform 2020.2||04 Jun 2020||Link||YES|
|Orion Platform 2019.4 HF 6||14 Dec 2020||Link||NO|
|Orion Platform 2019.4 HF 5||26 Mar 2020||Link||YES|
|Orion Platform 2019.4 HF 4||05 Feb 2020||Link||NO|
|Orion Platform 2019.4 HF 3||09 Jan 2020||Link||NO|
|Orion Platform 2019.4 HF 2||18 Dec 2019||Link||NO|
|Orion Platform 2019.4 HF 1||25 Nov 2019||Link||NO|
|Orion Platform 2019.4||05 Nov 2019||Link||NO|
|Orion Platform 2019.2 HF 3||23 Sep 2019||Link||NO|
|Orion Platform 2019.2 HF 2||31 Jul 2019||Link||NO|
|Orion Platform 2019.2 HF 1||26 Jun 2019||Link||NO|
|Orion Platform 2019.2||06 Jun 2019||Link||NO|
|Orion Platform 2018.4||04 Dec 2018||Link||NO|
The list of trojanised SolarWinds.Orion.Core.BusinessLayer.dll versions can be found here. The list is not exhaustive and may be further expanded as the investigation continues. (Updated 2020-12-23)
As part of their incident response SolarWinds has decided to revoke the code-signing digital certificate that was affected by SUNBURST, effective from 2021-03-08. Re-installations of the updated versions of the SolarWinds Orion Platform will also install the new digital certificate. The revocation also affects other SolarWinds products, that were not affected by SUNBURST. The complete list of affected products and SolarWinds advisory on patching can be found here. (updated 2021-01-29)
mnemonic recommends that you do the following:
- Check if you are, or have been running any of the affected versions of SolarWinds Orion.
- Review historic DNS queries going back to early spring 2020 to see if there have been DNS queries to hostnames on the domain avsvmcloud[.]com.
- Check if you have installed the malicious DLL SolarWinds.Orion.Core.BusinessLayer.dll, this can be found by verifying the hash of the file or by running detection rules as described by FireEye.
If you are running the affected versions of SolarWinds, have installed the malicious update and see DNS queries to any sub-domain of avsvmcloud[.]com, you are running the trojanised software containing the backdoor. This does not however confirm that the threat actor has leveraged this backdoor for intrusion into your systems. In order to determine if your systems have been breached we recommend the following:
- Investigate if any of the DNS queries to avcvmcloud[.]com returned a CNAME record.
- Perform threat hunting activities in your network, look for signs of activity backwards in time linked to the available indicators of compromise (IOCs).
- Investigate SAML-patterns as outlined by Microsoft to look for possible 2nd step activities.
- Implement strong endpoint security and logging, and monitor the logs actively for the known IOCs and techniques.
If you find a CNAME record from avcvmcloud[.]com in your historic DNS queries, this is a strong indication that a second stage malware has been installed on your system, and you should consider your SolarWinds Orion server compromised and immediately start incident response activities.
It should be noted that the list of IOCs is not exhaustive. This means that even if you do not find concrete evidence of compromise you should not close down your threat hunting activities. We recommend that you take extra precautions according to your established procedures for handling a suspected server compromise, such as disconnecting the server, securing evidence and performing forensics investigations.
In your incident response activities and remediation plan you should assume that the threat actor has deployed further persistence mechanisms, such as adding credentials or spoofed authentication tokens for lateral movement and persistence. Additionally, you should treat all hosts monitored by the SolarWinds Orion monitoring software as possibly compromised.
Crowdstrike identified a related attempt of compromise through a reseller’s Microsoft Azure account, and has released a tool to detect and mitigate this threat. CISA has also released a free tool to detect possible compromised accounts in the Microsoft Azure environment. (Updated 2021-01-06)
CISA has published an alert describing how to detect post-compromise threat activity in Microsoft cloud environments. (Updated 2021-01-12)
FireEye has published a free tool called Mandiant Azure AD Investigator that can be used to detect threat actor activity. (Updated 2021-01-29)
Detection coverage for Argus customers
mnemonic is not running SolarWinds products in any of our customer products or internal systems.
mnemonic is carrying out threat hunting activities for our customers that may be running SolarWinds Orion, and we are alerting all customers where we find signs of activity related to SUNBURST IOCs. We are monitoring the situation and continuously reviewing and updating our detection mechanisms:
- YARA-signatures have been added to our centralised automated malware analysis services.
- We have deployed available NIDS signatures to our Argus Network Analysers.
- Signatures for detecting SUNBURST URL patterns have been deployed to Argus Log Analysers.
- Detection for indicators of SUNBURST have been deployed to the Argus Endpoint Responder service.
- Signature for detecting unusual child processes of solarwinds.businesslayerhost.exe has been deployed.
- Argus Continuous Vulnerability Monitoring (CVM) will detect SolarWinds Orion products, and has been able to alert our customers subscribing to this service about the vulnerability since 2020-12-14.
- Threat hunting activities have been - and are - being performed as the investigation continues. This includes both hypothesis- and indicator-based hunting using historical data.
Need to get in contact with mnemonic’s Incident Response Team? You can find our contact information here.
Do you want to be updated on mnemonic’s Threat Advisories? Sign up to our email list here.