Threat Advisory: SolarWinds Supply Chain Compromise

This blog post will be updated as new information becomes available. Last updated 2021-01-12.

 

Background

On 2020-12-13, FireEye published an update about their recent Red Team tools compromise, linking the attack vector to a larger software supply chain compromise of the Orion network monitoring product from SolarWinds. The initial intrusion into SolarWinds is not described, but after the threat actor gained access to their production systems they successfully trojanised SolarWinds Orion’s software updates to distribute malware consisting of backdoor code embedded in a legitimate SolarWinds software library. FireEye has named this malware SUNBURST. Microsoft has named it Solorigate.

On 2021-01-11 SolarWinds released a statement where they describe new findings from their investigation, giving an updated overview of the timeline of the attack. Their forensics team has found evidence of the threat actor gaining access to their systems in September 2019. Threat actor code was injected in their Orion product software release in October 2019 for what appears to be testing purposes, followed by the malicious backdoor code injection now known as SUNBURST in the following releases starting 2020-02-20. The threat actor remained undetected, but seems to have stopped injecting the malicious code to SolarWinds Orion software updates in June 2020. SolarWinds did not detect the breach until they were notified on 2020-12-12. (Updated 2021-01-12)

Threat Intelligence Assessment

This is a global threat to all SolarWinds Orion platform customers, not only the media described intrusions at FireEye and several US government organisations. SolarWinds has confirmed that as many as 18.000 customers may have downloaded and installed the malicious software updates.

The US CISA issued an emergency directive on 2020-12-13 instructing all US government agencies to disconnect all affected SolarWinds Orion products from the network, citing that the active exploitation carries an unacceptable risk that requires emergency action. CISA has also reported that they have evidence of the threat actor using additional access vectors, other than the SolarWinds Orion platform. In an updated version of CISA's advisory they claims to have evidence that the actor are abusing SAML tokens in other incidents where SolarWinds was not the initial access vector. Microsoft has further described the anomalies they observed from an Identity perspective, which includes SAML- and API-observations and how the patterns can be detected.
(Updated 2020-12-23)

The threat actor operates with high operational security, obfuscating the command and control mechanisms and making use of anti-forensics techniques. Our assessment is that the stealthy and highly sophisticated nature of this breach suggests this is the work of a nation-state threat actor. This assessment is backed by available threat intelligence from our partners. FireEye did not attribute the threat actor, but described it as an unknown threat actor they track as UNC2452. Volexity tracks this threat actor under the name Dark Halo.

In a joint statement by US cyber security and intelligence agencies FBI, CISA, ODNI and NSA, the threat actor is attributed to be an advanced persistent threat actor of Russian origin, and the cyber intrusion campaign is assessed to be part of an ongoing intelligence gathering effort. (Updated 2021-01-06)

Kaspersky has published a report where they describe technical similarities between the SUNBURST malware and a previously identified .NET backdoor malware known as Kazuar. Kazuar was first reported by Palo Alto in 2017, where it was linked to the Turla threat actor group (also known as Uroburos and Snake). (Updated 2021-01-12)

SUPERNOVA

In addition to the SUNBURST malware, another malware is discovered in the SolarWinds platform known as SUPERNOVA. This malware seems to be related to another threat actor than UNC2452/Dark Halo according to Microsoft and FireEye.

This malware serves a webshell in the SolarWinds HTTP API which receives C# script from web request and compile and execute it on the fly. It is not digitally signed and is found in the dll named App_Web_logoimagehandler.ashx.b6031896.dll (md5: 56ceb6d0011d87b6e4d7023d7ef85676). Further technical details can be found here. (Updated 2020-12-23)

SUNSPOT

Crowdstrike has been assisting SolarWinds in their investigation, and has published an analysis of a malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion product. They have named this malware SUNSPOT. SUNSPOT monitors and hijacks processes involved in the compilation of code and replaces one of the source files with a malicious source file containing the SUNBURST backdoor. Several safeguards were added to ensure that software builds did not fail, making it less likely that SolarWinds developers detected the injected code in the software update packages. (Updated 2021-01-12)

Affected Systems

According to SolarWinds, the following products are affected:

Orion Platform Version Release Date Release Notes Known to be Affected?
Orion Platform 2020.2.1 HF 2 15 Dec 2020 Link NO
Orion Platform 2020.2.1 HF 1 29 Oct 2020 Link NO
Orion Platform 2020.2.1 25 Aug 2020 Link NO
Orion Platform 2020.2 HF 1 24 Jun 2020 Link YES
Orion Platform 2020.2 04 Jun 2020 Link YES
Orion Platform 2019.4 HF 6 14 Dec 2020 Link NO
Orion Platform 2019.4 HF 5 26 Mar 2020 Link YES
Orion Platform 2019.4 HF 4 05 Feb 2020 Link NO
Orion Platform 2019.4 HF 3 09 Jan 2020 Link NO
Orion Platform 2019.4 HF 2 18 Dec 2019 Link NO
Orion Platform 2019.4 HF 1 25 Nov 2019 Link NO
Orion Platform 2019.4 05 Nov 2019 Link NO
Orion Platform 2019.2 HF 3 23 Sep 2019 Link NO
Orion Platform 2019.2 HF 2 31 Jul 2019 Link NO
Orion Platform 2019.2 HF 1 26 Jun 2019 Link NO
Orion Platform 2019.2 06 Jun 2019 Link NO
Orion Platform 2018.4 04 Dec 2018 Link NO

 

The list of trojanised SolarWinds.Orion.Core.BusinessLayer.dll versions can be found here. The list is not exhaustive and may be further expanded as the investigation continues. (Updated 2020-12-23)

Recommendations

mnemonic recommends that you do the following:

  • Check if you are, or have been running any of the affected versions of SolarWinds Orion.
  • Review historic DNS queries going back to early spring 2020 to see if there have been DNS queries to hostnames on the domain avsvmcloud[.]com.
  • Check if you have installed the malicious DLL SolarWinds.Orion.Core.BusinessLayer.dll, this can be found by verifying the hash of the file or by running detection rules as described by FireEye.

If you are running the affected versions of SolarWinds, have installed the malicious update and see DNS queries to any sub-domain of avsvmcloud[.]com, you are running the trojanised software containing the backdoor. This does not however confirm that the threat actor has leveraged this backdoor for intrusion into your systems. In order to determine if your systems have been breached we recommend the following:

  • Investigate if any of the DNS queries to avcvmcloud[.]com returned a CNAME record.
  • Perform threat hunting activities in your network, look for signs of activity backwards in time linked to the available indicators of compromise (IOCs).
  • Investigate SAML-patterns as outlined by Microsoft to look for possible 2nd step activities.
  • Implement strong endpoint security and logging, and monitor the logs actively for the known IOCs and techniques.

If you find a CNAME record from avcvmcloud[.]com in your historic DNS queries, this is a strong indication that a second stage malware has been installed on your system, and you should consider your SolarWinds Orion server compromised and immediately start incident response activities.

It should be noted that the list of IOCs is not exhaustive. This means that even if you do not find concrete evidence of compromise you should not close down your threat hunting activities. We recommend that you take extra precautions according to your established procedures for handling a suspected server compromise, such as disconnecting the server, securing evidence and performing forensics investigations.

In your incident response activities and remediation plan you should assume that the threat actor has deployed further persistence mechanisms, such as adding credentials or spoofed authentication tokens for lateral movement and persistence. Additionally, you should treat all hosts monitored by the SolarWinds Orion monitoring software as possibly compromised.

Crowdstrike identified a related attempt of compromise through a reseller’s Microsoft Azure account, and has released a tool to detect and mitigate this threat. CISA has also released a free tool to detect possible compromised accounts in the Microsoft Azure environment. (Updated 2021-01-06)

CISA has published an alert describing how to detect post-compromise threat activity in Microsoft cloud environments. (Updated 2021-01-12)

Detection coverage for Argus customers

mnemonic is not running SolarWinds products in any of our customer products or internal systems.

mnemonic is carrying out threat hunting activities for our customers that may be running SolarWinds Orion, and we are alerting all customers where we find signs of activity related to SUNBURST IOCs. We are monitoring the situation and continuously reviewing and updating our detection mechanisms:

  • YARA-signatures have been added to our centralised automated malware analysis services.
  • We have deployed available NIDS signatures to our Argus Network Analysers.
  • Signatures for detecting SUNBURST URL patterns have been deployed to Argus Log Analysers.
  • Detection for indicators of SUNBURST have been deployed to the Argus Endpoint Responder service.
  • Signature for detecting unusual child processes of solarwinds.businesslayerhost.exe has been deployed.
  • Argus Continuous Vulnerability Monitoring (CVM) will detect SolarWinds Orion products, and has been able to alert our customers subscribing to this service about the vulnerability since 2020-12-14.
  • Threat hunting activities have been - and are - being performed as the investigation continues. This includes both hypothesis- and indicator-based hunting using historical data.

Additional References

 

Need to get in contact with mnemonic’s Incident Response Team? You can find our contact information here.

 

Do you want to be updated on mnemonic’s Threat Advisories? Sign up to our email list here.