SUNBURST: The SolarWinds Orion Vulnerability
Mike Smith authored this report. Terrance Schaefer contributed.
December 15, 2020 7:20 am ET
SolarWinds recently reported that several of their products were the target of a sophisticated cyberattack. This report was created to update you on this vulnerability and help you understand exactly what we are doing to monitor and protect you from it. If you are a SolarWinds customer or otherwise employ any of their devices, there is a chance that your network has been compromised. At Braintrace, we have a fully staffed team of security engineers who are working around the clock, searching for any indication that this attack has compromised you or your organization’s defenses.
A recent update released by SolarWinds for their Orion IT monitoring and management software contains malware that opens a backdoor for the attackers to enter their target’s network. Using this method, they have already gained access to several private and public organizations, beginning as early as Spring of 2020, and the campaign is still running rampant on a global scale. The attack’s resulting damage includes potential data theft, escalation of privileges, and lateral movement inside an otherwise secure internal network. While the group behind this campaign has yet to be identified, it has been established that they are highly skilled and actively striving to cause major compromises to their victims’ operational security.
The malware, now dubbed SUNBURST, is difficult to detect but not altogether impossible. Several Indicators of Compromise (IOCs) have already been established that will help us know whether this attack has taken place on your network.
SolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor communicating via HTTP to third-party servers.
The attack’s execution is simple: an update package provided by SolarWinds’ legitimate website for their SolarWinds Orion devices contains a trojan that opens a backdoor for attackers once the update is installed.
A worrying trend we witnessed this year was the increasing use of “double attacks” involving ransomware. While the name can be seen as something of a misnomer, the actual issue comes with groups such as those classified as Advanced Persistent Threats (APTs) increasing the capabilities of their ransomware to allow for the exfiltration of data in addition to encrypting it. Usually, the parties in question will then threaten to keep the data encrypted and release that data via multiple avenues unless the ransom in question is paid. It is understandable that this can be seen as a double whammy for organizations who need to keep their data secure.
As stated previously, there are several IoCs that we can employ in our threat hunting to establish whether this attack has been perpetrated on your network. A handful of hashes and URLs associated with the trojan have been compiled that we can look for in our log activity history, along with the typical network behavior once the backdoor has been put into place, such as using the HTTP protocol to connect out to the internet and the regular 60-second interval at which we see the host communicating back to the Command and Control (C2) server.
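The periodic call-home described above is something a hunt can look for directly. The following is an added example written for this report, not Braintrace or FireEye tooling: it groups outbound HTTP connections from a constructed proxy log by source and destination and flags pairs whose inter-connection gaps cluster around the expected 60-second interval. The log format, hosts and the destination name are all placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log: timestamp, internal source host, destination, HTTP method.
# The destination name and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2020-12-14T10:00:00Z 10.0.0.5 c2-placeholder.example.net GET
2020-12-14T10:00:03Z 10.0.0.7 updates.example.com GET
2020-12-14T10:01:00Z 10.0.0.5 c2-placeholder.example.net GET
2020-12-14T10:01:41Z 10.0.0.7 updates.example.com GET
2020-12-14T10:02:01Z 10.0.0.5 c2-placeholder.example.net GET
2020-12-14T10:02:59Z 10.0.0.5 c2-placeholder.example.net GET
2020-12-14T10:04:00Z 10.0.0.5 c2-placeholder.example.net GET
2020-12-14T10:09:12Z 10.0.0.7 updates.example.com POST
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def find_beacons(text, interval=60.0, tolerance=5.0, min_connections=4):
    """Return {(src, dst): (count, median_gap, stdev_gap)} for pairs whose
    gaps between consecutive connections sit near `interval` seconds
    (within `tolerance`) with little jitter, i.e. a regular beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med, spread = median(gaps), pstdev(gaps)
        if abs(med - interval) <= tolerance and spread <= tolerance:
            flagged[pair] = (len(stamps), med, spread)
    return flagged


if __name__ == "__main__":
    for (src, dst), (n, med, spread) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connections, median gap {med:.1f}s, jitter {spread:.2f}s")
```

Thresholds are deliberately parameters; a real hunt would tune `tolerance` and `min_connections` against the proxy volume of the environment.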
There are still more indicators of compromise we plan to persistently investigate over the coming days to see whether the network/SolarWinds devices have been compromised. Here are several that FireEye has specifically suggested that we will be using to look for any sign of this attack on your network:
- Tracking login activity for a single system authenticating to several other systems, which is not normal behavior from a legitimate user.
- If an attacker has gained access to the network with compromised credentials, they typically try to move laterally using multiple different credentials to access even more systems.
- The credentials used for lateral movement are different from those used for remote access. Such different credentials from the same external/suspicious IP address
- Another strategy employed by the attacker is to replace legitimate files, tools, and utilities with their own once they have gained access to their target’s environment. Looking through logs of previous SMB sessions is a good idea to see if any deletion of valid files or new, malicious files has taken place.
- Querying internet-wide scan data sources for an organization’s hostnames will help us uncover IP addresses that may be masquerading as the actual organization.
- The attacker’s choice of IP addresses is also optimized to avoid detection. The attacker primarily uses only IP addresses originating from the same country as the victim, taking advantage of Virtual Private Servers, so domestic IP addresses must also be treated as potential sources of malicious behavior.
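The first three indicators above reduce to two counts over authentication events: how many distinct systems one source reaches, and how many distinct credentials one source presents. The following is an added example for this report (not FireEye or Braintrace code) that runs both checks over a constructed set of events; the IPs, accounts and hostnames are placeholders, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict

# Constructed authentication events: (source IP, account, destination host).
# All addresses, account names and hostnames are placeholders.
SAMPLE_EVENTS = [
    ("10.0.0.9", "jdoe", "FS01"),
    ("10.0.0.9", "jdoe", "FS01"),
    ("10.0.0.9", "jdoe", "MAIL01"),
    ("10.0.0.23", "svc_backup", "DB01"),
    ("10.0.0.23", "svc_backup", "DB02"),
    ("10.0.0.23", "svc_backup", "FS01"),
    ("10.0.0.23", "svc_backup", "WEB01"),
    ("10.0.0.23", "svc_backup", "DC01"),
    ("203.0.113.44", "jdoe", "VPN01"),
    ("203.0.113.44", "tsmith", "VPN01"),
    ("203.0.113.44", "svc_backup", "VPN01"),
]


def fan_out_by_source(events, max_hosts=3):
    """Sources authenticating to more than `max_hosts` distinct systems:
    one system reaching many others is the first indicator in the list."""
    hosts = defaultdict(set)
    for src, _acct, dst in events:
        hosts[src].add(dst)
    return {src: sorted(h) for src, h in hosts.items() if len(h) > max_hosts}


def multi_credential_sources(events, max_accounts=1):
    """Sources presenting more than `max_accounts` distinct credentials:
    several different accounts from one (especially external) address."""
    accts = defaultdict(set)
    for src, acct, _dst in events:
        accts[src].add(acct)
    return {src: sorted(a) for src, a in accts.items() if len(a) > max_accounts}


if __name__ == "__main__":
    for src, hosts in fan_out_by_source(SAMPLE_EVENTS).items():
        print(f"fan-out: {src} authenticated to {len(hosts)} systems: {hosts}")
    for src, accounts in multi_credential_sources(SAMPLE_EVENTS).items():
        print(f"multiple credentials: {src} used accounts {accounts}")
```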
We at Braintrace have our security engineers conducting regular threat hunts at all times of the day specifically tailored to find any indication that this attack has taken place in our customers’ networks. We have powerful network monitoring tools, including our proprietary Dragonfly software, at our disposal, all of which will be used expediently and to their fullest potential to search for any IoCs associated with the attack.
The indicators of compromise on this issue are still being fleshed out, and we will continue to monitor the situation as more becomes known and available. Here are some that we know to be effective and which we will use in our threat hunting efforts:
| SHA256 | File Version | Date First Seen |
| --- | --- | --- |
The following are a few reputable sources that will provide further information.
- FireEye – https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Active Counter Measures – https://www.activecountermeasures.com/detecting-sunburst-aka-the-solarwinds-compromise-with-rita-and-ai-hunter/
- Microsoft – https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/