Our DFIR team has been collecting data from the security community at large about the SolarWinds Orion and UNC2452 supply chain compromise, and we’re bringing it to you as a source of information and guidance. We at SBS CyberSecurity thank the cybersecurity community for uncovering the majority of the information in this threat advisory.
Note: SBS does not utilize any SolarWinds' products or services.
Who Can Be Affected?
Currently, any organization or persons deploying the SolarWinds Orion platform version 2019.4 HF 5 through 2020.2.1 released between March 2020 and June 2020 can be affected. SolarWinds Orion is an IT performance monitoring platform that manages and optimizes IT infrastructure, and Orion is one of SolarWinds' many product offerings. The malicious update was signed digitally by SolarWinds and has been publicly available since March 2020.
SolarWinds boasts 300,000 clients globally, including 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all US Military branches, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide. Fortunately, only about 18,000 of SolarWinds' clients have been identified as using the compromised versions of Orion.
This type of attack is considered a supply chain attack, meaning that a product from a trusted vendor has been compromised, making this type of attack extremely dangerous and difficult to identify.
How Does This Attack Work?
The threat actor, dubbed UNC2452 by FireEye, leveraged a supply chain compromise of SolarWinds Orion versions 2019.4 HF 5 through 2020.2.1. UNC2452 tampered with the digitally signed code of SolarWinds' Orion product and inserted their own malicious code. Affected SolarWinds Orion customers downloaded the code through the digitally signed update channel and installed it as part of the Orion product.
Once installed, the code provided backdoor entry to the threat actor UNC2452, who then blended their activity with legitimate SolarWinds Orion activity so that the malicious traffic closely resembled the normal behavior of the Orion software. This effort was made to evade detection.
Once UNC2452 was on the affected systems, they conducted various post-exploitation activities to develop long-term access.
These activities included, but were not limited to:
- Modifying and adding federation trusts in Azure AD to accept tokens signed with UNC2452-owned certificates
- Adding password credentials to OAuth Applications or Service Principals
- Reading mail content from Exchange Online services using those credentials
- Deploying memory-only droppers to load Cobalt Strike BEACON
- Potentially installing other backdoors
What Can You Do?
Luckily, SolarWinds has devised courses of action to assist with answering this question. They suggest upgrading to Orion Platform version 2020.2.1 HF 1 immediately. SolarWinds states that this latest version contains only their own code. Be sure to check with your executive team and review your vendor policies to determine whether your organization is still allowed to trust SolarWinds products.
Unfortunately, taking these steps does not mean the story ends here. Updating Orion or disconnecting the product doesn’t fix the fact that your organization might have been compromised. The security community at large is suggesting the following actions, which SBS CyberSecurity also recommends:
- Check the FireEye GitHub repository for the latest Indicators of Compromise (IoCs), which should be added to your detection software or SIEM. These IoCs are available in Snort, YARA, IOC, and ClamAV formats: https://github.com/fireeye/sunburst_countermeasures
- If you use an endpoint Host Intrusion Prevention Solution (HIPS), ensure that your provider can detect SUNBURST malware and scan all your cloud and local resources.
- Knowing your network and what your users are doing is extremely important. Check for account logins that are abnormal or impossible for your users. Abnormal activity can be easily identified per user by looking at the account login “from” IP address. If you have a lot of users, this will take a lot of time to perform manually without a tool using one of the rule sets listed above.
- According to FireEye, UNC2452 has been observed mimicking victim hostnames in their command-and-control infrastructure. Querying Internet scanning services such as Shodan for internal hostnames may reveal attacker infrastructure used against your organization.
- Another “knowing your network and users” option is checking for single systems connecting to multiple systems with multiple accounts. Logging into multiple systems and accounts simultaneously should never happen unless the single system performing these activities is an administrator and has a business reason to be logging into multiple systems with multiple accounts. If this scenario ever occurs in your environment, it should be very rare.
- Vendor management is a must. Check to see if your vendors are using SolarWinds Orion, and if so, what they have done to track the backdoor and discover a possible compromise.
- Microsoft has provided an article on hardening Active Directory against some of the behavior exhibited by this compromise. The article is here: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
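The two "knowing your network and users" checks above (logins from a source IP never seen for that account, and a single source host logging into several systems with several accounts) can be scripted over your authentication logs. The following is an added example written for this advisory, not a tool from SBS, FireEye, or SolarWinds; the log format, account names, hosts, and IP addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log: "timestamp user src_ip dest_host".
SAMPLE_LOG = """\
2020-12-14T08:01:00 alice 10.1.1.20 FILESRV01
2020-12-14T08:05:00 alice 10.1.1.20 MAILSRV01
2020-12-14T08:07:00 bob 10.1.1.31 FILESRV01
2020-12-14T09:10:00 alice 203.0.113.9 FILESRV01
2020-12-14T09:11:00 svc_backup 10.1.1.50 DC01
2020-12-14T09:12:00 helpdesk 10.1.1.50 FILESRV01
2020-12-14T09:13:00 admin 10.1.1.50 MAILSRV01
"""

def parse_log(text):
    """Parse the four-column log into (timestamp, user, src_ip, dest_host) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def build_baseline(records, cutoff):
    """Map each user to the source IPs seen for it before the cutoff timestamp."""
    baseline = defaultdict(set)
    for ts, user, src_ip, _ in records:
        if ts < cutoff:                      # ISO-8601 strings sort lexically
            baseline[user].add(src_ip)
    return baseline

def new_ip_logins(records, baseline, cutoff):
    """Logins at or after the cutoff whose 'from' IP was never seen for that user."""
    return [(ts, user, src_ip) for ts, user, src_ip, _ in records
            if ts >= cutoff and src_ip not in baseline.get(user, set())]

def fan_out_sources(records, min_users=2, min_hosts=2):
    """Source IPs that log into several systems using several distinct accounts."""
    users, hosts = defaultdict(set), defaultdict(set)
    for _, user, src_ip, dest in records:
        users[src_ip].add(user)
        hosts[src_ip].add(dest)
    return {ip: (sorted(users[ip]), sorted(hosts[ip])) for ip in users
            if len(users[ip]) >= min_users and len(hosts[ip]) >= min_hosts}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    cutoff = "2020-12-14T09:00:00"          # end of the known-good baseline window
    for hit in new_ip_logins(recs, build_baseline(recs, cutoff), cutoff):
        print("new source IP for account:", hit)
    for ip, (accts, systems) in fan_out_sources(recs).items():
        print(f"{ip} used {len(accts)} accounts against {len(systems)} systems:", accts, systems)
```

In a real environment, build the baseline from a period you are confident predates the malicious update, and expect administrator jump hosts to show up in the fan-out check; those are the business-justified exceptions the advisory mentions and should be documented rather than ignored.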
UPDATE: Brian Krebs reports that Microsoft, FireEye, and GoDaddy have identified a killswitch that would prevent SUNBURST from continuing to operate. According to Krebs, FireEye said hacked networks were seen communicating with a malicious domain name — avsvmcloud[.]com — one of several domains the attackers had set up to control affected systems.
Microsoft has seized control over this domain with the help of GoDaddy, the current domain name registrar for the malicious site.
You might remember a similar situation back in 2017, when a security researcher registered a domain used by WannaCry to propagate EternalBlue, effectively stopping the massive ransomware attack.
While this killswitch may effectively end or cripple SUNBURST, if an attacker is in your network and additional backdoors have been created, your network may still be compromised.
If your organization uses SolarWinds Orion, please make sure you're monitoring your network for Indicators of Compromise and hunting for potential threats.
Full story from Brian Krebs here: https://krebsonsecurity.com/2020/12/malicious-domain-in-solarwinds-hack-turned-into-killswitch/
Incident Response Assistance: If your organization needs immediate assistance with an active incident or security breach situation, call 605-923-8722 to speak to our Incident Response Team.
Buzz Hillestad, GCFE
SVP - Information Security Consultant - SBS CyberSecurity, LLC