Many IT practitioners find themselves in crisis response mode today because of a significant cyberattack and data exfiltration incident associated with the SolarWinds Orion platform. Orion is a monitoring platform used for network, application, and server performance management in all sorts of IT environments. SolarWinds products are used by more than 300,000 customers around the world, including 425 of the Fortune 500, all five of the U.S. military branches, and all ten of the major U.S. telecom providers. This widespread attack appears to have been specifically aimed at exfiltrating data from U.S. Federal departments, with follow-on attacks being reported from the Department of Homeland Security, the Department of the Treasury, and the Department of Commerce.
The malware that was infiltrated into SolarWinds’ digital supply chain is called “SUNBURST” (the same malware was alternately designated “Solorigate” by Microsoft). Additional malware is distributed as part of the attack, including packages known as TEARDROP and BEACON. Because these malware assets were infiltrated into and digitally signed by SolarWinds as part of their update build process, there was no immediate indication to customers that the updates were anything but genuine.
According to a report released by FireEye, a respected security research firm, “the campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.”
This attack is serious enough that the Cybersecurity & Infrastructure Security Agency (CISA), a part of the U.S. Department of Homeland Security, issued an emergency directive to U.S. Federal agencies that says in part: “Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain.”
In Canada, the Communications Security Establishment’s Canadian Centre for Cyber Security has also published an alert on this attack.
The actors behind this attack gained access to numerous organizations around the world. They gained access to victims via malicious and undetected updates to SolarWinds’ Orion IT monitoring and management software. This attack began as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included wide-scale administrative access and data theft.
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally signed component of the Orion software framework that was modified to contain a backdoor that communicates via HTTP to third-party servers. The initial payload delivered by SolarWinds has now been identified as SUNBURST/Solorigate.
After a randomized period of up to two weeks, it retrieves and executes commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor could also identify forensic and anti-virus tools running as processes, services, and drivers.
After a dormant period, the malware will attempt to contact a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The command and control traffic to the malicious domains is designed to mimic normal SolarWinds API communications.
After gaining access, this attacker uses a variety of techniques to disguise their operations while they move throughout the victims’ network. This attacker prefers to keep a low-profile footprint, favouring legitimate credentials and remote access for entrance into a victim’s environment.
Multiple SUNBURST/Solorigate samples have been analyzed by FireEye and seen to be delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper dubbed TEARDROP to deploy Cobalt Strike BEACON.
TEARDROP is a memory-only dropper that runs as a service. TEARDROP does not have code overlap with any previously seen malware. FireEye believes that this was used to execute a customized Cobalt Strike BEACON, a penetration toolkit that, if used legitimately, can be employed to validate network security.
The follow-on attacks on target infrastructure leveraged DNS tunneling to exfiltrate data from the protected systems to anonymous servers on the Internet. DNS was used both for command and control of the attack, and as the transport layer for exfiltrating the data. While this is not a new vector – many previous malware attacks have used DNS for either or both roles – the sophistication of the attackers in how they leveraged DNS is noteworthy.
These attacks typically use Domain Generation Algorithms (DGAs) to generate the hostname portion of the fully-qualified domain name. Typically, this will result in DNS queries for a long obfuscated random name like jhsdfhoperunsd934kafd.domain.com. These names are often generated either once when the malware is started, or sometimes periodically to better conceal data exfiltration. In this case, it appears that a randomly generated name is used for exactly one exfiltration query (e.g. one “packet” of data) and then discarded in an attempt to outfox DGA-hunting algorithms.
The domains known to be involved in this attack include:
- avsvmcloud[.]com (Ownership has been transferred to Microsoft as a result of the investigation.)
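The two DNS behaviours described above (random hostnames that are each queried exactly once, and a CNAME answer that redirects a query under avsvmcloud[.]com to a command and control domain) are both visible in ordinary resolver query logs. The script below is an added example written for this post; it is not code from Empowered Networks, FireEye or SolarWinds. It assumes a simple whitespace-separated log format (timestamp, client, query name, type, answer), a Shannon-entropy threshold and a "last two labels" rule for the parent domain, all of which are choices made here for illustration. The log lines, IP addresses and the CNAME target are constructed placeholders, not indicators from the incident; the only real name used is avsvmcloud[.]com, taken from the list above.

```python
"""Added example: flag DGA-style single-use hostnames and watchlisted CNAME
answers in a DNS query log.  Not part of the original post."""
import math
from collections import defaultdict

# Constructed sample log (placeholder addresses from the documentation ranges).
# Format assumed here: "<timestamp> <client_ip> <qname> <qtype> <answer>".
SAMPLE_DNS_LOG = """\
2020-12-13T10:00:01Z 10.0.0.5 www.example.org A 192.0.2.10
2020-12-13T10:00:02Z 10.0.0.5 mail.example.org A 192.0.2.11
2020-12-13T10:00:03Z 10.0.0.7 k7dqz2mxw9vpl4rb.domain.com A NXDOMAIN
2020-12-13T10:00:04Z 10.0.0.7 jhsdfhoperunsd934kafd.domain.com A NXDOMAIN
2020-12-13T10:00:05Z 10.0.0.7 b3nfy8qhc5wzt1ed.domain.com A NXDOMAIN
2020-12-13T10:00:06Z 10.0.0.7 p9ravm2xjd6ch4kt.domain.com A NXDOMAIN
2020-12-13T10:00:07Z 10.0.0.7 www.domain.com A 198.51.100.10
2020-12-13T10:00:08Z 10.0.0.9 fk3zqd8wvx7mbr1c.avsvmcloud.com A CNAME=c2-placeholder.example.net
2020-12-13T10:00:09Z 10.0.0.5 www.example.org A 192.0.2.10
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random DGA labels score far above words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def refang(domain: str) -> str:
    """Turn the defanged 'avsvmcloud[.]com' notation back into a real name."""
    return domain.replace("[.]", ".").lower()


def registered_domain(qname: str) -> str:
    # Simplification for the example: the parent is the last two labels.
    # Production code should consult the public suffix list instead.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "qtype": qtype, "answer": answer}


def analyze(log_text: str, entropy_threshold: float = 3.5, min_label_len: int = 12,
            min_single_use: int = 3, watchlist=("avsvmcloud[.]com",)) -> dict:
    """Return parent domains with many single-use random hostnames, plus every
    query and CNAME answer touching a watchlisted domain."""
    watch = {refang(d) for d in watchlist}
    label_hits = defaultdict(lambda: defaultdict(int))  # parent -> label -> queries
    watchlist_queries, cname_answers = [], []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        labels = rec["qname"].split(".")
        parent = registered_domain(rec["qname"])
        leftmost = labels[0]

        # Behaviour 1: a long, high-entropy leftmost label under some parent.
        if (len(labels) > 2 and len(leftmost) >= min_label_len
                and shannon_entropy(leftmost) >= entropy_threshold):
            label_hits[parent][leftmost] += 1

        # Behaviour 2: anything under a watchlisted domain, and its CNAME answer.
        if parent in watch:
            watchlist_queries.append(rec["qname"])
            if rec["answer"].startswith("CNAME="):
                cname_answers.append((rec["qname"], rec["answer"][len("CNAME="):]))

    # A parent domain is suspect when several random labels were each used once.
    suspect = {}
    for parent, seen in label_hits.items():
        single_use = sum(1 for count in seen.values() if count == 1)
        if single_use >= min_single_use:
            suspect[parent] = single_use

    return {"suspect_domains": suspect,
            "watchlist_queries": watchlist_queries,
            "cname_answers": cname_answers}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports domain.com with four single-use high-entropy labels (the ordinary www.domain.com query is ignored), one query under avsvmcloud.com, and the CNAME answer that redirected it. The thresholds are deliberately conservative; on real resolver logs, CDN and cloud hostnames also score high on entropy, so the single-use count per parent domain, rather than entropy alone, is what separates the exfiltration pattern from normal traffic.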
If you were affected by or are concerned about Solorigate and you are evaluating next steps, call Empowered Networks and we can help you assess and prioritize your options for network discovery, change and configuration management and IP Address Management.