
Attackers used the SolarWinds supply chain to exploit the SUNBURST backdoor against multiple victims worldwide

SolarWinds today announced that its product was apparently used to breach multiple high profile organizations. One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach the network.

SolarWinds was apparently compromised early in 2020. The attackers used the access to the SolarWinds network to add a backdoor to a key library that is part of SolarWinds. This modified library was delivered to selected SolarWinds customers via the normal SolarWinds update process.

According to SolarWinds’ statement, updates to the Orion product released between March and June of 2020 are affected. The SolarWinds Orion Platform is an IT management platform that centralizes IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things.

Currently, the following names are used for the attack:

  • Microsoft labeled the attack “Solarigate” in Windows Defender.
  • FireEye refers to the backdoor as SUNBURST. The campaign is tracked as UNC2452.

What you should do at this point:

  1. Verify if you are running SolarWinds Orion and if so, assert which networks are managed by it (likely all or most of your network)
  2. Get in touch with SolarWinds ASAP to learn how to detect a compromise. See the IOCs FireEye published [7]. Not all SolarWinds customers are affected, and different customers received different versions of the backdoor. The simplest/quickest check is to search for lookups for hosts in the avsvmcloud.com domain.
  3. Carefully monitor your SolarWinds Orion installs for unusual behavior.
  4. As of Sunday morning, Microsoft Defender will detect related malware as “Solarigate” [5]. Other endpoint protection suites will likely detect the backdoor as well.
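The quick check from step 2, searching DNS logs for lookups of hosts under avsvmcloud.com, as an added example (not code from the diary or from FireEye). The log format and the sample lines are constructed for the example; the matching is case-insensitive, strips a trailing dot, and only matches the apex or a true subdomain, so an unrelated name such as notavsvmcloud.com is not flagged.

```python
"""Find DNS lookups for hosts in the avsvmcloud.com domain (added example)."""
import re
from collections import defaultdict

SUSPECT_DOMAIN = "avsvmcloud.com"

# Constructed sample log lines in a hypothetical format:
# <timestamp> <client ip> <query name> <query type>
SAMPLE_DNS_LOG = """\
2020-12-13T08:01:12Z 10.20.30.40 www.example.com A
2020-12-13T08:01:15Z 10.20.30.41 k3jd92lq.avsvmcloud.com A
2020-12-13T08:02:00Z 10.20.30.40 notavsvmcloud.com A
2020-12-13T08:03:44Z 10.20.30.41 XYZ123.AVSVMCLOUD.COM. A
2020-12-13T08:05:10Z 10.20.30.42 downloads.solarwinds.com A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot."""
    return qname.lower().rstrip(".")


def is_suspect_host(qname: str, domain: str = SUSPECT_DOMAIN) -> bool:
    """True for the apex domain itself or any host below it; no substring matches."""
    name = normalize(qname)
    return name == domain or name.endswith("." + domain)


def find_suspect_lookups(log_text: str):
    """Return (timestamp, client, normalized name) for every matching query."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if is_suspect_host(m["qname"]):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


def clients_to_investigate(log_text: str):
    """Group the hits by client IP so each Orion host can be triaged once."""
    by_client = defaultdict(list)
    for ts, client, qname in find_suspect_lookups(log_text):
        by_client[client].append((ts, qname))
    return dict(by_client)


if __name__ == "__main__":
    for client, lookups in clients_to_investigate(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(lookups)} lookup(s) under {SUSPECT_DOMAIN}")
        for ts, qname in lookups:
            print(f"  {ts} {qname}")
```

Run it against an exported resolver log after adapting `LINE_RE` to the log format in use; any internal host resolving names under this domain is a candidate for the closer look described in step 3.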

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier’s diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4].

The backdoor is part of SolarWinds.Orion.Core.BusinessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by “Solarwinds Worldwide, LLC”. The update was distributed using the legitimate SolarWinds updates website (hxxps://downloads[.]solarwinds[.]com).

IOCs from Microsoft’s report:

  • several malicious DLLs were identified
    • Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
      Sha1: 76640508b1e7759e548771a5359eaed353bf1eec
      File Size: 1011032 bytes
      File Version: 2019.4.5200.9083
      Date first seen: March 2020
    • Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
      Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
      File Size: 1028072 bytes
      File Version: 2020.2.100.12219
      Date first seen: March 2020
    • Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
      Sha1: e257236206e99f5a5c62035c9c59c57206728b28
      File Size: 1026024 bytes
      File Version: 2020.2.100.11831
      Date first seen: March 2020
    • Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
      Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
      File Size: 1026024 bytes
      File Version: not available
      Date first seen: March 2020
    • Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
      Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
      File Size: 1029096 bytes
      File Version: 2020.4.100.478
      Date first seen: April 2020
    • Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
      Sha1: 2f1a5a7411d015d01aaee4535835400191645023
      File Size: 1028072 bytes
      File Version: 2020.2.5200.12394
      Date first seen: April 2020
    • Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
      Sha1: d130bd75645c2433f88ac03e73395fba172ef676
      File Size: 1028072 bytes
      File Version: 2020.2.5300.12432
      Date first seen: May 2020
  • the malicious DLLs connect to infrastructure using the avsvmcloud.com domain. 
  • Decrypted hash list: Sunburst Hash List
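An added example (not from the diary or from Microsoft) that checks installed copies of SolarWinds.Orion.Core.BusinessLayer.dll against the SHA256/SHA1 pairs listed above. Because the trojanized DLL carries a valid SolarWinds signature, a signature check alone does not clear a file; a hash match against the IOC list does. The directory layout, the `demo_scan` helper and the placeholder file it writes are constructed for the example.

```python
"""Hash DLLs and match them against the SUNBURST IOC list above (added example)."""
import hashlib
import os
import tempfile

# SHA256 -> (SHA1, file version, first seen), copied from the IOC list in the diary
KNOWN_BAD_SHA256 = {
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77":
        ("76640508b1e7759e548771a5359eaed353bf1eec", "2019.4.5200.9083", "March 2020"),
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b":
        ("1acf3108bf1e376c8848fbb25dc87424f2c2a39c", "2020.2.100.12219", "March 2020"),
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed":
        ("e257236206e99f5a5c62035c9c59c57206728b28", "2020.2.100.11831", "March 2020"),
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77":
        ("bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387", "not available", "March 2020"),
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c":
        ("6fdd82b7ca1c1f0ec67c05b36d14c9517065353b", "2020.4.100.478", "April 2020"),
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134":
        ("2f1a5a7411d015d01aaee4535835400191645023", "2020.2.5200.12394", "April 2020"),
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6":
        ("d130bd75645c2433f88ac03e73395fba172ef676", "2020.2.5300.12432", "May 2020"),
}

# The DLL the backdoor was inserted into; compared case-insensitively
TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"


def hash_bytes(data: bytes):
    """SHA256 and SHA1 hex digests of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20):
    """SHA256 and SHA1 hex digests of a file, read in chunks so large DLLs fit in memory."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h256.update(block)
            h1.update(block)
    return h256.hexdigest(), h1.hexdigest()


def lookup(sha256: str):
    """Return the IOC record for a SHA256, or None if it is not on the list."""
    return KNOWN_BAD_SHA256.get(sha256.strip().lower())


def scan_tree(root: str, only_target: bool = True):
    """Walk a directory tree, hash each candidate DLL and report IOC matches."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if only_target and name.lower() != TARGET_DLL:
                continue
            path = os.path.join(dirpath, name)
            sha256, sha1 = hash_file(path)
            rec = lookup(sha256)
            findings.append({
                "path": path,
                "sha256": sha256,
                "sha1": sha1,
                "malicious": rec is not None,
                # a SHA256 hit whose SHA1 disagrees with the list is a data error worth a look
                "sha1_consistent": rec is None or rec[0] == sha1,
                "version": rec[1] if rec else None,
                "first_seen": rec[2] if rec else None,
            })
    return findings


def demo_scan():
    """Scan a throwaway directory holding a constructed, benign placeholder file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "SolarWinds.Orion.Core.BusinessLayer.dll")
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real DLL")  # constructed content
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        status = "MATCHES IOC LIST" if finding["malicious"] else "not on IOC list"
        print(f"{finding['path']}: {status} sha256={finding['sha256']}")
```

Point `scan_tree` at the Orion installation directory (or at the whole system drive with `only_target=False` to also hash stray copies under other names). A file that is not on the list is not proven clean, since the diary notes that different customers received different versions of the backdoor; it only means this particular IOC set did not match.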