On December 13, 2020, the American cyber security company FireEye released an analysis report stating that the release environment of the Orion infrastructure management platform under SolarWinds had been compromised by a hacker organization. The attacker tampered with the source code of the file SolarWinds.Orion.Core.BusinessLayer.dll and added backdoor code; the file carried a legitimate digital signature and was distributed with the software update.
The backdoor code disguises its communication as Orion OIP protocol traffic, blending its malicious behavior into the legitimate behavior of SolarWinds. FireEye said it had detected attacks in many regions around the world, including some government, consulting, and technology companies in North America, Europe, Asia and the Middle East. SolarWinds issued a security bulletin on its official website, announcing the affected versions as 2019.4 HF 5 through 2020.2.1 and prompting users to upgrade to 2020.2.1 HF 1.
SolarWinds was founded in 1999 and is headquartered in Austin, Texas, USA, with sales and product development offices in many countries. It mainly produces software products for network and system monitoring and management, and serves 300,000 customers worldwide, covering a large number of important institutions such as government, military and education, and more than 90% of the world’s top 500 companies. The list of well-known customers includes 425 of the Fortune 500 companies; the top ten telecommunications companies in the United States; all five branches of the US military; the Pentagon, US State Department, NASA, NSA, US Postal Service, NOAA, US Department of Justice and the Office of the President; the top five accounting firms in the US; and hundreds of universities worldwide.
2. Incident analysis
2.1 Attack process
After the attacker compromised SolarWinds, they replaced the Orion software installation package provided on its official website with a version implanted with the backdoor, thus carrying out a prefabricated supply chain attack. The SolarWinds.Orion.Core.BusinessLayer.dll component was tampered with by the attacker, who added a class named “SolarWinds.Orion.Core.BusinessLayer” containing malicious code. The names of the related functions are disguised in a social-engineering style to resemble legitimate code and are difficult to identify with the naked eye.
The tampered SolarWinds.Orion.Core.BusinessLayer.dll component carries a legitimate digital signature of “Solarwinds Worldwide, LLC”, which means that the malicious code was inserted before the file was digitally signed: possibly in the source code development environment, the compilation environment, or the binary release stage prior to signing. 12 to 14 days after entering the system, when the component is loaded by the SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe module of the Orion platform, the subsequent malicious code is executed.
What is finally installed on the machine is the SUNBURST backdoor written by the attacker. The backdoor sends DNS requests for subdomains of avsvmcloud.com produced by a domain generation algorithm (DGA). C2 communication uses the HTTP protocol and masquerades as the Orion software’s routine Orion Improvement Program (OIP) traffic; finally, the backdoor reads and executes commands and payloads hidden steganographically in the XML data returned by the C2. The basic capabilities of the backdoor are as follows:
Table 2-1 Command functions of the SUNBURST backdoor:

| Command | Function |
|---|---|
| Exit | Exit the current thread. |
| SetTime | Set the delay time. |
| CollectSystemDescription | Collect system information, including host name, user name, OS version, MAC address, IP address, DHCP configuration and domain. |
| UploadSystemDescription | Send the collected system information. |
| RunTask | Run programs and create processes. |
| GetProcessByDescription | Get process information; only the PID and process name are returned, without parameters. |
| KillTask | Terminate the process with the specified PID. |
| GetFileSystemEntries | Obtain system files and directories. |
| WriteFile | Decode the delivered Base64-encoded data and write it to the specified file. |
| FileExists | Test whether the specified file already exists. |
| DeleteFile | Delete the specified file. |
| GetFileHash | Get the MD5 value of the specified file. |
| ReadRegistryValue | Read the specified registry location. |
| SetRegistryValue | Write to the specified registry location. |
| DeleteRegistryValue | Delete the specified registry location. |
| GetRegistrySubKeyAndValueNames | Get the subkeys and values under the specified registry path. |
| Reboot | Restart the system. |
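The DGA beaconing described in Section 2.1 is the first network-side signal a defender can look for. The following Python script is an added example, not code from the original report or from SolarWinds or FireEye: it scans DNS query logs for names under avsvmcloud.com, the parent domain named in the report, and marks a hit as DGA-like when the leftmost label is long and high-entropy. The log line format, the constructed log lines and the two heuristic thresholds are assumptions; the random-looking labels are made up and are not real indicators.

```python
"""Flag DNS queries that match the SUNBURST DGA beaconing pattern (added example).

Only the parent domain avsvmcloud.com comes from the report. The log format
"<timestamp> <client-ip> <query-name>", the sample lines and the thresholds
are assumptions made for this example.
"""
import math
from dataclasses import dataclass

C2_PARENT_DOMAIN = "avsvmcloud.com"  # DGA parent domain named in the report
MIN_LABEL_LENGTH = 15                # assumed heuristic threshold, not from the report
MIN_ENTROPY_BITS = 3.0               # assumed heuristic threshold, not from the report

# Constructed sample log lines; the random-looking labels are made up, not real indicators.
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:12Z 10.0.5.21 time.windows.com
2020-12-14T08:01:40Z 10.0.5.21 k3m9x2q7v1p8n4w6z0ha.avsvmcloud.com
2020-12-14T08:03:02Z 10.0.5.22 myavsvmcloud.com
2020-12-14T08:05:17Z 10.0.5.21 q8r2t6y1u5i9o3p7a4sd.region-x.avsvmcloud.com
2020-12-14T08:06:00Z 10.0.5.30 www.avsvmcloud.com
2020-12-14T08:07:45Z 10.0.5.31 avsvmcloud.com.intranet.example
"""


@dataclass
class Alert:
    timestamp: str
    client: str
    query: str
    dga_like: bool  # True when the leftmost label looks machine-generated


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_under_domain(name: str, parent: str) -> bool:
    """Label-aware suffix check: 'x.avsvmcloud.com' matches, 'myavsvmcloud.com' does not."""
    name = name.rstrip(".").lower()
    parent = parent.rstrip(".").lower()
    return name == parent or name.endswith("." + parent)


def looks_generated(label: str) -> bool:
    """Heuristic: long and high-entropy labels are typical of DGA output."""
    return len(label) >= MIN_LABEL_LENGTH and shannon_entropy(label) >= MIN_ENTROPY_BITS


def analyze_dns_log(log_text: str) -> list:
    """Return one Alert per query that resolves under the C2 parent domain."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        timestamp, client, query = parts
        if not is_under_domain(query, C2_PARENT_DOMAIN):
            continue
        leftmost = query.rstrip(".").split(".")[0]
        alerts.append(Alert(timestamp, client, query, looks_generated(leftmost)))
    return alerts


if __name__ == "__main__":
    for a in analyze_dns_log(SAMPLE_DNS_LOG):
        kind = "DGA-like beacon" if a.dga_like else "query to C2 domain"
        print(f"{a.timestamp} {a.client} {a.query}: {kind}")
```

The suffix check is label-aware so that a look-alike registration such as myavsvmcloud.com or a name that merely contains the string does not match, while a hit on the bare domain (for example www.avsvmcloud.com) is still reported, just not as DGA-like. In a real deployment the thresholds would be tuned against the organisation’s own DNS baseline, and a hit should be joined with the querying host’s process list to confirm the query originated from the Orion BusinessLayerHost process named in Section 2.1.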
According to the report released by FireEye, after gaining a foothold through the implanted malicious code, the attacker moves laterally within the compromised network and accesses more machines, for example to obtain SAML (Security Assertion Markup Language) tokens, steal Azure AD files and establish persistence, or to implant the Cobalt Strike Trojan in memory through the TEARDROP component.
2.2 Analysis of the threat framework perspective of related samples
The incident involved multiple attack stages, such as how the attacker penetrated SolarWinds and how the supply chain implant was used to compromise other targets. Due to the lack of more direct on-site information, we evaluate only the malicious code implanted in the supply chain, from the perspective of the threat framework.
The reason for adopting the threat framework perspective is that network management software differs from ordinary application software: once a backdoor is implanted in it, the consequences can be severe. Because network management software itself has remote management and monitoring functions and is already configured with management-level access credentials, once it is controlled by an attacker it becomes a super RAT. The attacker’s activity is then regarded as compliant behavior, and its access to the managed targets is difficult to monitor.
The “management actions” it issues are also behaviors that occur under normal circumstances. The attacker does not need to gain control through penetration, and does not need to spend vulnerabilities, deploy tools, or take separate steps to achieve persistence. We draw a threat capability map based on the relevant malicious code samples. In it, the tactics covered in red are those the malicious code itself can complete, and those outlined with dotted lines are the tactics that can be extended by using the network management software as a RAT.
At the same time, it should be noted that because the malicious code itself can perform fine-grained remote control operations (such as writing files and modifying or adding registry keys), it can already support a very rich set of attack tactics through these operations, so the mapping is not exhaustive. The map is mainly used to show the harm caused by prefabricating malicious code into network management software via the supply chain and then using that software as a RAT in an intrusion scenario.
2.3 Impact and harm
SolarWinds issued an official security bulletin stating that the affected Orion software versions are 2019.4 HF5 through 2020.2.1, released between March 2020 and June 2020, and recommending that customers upgrade to 2020.2.1 HF1 as soon as possible. If the upgrade cannot be done in time, the Orion Platform’s Internet access should be restricted through the firewall, leaving only the necessary ports open. SolarWinds will release version 2020.2.1 HF2, which completely replaces the vulnerable components and adds security hardening, on December 15, 2020 (Tuesday).
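A quick way to act on the bulletin’s version range is to sweep an inventory of Orion installs against it. The following Python is an added example, not SolarWinds tooling; it encodes only the range the report quotes (2019.4 HF5 through 2020.2.1 affected, 2020.2.1 HF1 fixed, HF2 announced). The version-string spellings it accepts and the inventory dictionary are assumptions, and any hotfixes the vendor may have issued for other branches are not on the page and are not modelled.

```python
"""Classify an installed Orion Platform version against the quoted bulletin range (added example).

Only the range quoted in the report is encoded. Version-string spellings and the
inventory below are assumptions; this is not SolarWinds tooling.
"""
import re

FIRST_AFFECTED = "2019.4 HF5"
LAST_AFFECTED = "2020.2.1"      # 2020.2.1 without a hotfix
FIRST_FIXED = "2020.2.1 HF1"

# Accepts "2019.4 HF 5", "2019.4 HF5" and "2020.2.1" (assumed spellings).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, hotfix) so that tuple comparison orders releases.

    Missing components count as 0: '2020.2' -> (2020, 2, 0, 0),
    '2019.4 HF 5' -> (2019, 4, 0, 5).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many numeric components in {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def assess(version: str) -> str:
    """'AFFECTED', 'FIXED' or 'OLDER' relative to the quoted bulletin range."""
    v = parse_version(version)
    if parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED):
        return "AFFECTED"
    if v >= parse_version(FIRST_FIXED):
        return "FIXED"
    return "OLDER"


def recommendation(version: str) -> str:
    """Action from the bulletin as quoted: upgrade, or firewall the platform until you can."""
    status = assess(version)
    if status == "AFFECTED":
        return ("upgrade to 2020.2.1 HF1 now; until then restrict the Orion Platform's "
                "Internet access at the firewall to the necessary ports only")
    if status == "FIXED":
        return "fixed build; apply 2020.2.1 HF2 when it is released"
    return "outside the quoted affected range; confirm against the current vendor bulletin"


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = {
        "orion-01": "2020.2",
        "orion-02": "2019.4 HF 5",
        "orion-03": "2020.2.1 HF1",
        "orion-04": "2019.4 HF4",
    }
    for host, ver in inventory.items():
        print(f"{host} ({ver}): {assess(ver)} - {recommendation(ver)}")
```

The hotfix number is parsed as a fourth ordering component so that 2020.2.1 (no hotfix) sorts inside the affected range while 2020.2.1 HF1 sorts after it; a build older than 2019.4 HF5 is reported as outside the quoted range rather than as safe, since the report only states the range the bulletin gave.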
According to FireEye’s analysis of the victims detected globally and of SolarWinds’ customer base, Chinese users should not be a target of this incident. However, because of the particular nature of SolarWinds’ target customers (mainly network administrators or operators), once these users are compromised, attackers can reach a much wider range of networks and cause deep impact through them.
2.4 Event related analysis and guess
FireEye had previously issued announcements and blog articles explaining that it had been intruded, leading to the theft of its red team tools. Antiy CERT conducted follow-up analysis of this and successively released “FireEye Red Team Tools Stolen Incident Analysis and Thinking” and “FireEye Red Team Tool Theft Incident Follow-up Analysis”. Antiy CERT assesses that FireEye’s intrusion incident and FireEye’s disclosure of the SolarWinds supply chain attack may be related. First of all, FireEye suffered an intrusion and theft, which affected the trust and goodwill of its customers; following up by disclosing a major incident to demonstrate its advanced threat discovery and analysis capabilities, hedging the impact and reducing the negative effects, is a reasonable choice.
The backdoored version could still be downloaded from the SolarWinds official website for some time after the report was released. From this point of view, the report was released in a rush, and no effective disposal linkage was formed before release. But we do not tend to think that this is a report FireEye had held in reserve; rather, we think there is another possibility, namely
FireEye is itself a user of the SolarWinds Orion software, which gave the attacker the entry point for the attack. FireEye discovered the tampered network management software and the related attack activity in the process of tracing back the cause of its own intrusion.
Of course, the above can only be regarded as a reasonable guess.