Our DFIR team has continued to collect information from the security community at large about the SolarWinds Orion and UNC2452 supply chain compromise, and we’re bringing it to you as a source of information and guidance.
Note: SBS does not utilize any SolarWinds' products or services.
Who Can Be Affected?
Currently, any organization or person deploying the SolarWinds Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, can be affected. SolarWinds Orion is an IT performance monitoring platform that manages and optimizes IT infrastructure, and Orion is one of SolarWinds' many product offerings. The malicious update was digitally signed by SolarWinds and has been publicly available since March 2020.
Office365 customers at the time Microsoft was breached due to this attack can be affected as well. Microsoft notified those customers immediately. Additionally, any of your organization's third-party vendors that were breached could affect your data.
How Does This Attack Work?
The threat actor, dubbed UNC2452 by FireEye, leveraged a supply chain compromise to SolarWinds Orion versions 2019.4 HF 5 through 2020.2.1. UNC2452 hacked the digitally-signed code of SolarWinds’ Orion product and inserted their own malicious code. Affected SolarWinds Orion customers downloaded the code through the digitally signed channel and installed it as part of the Orion product.
Once installed, the code provided backdoor entry to the threat actor UNC2452, who then blended their activity with legitimate SolarWinds Orion activity so that the malicious traffic closely resembled the normal behavior of the Orion software. This effort was intended to evade detection.
Once UNC2452 was on the affected systems, they conducted various post-exploitation activities to develop long-term access.
These activities included but were not limited to:
- Modifying or adding federation trusts in Azure AD so that tokens signed with UNC2452-owned certificates are accepted
- Adding password credentials to OAuth applications or service principals
- Using those added credentials to read mail content from Exchange Online services
- Deploying memory-only droppers to load Cobalt Strike BEACON
- Potentially installing other backdoors
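The first three activities above leave records in the Azure AD audit log, which makes them a natural hunting target. The following is an added example written for this post, not SBS's or Microsoft's code: it scans audit records in the JSON shape the Azure AD audit log exports (operation name in `activityDisplayName`, actor under `initiatedBy`) for federation changes and credential additions. The operation names in `WATCHED_OPERATIONS` are assumed to match what the log emits and should be confirmed against your own exports, and the sample records are constructed.

```python
"""Hunt Azure AD audit-log records for federation and credential changes.

Added example, not SBS's or Microsoft's code. Assumes records in the
Azure AD audit-log JSON shape; operation names are assumptions to verify.
"""
from collections import Counter

# Operations corresponding to the post-exploitation steps described above.
# These names are ASSUMED; confirm them against your tenant's audit log.
WATCHED_OPERATIONS = {
    "Set federation settings on domain": "federation trust modified",
    "Set domain authentication": "domain authentication changed",
    "Add service principal credentials": "credential added to service principal",
    "Update application - Certificates and secrets management":
        "credential added to OAuth application",
}

# Constructed sample records (not real log data).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-12-10T02:14:07Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-orion@example.test",
                              "ipAddress": "203.0.113.9"}},
     "targetResources": [{"displayName": "example.test"}]},
    {"activityDateTime": "2020-12-10T02:20:41Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-orion@example.test",
                              "ipAddress": "203.0.113.9"}},
     "targetResources": [{"displayName": "Mail Reader App"}]},
    {"activityDateTime": "2020-12-10T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test",
                              "ipAddress": "198.51.100.4"}},
     "targetResources": [{"displayName": "jdoe"}]},
]


def actor_of(record):
    """Return (principal name, source IP) for whoever initiated the record."""
    who = record.get("initiatedBy", {})
    principal = who.get("user") or who.get("app") or {}
    name = (principal.get("userPrincipalName")
            or principal.get("displayName") or "unknown")
    return name, principal.get("ipAddress")


def find_identity_changes(records, allowlist=frozenset()):
    """One finding per watched operation not performed by an allow-listed actor.

    The allowlist holds principals (for example a change-management account)
    whose federation or credential changes are expected.
    """
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        if op not in WATCHED_OPERATIONS:
            continue
        actor, ip = actor_of(rec)
        if actor in allowlist:
            continue
        targets = [t.get("displayName", "?") for t in rec.get("targetResources", [])]
        findings.append({"time": rec.get("activityDateTime"), "actor": actor,
                         "ip": ip, "what": WATCHED_OPERATIONS[op],
                         "targets": targets})
    return findings


def actors_with_multiple_changes(findings):
    """Principals behind more than one watched change: worth reviewing first."""
    counts = Counter(f["actor"] for f in findings)
    return {actor for actor, n in counts.items() if n > 1}


if __name__ == "__main__":
    for f in find_identity_changes(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['actor']} ({f['ip']}): {f['what']} -> {f['targets']}")
```

Federation and credential changes are rare in most tenants, so a short allowlist of change-management accounts keeps the output small enough to review by hand; anything outside that list deserves a ticket.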
What Can You Do?
Luckily, SolarWinds has devised courses of action to assist with answering this question. They suggest upgrading to Orion Platform version 2020.2.1 HF 1 immediately. SolarWinds states that this latest version contains only their own code. Be sure to check with your executive team and review your vendor policies to determine whether your organization is still allowed to trust SolarWinds products.
- Check the version of the Orion platform you are currently running.
- Check which hotfixes you have applied.
- If you cannot upgrade immediately, apply SolarWinds' suggested compensating controls.
- DHS has released guidance to any government agencies running compromised versions of SolarWinds Orion, including to forensically image any hosts running compromised versions of Orion, analyze network traffic for Indicators of Compromise, and disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
- Additionally, SBS recommends you reach out to YOUR critical vendors to determine if SolarWinds Orion is used by their organization. If so, what steps are your vendor(s) taking to mitigate risk and monitor their networks?
Unfortunately, taking these steps does not mean the story ends here. Updating Orion or disconnecting the product doesn’t fix the fact that your organization might have been compromised. The security community at large is suggesting the following actions, which SBS CyberSecurity also recommends:
- Check the FireEye GitHub repository for the latest Indicators of Compromise (IoC), which should be added to your detection software or SIEM. These IoCs are available in Snort, YARA, IOC, and ClamAV formats.
- On December 16, 2020, Brian Krebs reported that Microsoft, FireEye, and GoDaddy found a killswitch and implemented it by taking down the domain Sunburst used.
- If you use an endpoint Host Intrusion Prevention Solution (HIPS), ensure that your provider can detect SUNBURST malware and scan all your cloud and local resources.
- Knowing your network and what your users are doing is extremely important. Check for account logins that are abnormal or impossible for your users. Abnormal activity can be identified per user by looking at the "from" IP address of each account login. If you have many users, doing this manually takes a long time; a tool loaded with one of the rule sets listed above makes it far faster.
- According to FireEye, UNC2452 has been observed mimicking victim hostnames in their command-and-control infrastructure. Querying internet scanning services such as Shodan for internal hostnames may reveal attacker infrastructure used against your organization.
- On February 3, 2021, Bruce Schneier reported:
“Earlier this month, the US government has stated the attack is ‘likely Russian in origin.’ This echoes what then Secretary of State Mike Pompeo said in December, and the Washington Post‘s reporting (both from December). (The New York Times has repeated this attribution — a good article that also discusses the magnitude of the attack.) More evidence comes from code forensics, which links it to Turla, another Russian threat actor.”
- Another “knowing your network and users” option is checking for single systems connecting to multiple systems with multiple accounts. Logging into multiple systems and accounts simultaneously should never happen unless the single system performing these activities is an administrator and has a business reason to be logging into multiple systems with multiple accounts. If this scenario ever occurs in your environment, it should be very rare.
- Vendor management is a must. Check to see if your vendors are using SolarWinds Orion, and if so, what they have done to track the backdoor and discover a possible compromise.
- Microsoft has provided an article on hardening Active Directory against some of the behavior exhibited by this compromise.
- In an article on January 11, 2021, CrowdStrike reported that more strains of malware are coming from the SolarWinds attack. They reported that another related piece of malware, Sunspot, was deployed in September 2019, at the time hackers breached SolarWinds’ internal network. Other related malware includes Teardrop, also known as Raindrop.
- Microsoft put out a notice on January 20, 2021 stating:
“We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.”
“One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection. This blog provides details about this handover based on a limited number of cases where this process occurred. To uncover these cases, we used the powerful, cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view.”
- Lastly, Joe Panettieri published a full security incident timeline of events through February 26, 2021.
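Two of the "knowing your network and users" checks in the list above (logins from an IP address a user has never used or could not plausibly use, and a single system reaching several systems with several accounts) can be expressed as a few lines of log analysis. The block below is an added example written for this post, not SBS's code or any vendor's tool. It assumes a simple one-line-per-logon format with `user=`, `src=` and `dst=` fields, uses a baseline period to learn each user's usual source IPs, and treats two different source IPs for one user inside a 30-minute window as "impossible" without needing geolocation data. All log lines and thresholds are constructed.

```python
"""Sign-in anomaly checks: unfamiliar source IPs, impossible logins, and
one source host fanning out across many accounts and hosts.

Added example, not SBS's code. The log format, field names, window and
thresholds are assumptions; adapt them to your own logon records.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

# Constructed sample: a quiet baseline week, then one suspicious night.
BASELINE_LOG = """\
2020-12-07T08:01:00Z logon user=jdoe src=10.1.1.20 dst=MAIL01
2020-12-07T08:05:00Z logon user=asmith src=10.1.1.31 dst=MAIL01
2020-12-08T08:02:00Z logon user=jdoe src=10.1.1.20 dst=FS01
2020-12-08T08:10:00Z logon user=admin-bk src=10.1.9.5 dst=FS01
2020-12-09T08:03:00Z logon user=asmith src=10.1.1.31 dst=FS01
"""
REVIEW_LOG = """\
2020-12-14T03:12:00Z logon user=jdoe src=10.1.1.20 dst=MAIL01
2020-12-14T03:14:00Z logon user=jdoe src=10.1.7.77 dst=DC01
2020-12-14T03:15:00Z logon user=asmith src=10.1.7.77 dst=FS01
2020-12-14T03:16:00Z logon user=admin-bk src=10.1.7.77 dst=SQL01
2020-12-14T09:00:00Z logon user=asmith src=10.1.1.31 dst=MAIL01
"""


def parse(log_text):
    """Parse logon lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def build_baseline(events):
    """Map each user to the set of source IPs seen during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["src"])
    return seen


def new_source_logins(baseline, events):
    """Logins whose 'from' IP was never seen for that user in the baseline."""
    return [e for e in events if e["src"] not in baseline.get(e["user"], set())]


def impossible_logins(events, window=timedelta(minutes=30)):
    """Same user from two different IPs within `window`; returns (user, ip_a, ip_b)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["src"], b["src"]))
    return hits


def fan_out_sources(events, min_users=2, min_hosts=2, allowed_admins=frozenset()):
    """Source hosts using at least `min_users` accounts against `min_hosts` systems.

    `allowed_admins` lists administrator workstations with a business reason
    to do this; everything else should be very rare.
    """
    users, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
        hosts[e["src"]].add(e["dst"])
    return {src for src in users if src not in allowed_admins
            and len(users[src]) >= min_users and len(hosts[src]) >= min_hosts}


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    review = parse(REVIEW_LOG)
    for e in new_source_logins(baseline, review):
        print("new source:", e["user"], "from", e["src"])
    print("impossible:", impossible_logins(review))
    print("fan-out sources:", fan_out_sources(review))
```

The baseline should be long enough to cover normal travel and remote-work patterns, and the fan-out allowlist should be kept short and reviewed; a jump host used by the whole IT team is exactly the kind of system an intruder would also prefer to work from.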
If your organization uses SolarWinds Orion, please make sure you're monitoring your network for Indicators of Compromise and hunting for potential threats. For a primer on Indicators of Compromise, check out SBS’ blog post on IoCs.
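As an added example of what "monitoring your network for Indicators of Compromise" looks like in practice, the block below matches a small indicator list against DNS query log lines and file hashes. It is written for this post and is not SBS's or FireEye's code; the indicator values, DNS log format and sample files are constructed placeholders, not real SUNBURST indicators, and the real list should be loaded from the vendor feed mentioned above. Domain matching treats any subdomain of a listed domain as a hit, since command-and-control traffic often uses generated subdomains.

```python
"""Match an indicator list against DNS log lines and file hashes.

Added example, not SBS's or FireEye's code. Indicators, log format and
sample files are constructed placeholders, not real IoCs.
"""
import hashlib
import re

# PLACEHOLDER indicators (not real IoCs); load the vendor feed in practice.
IOC_DOMAINS = {"placeholder-c2.example.test"}
IOC_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Assumed one-line-per-query format for the DNS resolver log.
DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$")

# Constructed sample log and files.
SAMPLE_DNS_LOG = """\
2020-12-14T03:13:02Z client=10.1.1.20 query=updates.example.test
2020-12-14T03:13:40Z client=10.1.1.20 query=abc123.placeholder-c2.example.test.
2020-12-14T03:14:00Z client=10.1.1.31 query=www.example.test
"""
SAMPLE_FILES = {
    "C:\\Orion\\clean.dll": b"ordinary contents",
    "C:\\Orion\\suspect.dll": b"constructed malicious sample",
}


def domain_matches(qname, ioc_domains):
    """True if qname equals a listed domain or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def match_dns(log_text, ioc_domains=IOC_DOMAINS):
    """Return (client, queried name) for every query hitting a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m and domain_matches(m["qname"], ioc_domains):
            hits.append((m["client"], m["qname"].rstrip(".")))
    return hits


def match_hashes(files, ioc_hashes=IOC_SHA256):
    """Return paths whose SHA-256 is on the indicator list."""
    return [path for path, data in files.items()
            if hashlib.sha256(data).hexdigest() in ioc_hashes]


if __name__ == "__main__":
    print("DNS hits:", match_dns(SAMPLE_DNS_LOG))
    print("hash hits:", match_hashes(SAMPLE_FILES))
```

Hash matching only catches files identical to known samples, so it complements rather than replaces the YARA rules and vendor endpoint detection discussed above; the DNS check is the cheaper of the two to run across an entire estate.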
Incident Response Assistance: If your organization needs immediate assistance with an active incident or security breach situation, call 605-923-8722 to speak to our Incident Response Team.
Buzz Hillestad, GCFE
SVP - Information Security Consultant - SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.