One of the biggest network management systems (NMS) in the USA, SolarWinds, announced on 14 December that it was breached in a ‘highly sophisticated’ supply chain attack. SolarWinds’ Orion platform, used to monitor network devices and critical servers, had its update server compromised to push Trojanised DLL files dubbed SUNBURST or Solorigate.
These malicious DLLs were reportedly pushed to over 18,000 SolarWinds customers. The affected organisations include 425 of the US Fortune 500 companies; the ten largest US telecommunications companies; all five branches of the US military; multiple federal agencies, Intel, Cisco, and Microsoft, as well as many other critical and strategic targets worldwide for an adversarial intelligence-gathering operation.
Initial access
The investigation into how the APT group initially infiltrated SolarWinds’ supply chain is ongoing. It is suspected that SolarWinds’ build environment was compromised, which led to the malware being placed on the update server. In its report to the Securities Exchange Commission (SEC), SolarWinds stated that it uncovered an unspecified attack vector in Microsoft Office 365 that was used to compromise its emails and “may have provided access to other data contained in the Company’s office productivity tools.”
Interestingly, Group-IB researchers found that a notorious access broker, known as @Fxmsp, had been selling a foothold to solarwinds.com and dameware.com (remote control software from SolarWinds) in mid-October 2017. Intel471 also noted that in April 2020 a Russian threat actor, allegedly partnered with REvil ransomware, claimed to have access to the SolarWinds network. (1, 2)
One other opportunity for the attackers to infiltrate was highlighted by bug hunter Vinoth Kumar, who reported exposed FTP credentials on GitHub belonging to the SolarWinds downloads subdomain. The GitHub repository had been open since 17 June 2018 – plenty of time for an adversary to discover it. (1, 2)
Action on objectives
CISA issued an emergency directive regarding the active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March and June 2020. The directive recommended that all SolarWinds customers review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
Once the Trojanised update is downloaded, a second stage memory-only payload, dubbed TEARDROP, was then deployed against targets of interest. This enabled the attackers to extract and execute a Cobalt Strike Beacon for environment reconnaissance, credential dumping, and other post-exploitation activities. (1, 2)
FireEye was the first to disclose that its Red Team tools had been stolen by the APT group it calls UNC2452. This campaign, however, lasted for many months and was orchestrated by a highly skilled threat group, which conducted the attack with significant operational security. MSTIC disclosed further TTPs leveraged by UNC2452 – some of which had never been witnessed in the wild before – such as the theft of an organisations SAML token-signing certificate. This allowed the attackers to add their own credentials to existing applications, subsequently enabling them to call APIs with the correct permissions. The extent of the compromise is unprecedented and still under investigation – it likely will be for many months or even years. (1, 2, 3)
Detection evasion
The APT cyber operators behind this campaign executed it with such skill that it compromised thousands of key organisations and went undetected for months. The SUNBURST malware is a SolarWinds digitally signed component of the Orion software framework which contains a backdoor that communicates to attacker-controlled servers. The backdoor shared the same naming conventions as Orion’s code to ensure SolarWinds’ developers would mistake it for their own. UNC2452 had also developed variables and objects that followed the expected camelCase formatting. Once installed, the malware ‘slept’ for between 288 and 336 hours (12-14 days) before it called back via DNS to the group’s C&C domain (avsvmcloud[.]com). The malware’s network traffic also masquerades as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration XML files – allowing it to blend in with legitimate SolarWinds activity.
Attribution
The FBI, CISA, and ODNI have disclosed that networks at multiple federal government agencies have been compromised. The US has since formed the Cyber Unified Coordination Group (UGC) – the first of its kind – to assist in the intra-governmental response to this significant cyber incident and to identify and pursue the threat actors responsible.
According to various anonymous Washington Post sources, this attack was allegedly orchestrated by the Russian foreign intelligence agency (also known as the SVR, APT29 or CozyBear). Veloxity stated that it had responded to a number of incidents in 2019 and 2020 that it believes are linked to UNC2452 (which it calls @DarkHalo). The intrusions targeted a US-based think tank, and multiple tools, backdoors, and malware implants were found that had allowed the attacker to remain undetected for several years. (1, 2)
A secondary cluster of activity related to this campaign was recently discovered. A webshell was found that also imitates SolarWinds’ Orion product: dubbed SUPERNOVA, it is a DLL that masquerades as the web service that fetches the logo for the Orion application. It was designed to provide the attackers persistent and covert access to systems that download the malicious update. Kaspersky analysts noted that both SUNBURST and SUPERNOVA were signed with SolarWinds SSL certificates within 25 minutes of each other, suggesting these were sub-teams of the same group. (1, 2, 3, 4)
A limited amount of evidence is currently available about the SolarWinds incursion, and the use of techniques that are unfamiliar to most researchers has prevented the attribution of this campaign conclusively to the Russian SVR. However, the choice of targets, breadth of the attack, and TTPs are similar to Russia’s many previous intelligence-gathering campaigns. While the identity of UNC2452 remains unclear, their extensive knowledge of Office365, Azure, Exchange, and PowerShell is in evidence across this attack. (1, 2, 3, 4)
Cyjax Insights
One thing is clear, the SolarWinds attack is one of the largest espionage operations ever seen. The company is an attractive target for a state-sponsored adversary due to the breadth of its access to systems on its customers’ networks. It has already demonstrated that no matter the size of the organisation, or the amount it spends on defence, there is almost always a way to compromise a target.
There is also the implication that further supply chain attacks could have been launched as a result of this breach. Microsoft has also confirmed it was compromised but has publicly denied its software was used to infect customers. However, other software and hardware developers such as Intel, NVidia, Belkin, and Cisco, among others were all also SolarWinds customers that appeared on the DGA (Domain Generation Algorithm) of the SUNBURST backdoor. Prevasio Security also shared an extended list of decoded DGA subdomains. (1, 2)
CISA has urged SolarWinds customers to treat all hosts monitored by the Orion platform as compromised by the threat actors and to assume further persistence mechanisms have been deployed. All hosts should be rebuilt and all credentials used by or stored in SolarWinds software can be considered compromised and should be reset. Further, on 19 December, CISA disclosed evidence that there are “initial access vectors other than the SolarWinds Orion platform.” This follows the detection of additional malicious activity using forged SAML tokens, consistent with UNC2452 exploits. US authorities are working to understand this threat and identify any changes to the group’s TTPs. (source)
An estimated timeline of the SolarWinds attack has been provided courtesy of researchers at DomainTools here.
The SolarWinds Orion products affected in this supply chain compromise are as follows:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Our detailed report containing IOCs, TTPs, and updates is available to Cyjax clients.