Last week our industry exploded with a staggering amount of data on the Solarwinds Orion monitoring software which compromised with a backdoor between May and June of 2020. We’d like to provide a little background and some distilled information for our readers.
About SolarWinds and SunBurst
SolarWinds Orion Network Management Solution (NMS) has come under scrutiny as being the initial vector of attack for APT29/Cozy Bear, with specific compromises discovered in several US government agencies and one public sector cybersecurity company, FireEye. While much of the information is not yet clear about whether or not these were attacks against specific targets, it is possible to surmise that approximately 18,000 to 33,000 possible SolarWinds customers could be affected.
SunBurst is the name given to the backdoor inserted to the core functionality of the SolarWinds Orion NMS code management system. This probable compromise of the internal build or distribution system subsequently downloaded the backdoor to platform customers via automatic updates. SunBurst is a Command and Control (C2) method, allowing full control of the SolarWinds Orion platform and underlying operating system. This is of particular concern as often NMS installations have ties to monitor and configure a wide range of other technology components within an organization, including Windows Active Directory, credential management, network configuration, firewall management, and network intrusion detection. This could allow an attacker to modify any of these systems, cover their tracks, and evade detection across all of the platforms managed by the NMS.
The compromise of the SolarWinds infrastructure is leading to a very complex discovery and incident response process. As time goes on, more and more pieces of the puzzle unfold: the complexity of all of the affected enterprises, and to what extent they are affected. Some are estimating that it may be years before we understand the full extent of the compromise and have a full recovery. In addition to the recommendations, we should continue following the unfolding story, while tempering what we hear and read: We have already seen some incomplete information, as well as patently wrong or misleading declarations. See the Recommendation section for some reputable sources.
Some of the more recent discoveries include the decoding of the apparently random hostnames within DNS, indicating 346 unique hostnames for the identified C2 domain. With some analysis of the SunBurst malware code and the Domain Generation Algorithm (DGA), researchers were able to determine that the seemingly random data was indicative of system and domain names of affected organizations.
We are also hearing reports of secondary fallout from other companies being compromised outside of the US government, including various state and county government assets as well as those in private industry. At this time Microsoft and Cisco are commenting publicly.
Specifically, SolarWinds customers should perform the following steps:
- Verify whether or not your organization has implemented the Orion NMS platform, or any of the identified solutions from SolarWinds noted at their advisor
- Compare the SHA256/SHA1/MD5 hashes of SolarWinds.Orion.Core.BusinessLayer.dll to known ‘bad’ versions to determine compromise. If the versions present on one’s current implementation does not match known versions, consider uploading to various online analysis services. There is no current list of hashes for known ‘good’ versions. If known bad versions are discovered, the organization should implement its Incident Response plan immediately in order to assess risk and next steps.
- Investigate collected logs to determine if systems on the enterprise network have contacted domains known to be associated with SunBurst C2 servers. If affirmative, the organization should implement their Incident Response (IR) plan immediately in order to assess risk and next steps. Specifically, in this case, TrustedSec has compiled an IR playbook at https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/
- Determine when the last software update to SolarWinds Orion NMS was performed, and observe if it falls within the appropriate timeframe for updates based on organizational policy. While the lack of updates, in this case, could have prevented compromise, it is very much an outside case. Systems with critical/elevated access should be properly maintained, but now with more attempts at scrutiny at the updates and the vendor providing them.
Overall recommendations include the adoption of strict egress firewall rules to prevent the NMS from reaching out to any host on the internet. If internet access is required for product updates, internet access should only be available for the limited time of that upgrade action. Additionally increased monitoring should be enacted, with the FireEye YARA rules as a base, noting that subsequent attacks will evolve.
Non-SolarWinds Orion customers should consider implementing the overall recommendations for any other NMS that may be in use.
Additionally, it is recommended to follow along in new data on discoveries from reputable sources such as those noted below:
- Microsoft Security Blog: https://www.microsoft.com/security/blog/
- Krebs on Security, often breaking news on SunBurst (and others), with possible speculative information: https://krebsonsecurity.com/
- SolarWinds Security Advisory, updated when new information is discovered: https://www.solarwinds.com/securityadvisory
- Cybersecurity and Infrastructure Security Agency (CISA) Alerts: https://us-cert.cisa.gov/ncas/alerts
- Reuters Technology News: https://www.reuters.com/news/technology
- Kim Zetter: https://twitter.com/KimZetter
YARA rules to detect sunburst https://github.com/fireeye/sunburst_countermeasures
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Customer Guidance on Recent Nation-State Cyber Attacks https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Broad Cyber Espionage Campaign Follows Supply Chain Attack on SolarWinds https://duo.com/decipher/broad-cyber-espionage-campaign-follows-supply-chain-attack-on-solarwinds