Reading:
Sunburst/Solorigate SolarWinds Supply Chain Backdoor Attack

Sunburst/Solorigate SolarWinds Supply Chain Backdoor Attack

by rootsun
December 15, 2020

What you need to know

Nation-state threat actors breached the supply chain of SolarWinds in order to infiltrate its customers including U.S. government agencies and Fortune 500 companies.

On December 13, 2020, the security vendor FireEye provided details on a supply chain attack campaign involving a trojanized software update of the SolarWinds Orion platform, which is used by organizations to monitor and manage IT infrastructure. FireEye named the campaign as UNC2452 and has further named the backdoor as SUNBURST (Microsoft has labeled it SOLORIGATE). SolarWinds has also issued an advisory for this critical incident.

In this blog post, we’ll provide a simplified explanation of what happened.

What happened?

Threat actors – claimed to be linked to Russia’s Hacker Group APT 29 a.k.a “Cozy Bear” – breached the U.S. Treasury and Commerce departments, along with other government agencies, as part of a global espionage campaign that stretches back to March 2020. The actors behind this campaign gained access to numerous public and private organizations around the world via trojanized updates to SolarWinds Orion IT monitoring and management software. The U.S. National Security Council held an emergency meeting to discuss the situation.

How did it happen?

The organizations were breached through the update server of SolarWinds – which is one of the most ubiquitous network management systems (NMS). This is a supply chain attack trojanizing SolarWinds Orion software updates in order to distribute malware called SUNBURST (Microsoft labeled the attack as Solorigate). According to the Department of Homeland Security’s Emergency Directive, 21-01 [1], SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors.

When did it happen?

SolarWinds CEO says the vulnerability is related to “updates released between March and June 2020” and it involved a “highly-sophisticated, targeted and manual supply chain attack by a nation-state.” Of course, it’s early days however the initial signs suggested that the breach was long-running and significant. New IOCs could light up a world of new compromises in the following weeks or months.

Why is SolarWinds a good target?

Because they have access to most systems on the network including critical servers. Network Management Systems (NMS) use SNMP or an installed agent to learn the status of remote devices and in addition to this, they can manage and modify configurations, etc.

Is this serious?

Yes, it’s serious because Solarwinds’ products and services are used by more than 300,000 customers worldwide including the military, Fortune 500 companies, government agencies, and education institutions. The security vendor FireEye says in a blog post that they detected this malicious activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East. It’s highly possible that there are additional victims in other countries and verticals.

Am I affected?

If you’re a customer of SolarWinds and run the Orion software, there’s a significant security risk in your organization due to this compromise at SolarWinds. Running a compromised version of SolarWinds Orion may give the attackers full access to the device and the information stored on it. It also gives a foothold to collect credentials of privileged users and may serve as a jump-point in your network to attack other devices. If the malicious software is able to get a hold of SAML signing certificates, it may be able to make SAML tokens for even the highest privileged accounts in Azure Active Directory.

Is this attack related to a specific CVE?

Based on the information we have, currently, the answer is NO. This is a supply-chain attack where the attackers were able to manually inject malware into the SolarWinds installer using a flaw and without anyone noticing.

Any notes for customers of MSSPs?

It’s known that MSSP (Managed Security Service Providers) rely on SolarWinds’ products for remote access to servers, workstations, and network equipment however Orion is not often included in the MSSP toolset of SolarWinds. Still, it’s recommended to make sure your MSSP closely monitors the situation and takes the recommended mitigation actions as soon as possible.

What should I do at this point?

If you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1, CISA recommends disabling internet access for the Orion platform or having your Orion Platform installed behind firewalls, limiting the ports and connections to only what is necessary.

The upgrade is also available to Orion Platform version 2020.2.1 HF 1 to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal.

If you’ve sufficient resources and threat hunting/modeling knowledge, check log retention, and archive whatever you have. You can also consider monitoring and alerting on any attempted access.

Are there any available IOCs?

You can make a quick check for the following indicators:

  1. SolarWinds.Orion.Core.BusinessLayer.dll
  2. Possible locations

    • %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
    • %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\\SolarWinds.Orion.Core.BusinessLayer.dll
  3. Malicious hashes
    • Signer: “Solarwinds Worldwide LLC”
    • SignerHash: “47d92d49e6f7f296260da1af355f941eb25360c4”
  4. The existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
  5. Review the DNS logs for avsvmcloud[.]com5.
    For more IOCs visit FireEye’s Github Repository for SUNBURST countermeasures. [5]

More OSINT research with comments

  1. Analyst comments
    The affected software in question is SolarWinds Orion. They are pervasive throughout networks because a lot of their products run “agents” on servers and clients alike. Due to the many undetected factors (e.g. how did they get into a digitally-signed component of SolarWinds?), it is not yet known which versions are and are not malicious. Also, hacks of this type take exceptional tradecraft and time. If this is a supply chain attack using trusted relationships, it’s really hard to stop. On the other hand, the scope could be huge since this has been underway for many months. There’s no magic bullet to reverse all those compromises. It’s also worth pointing out that the attackers usually deletes the backdoor and establishes persistence after compromise.
  2. SolarWinds was notified of an exposed GitHub repository by a security researcher back in November 2019.
    Learn more
  3. Detection rate of SUNBURST backdoor on VirusTotal is 25/69 (as of December 14, 2020, 6.00 p.m. GMT).
    Learn more
  4. Quick Shodan search for internet-exposed SolarWinds Orion product.
    Learn more
  5. Solorigate IOCs based on Global Telemetry of Microsoft.
    Learn more
  6. SolarWinds SEC filings
    It notified 33,000 customers of its recent hack, but that only 18,000 used a trojanized version of its Orion platform.
    Learn more
  7. Analysis of compromised code package with screenshots
    Learn more

How can SOCRadar help?

To reduce the impact, SOCRadar’s customers can utilize Vulnerability Tracking and Threat Feeds/IOCs screens which can help you quickly take action when this kind of critical security incident happens. You can easily enter the product names within your asset inventory or keywords you’d like to monitor for vulnerability incidents and critical flaws. Then the platform will generate an email alert and deliver right into your inbox whenever there are new updates, tweets or news found across the surface, deep and dark web. IOCs associated with threat actors or APT groups can be also provided through SOCRadar API.

For protection against supply chain attacks, SOCRadar also continuously monitors code repositories like GitHub to make sure your intellectual property or important credentials are not exposed or forgotten publicly.


Get more information
[1] https://cyber.dhs.gov/ed/21-01
[2] https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
[3] https://www.solarwinds.com/securityadvisory
[4] https://isc.sans.edu/diary/rss/26884
[5] https://github.com/fireeye/sunburst_countermeasures