Important information about the SolarWinds Solorigate/Sunburst attack

UPDATE: 21/01/21

The tireless efforts of various security researchers have surfaced critical new information in this case. We are finally seeing the missing link: how the compromised DLL is able to load the Cobalt Strike implant, and what the threat actor's intent was.

Once again, this new evidence shows just how sophisticated adversaries are becoming, and the extreme lengths they are willing to go to in order to evade detection. Now more than ever, attacks of this type show how important it is to use XDR and SIEM products for protection and threat hunting.

The list of articles below represents the most comprehensive threat intelligence we have reviewed on this subject. It is strongly recommended that these articles are reviewed and your organisation checked against the new mitigation and forensic steps.

UPDATE: 07/01/21

Over the holiday period, FireEye published this post with additional technical details on the Sunburst attack. The analysis is detailed and shows additional defence evasion techniques. This new information further demonstrates the sophistication of this attack.

If you are using Azure Sentinel then new analytic rules are available to detect the post-breach behaviour. We recommend enabling these straightaway if you have not done so already.

Image credit: azureblog.ai

If you are not running Azure Sentinel then we advise that you download and run the recently released Sparrow PowerShell script created by CISA’s Cloud Forensics Team here.

This tool will help detect possible compromised accounts and applications in the Azure/Microsoft 365 environment.

ORIGINAL POST: 18/12/20

Transparity Security Analysts have been regularly reviewing the details of the nation-state attack against SolarWinds (known as either Sunburst or Solorigate). This attack is likely to affect your organisation in one way or another, so please take the time to review the information below.

Please note that Transparity do not use SolarWinds Orion; this post is for awareness only.

You may not be running SolarWinds Orion and so may currently be unaffected. However, it is still recommended that you take the time to review the information below, as organisations you interact with in your own supply chain may be using affected SolarWinds products. Please be diligent when opening emails and files that originated outside of your organisation.

For our customers utilising Transparity's Datto RMM service, we are initiating an in-memory scan on all Windows-based devices to check for executables which show signs of infection. Customers will be contacted after the scan if there is any sign of infection.

Attack background

On 13 December 2020, security firm FireEye discovered a supply chain breach in the SolarWinds Orion platform whilst investigating their own breach. This supply chain breach is one of the most sophisticated attacks ever executed. It has been performed by a nation-state group of hackers, thought to originate from Russia. These attackers are highly motivated and agile, and this attack needs to be taken very seriously. More details on the attack can be found below.

High-level attack details

  • This attack is known to affect SolarWinds Orion. It is possible that other SolarWinds products have been compromised, although this is unconfirmed at this time
  • The malware is distributed by a SolarWinds update to their Orion product. The affected build versions are listed in the SolarWinds security advisory: https://www.solarwinds.com/securityadvisory
  • The following builds have been confirmed as affected by the Cybersecurity and Infrastructure Security Agency (CISA):
    • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
    • Orion Platform 2020.2 RC1, version 2020.2.100.12219
    • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
    • Orion Platform 2020.2 and 2020.2 HF1, version 2020.2.5300.12432
  • The compromised update creates a backdoor for the threat actor, who then has persistent access to the compromised system(s)
  • Due to the way in which Orion works and the privileges granted to the service accounts used by the product, it is very likely that this attack gives the threat actor “the keys to the kingdom”
  • This attack is sophisticated and the malicious code is designed to evade detection, which makes it extremely difficult to identify
  • User impersonation is possible, and is one of the adversary's initial objectives. One of the ways this can be achieved is by compromising the SAML signing certificate after escalating privileges


High-level recommendations

  • If you are using an affected version of SolarWinds Orion then you should assume a breach has taken place, regardless of any indicators of compromise being present
  • Devices monitored by affected SolarWinds products should be backed up and rebuilt, ensuring the SolarWinds hotfix is applied
  • If rebuilding is not possible then all SolarWinds binaries should be backed up and then blocked, removed or isolated
  • Block all internet-bound egress from devices running SolarWinds products. Where this is not possible, lock down the ACL to only permit the required traffic
  • Change the password (ensure this is strong and at least 25 characters in length) of, and then disable or remove, any accounts used by SolarWinds products. Be aware that the user accounts used by SolarWinds products are almost always over-privileged
  • Ensure local accounts are also covered by the above recommendation, not just domain accounts. This should be extended to any device-based accounts, such as those used on switches, routers, wireless controllers, SAN, NAS, etc.
  • Review logs for privilege account creation or privileges granted to existing accounts
  • Review logs for anomalous logins
  • Review logs for network traffic that may be command and control traffic (use the below links to gather the beacons, DNS records and IP addresses)
  • If you have the tooling in place, perform proactive threat hunting using the links below
  • Ensure MFA is being used where possible
  • Have all users change their passwords or force a password change
  • Ensure your EDR/AV protection is up to date, fully patched and then run a full scan
  • Ensure your operating systems and applications are up to date and fully patched
  • Unaffected builds of SolarWinds Orion should be patched as per the SolarWinds security advisory
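As an added example (not part of the original post or of any SolarWinds tooling), the sketch below shows how the three log-review recommendations above can be run as one hunt over Windows Security events, scoped to the service accounts a SolarWinds product runs under. The account names and all events are constructed; the event IDs are the standard Windows Security log IDs for account creation, privileged group membership changes and logons.

```python
"""Hunt for privilege grants, account creation and anomalous logons
performed by SolarWinds service accounts (added example, constructed data)."""
from collections import defaultdict

# Hypothetical service-account names; replace with the accounts your
# Orion installation actually runs under.
SOLARWINDS_ACCOUNTS = {"svc_orion", "svc_solarwinds"}

ACCOUNT_CREATED = 4720            # A user account was created
PRIV_GROUP_ADD = {4728, 4732, 4756}  # Member added to a security-enabled group
LOGON = 4624                      # An account was successfully logged on

# Constructed sample Security-log events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4624, "subject": "svc_orion", "src_ip": "10.0.0.5"},
    {"id": 4624, "subject": "svc_orion", "src_ip": "10.0.0.5"},
    {"id": 4720, "subject": "svc_orion", "target": "backupadm"},
    {"id": 4728, "subject": "svc_orion", "target": "backupadm",
     "group": "Domain Admins"},
    {"id": 4624, "subject": "svc_orion", "src_ip": "203.0.113.77"},
    {"id": 4624, "subject": "jsmith", "src_ip": "10.0.0.9"},
]


def hunt(events, accounts=SOLARWINDS_ACCOUNTS, baseline_ips=None):
    """Return (reason, event) findings for the given service accounts.

    baseline_ips maps an account to source IPs already known to be normal;
    without a baseline, the first logon source seen for an account is
    treated as the baseline and later new sources are flagged."""
    seen = defaultdict(set)
    for account, ips in (baseline_ips or {}).items():
        seen[account].update(ips)
    findings = []
    for ev in events:
        subject = ev.get("subject")
        if subject not in accounts:
            continue                      # only the over-privileged accounts
        if ev["id"] == ACCOUNT_CREATED:
            findings.append(("account created by service account", ev))
        elif ev["id"] in PRIV_GROUP_ADD:
            findings.append(("privileged group membership granted", ev))
        elif ev["id"] == LOGON:
            ip = ev.get("src_ip")
            if seen[subject] and ip not in seen[subject]:
                findings.append(("logon from previously unseen source", ev))
            seen[subject].add(ip)
    return findings


if __name__ == "__main__":
    for reason, ev in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
```

Feeding exported events into `hunt()` with a `baseline_ips` map built from a known-good period reduces the logon noise to genuinely new sources.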


Reference articles


Contact us

If you are concerned that you have been affected and would like to speak to our team of experts about remedial work, please email us at hello@transparity.com.