In December 2020, SolarWinds, a software company based in Austin, Texas, disclosed that the build and distribution chain of its Orion IT monitoring and management platform had been compromised; the trojanized Orion updates and the backdoor they carried are known as "SUNBURST" [1] or "Solorigate" [3]. The breach is significant because SolarWinds reports more than 300,000 customers for its products, including Microsoft, Intel and Cisco, as well as U.S. federal agencies such as the Federal Reserve, the National Security Agency (NSA), the Centers for Disease Control and Prevention (CDC) and potentially the Office of the President of the United States [4]. The operation was carefully planned and meticulously executed: the malicious updates were distributed from roughly March 2020 onward and went undetected by security professionals for months. Up to 18,000 customers may have installed a trojanized update, although the attackers selected only a small subset of those for follow-on activity and delivered second-stage malware only to targets of interest. Now that the backdoor has been identified and analysed in detail by security researchers, affected organisations have concrete indicators and remediation guidance to work from.
Vulnerability
The attackers inserted a backdoor into SolarWinds.Orion.Core.BusinessLayer.dll, a dynamic link library (DLL) shipped with Orion updates and carrying a valid SolarWinds digital signature, "that contains a backdoor that communicates via HTTP to third party servers" [1]. Because the file was legitimately signed, signature verification alone would not flag it. Once the DLL is loaded on a system it remains dormant for up to two weeks; then "it retrieves and executes commands, called 'Jobs', that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services" [1]. The backdoor disguises its network traffic as the legitimate "Orion Improvement Program (OIP) protocol" [1], so its command-and-control exchanges blend in with ordinary Orion telemetry. Separately, it uses several "blocklists to identify forensic and anti-virus tools via processes, services, and drivers" [1], and stays dormant or exits when such tools are present.
Technical Breakdown
Solorigate has been widely described, by Microsoft among others, as one of the most sophisticated cyber-attacks ever seen, and it caught many organisations off guard. The adversaries hid the malicious code well: it is invoked from a method named RefreshInternal in the class SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager, which runs as part of a scheduled background inventory task, so the backdoor starts as a side effect of routine Orion work. The backdoor itself lives in the class OrionImprovementBusinessLayer and consists of 13 subclasses and 16 methods blended in with the legitimate code. To make it even harder to detect, "the strings in the backdoor are compressed and encoded in Base64, or their hashes are used instead" [3].
When the backdoor is loaded, it first goes through a reconnaissance phase in which it looks for conditions that could lead to its detection. It checks that enough time has passed since it was installed, a randomised delay of 12 to 14 days measured from the DLL's last write time, so that a sandbox or test system that runs the update once sees nothing. It checks that it is not in a test environment, for example by confirming that the host is domain-joined and by comparing the hostname and domain name against blocklisted values. It also looks for security and analysis software that might observe its activity on the system. If any of these checks fails, the backdoor terminates rather than risk detection.
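The hashed-blocklist trick described above, as an added illustration written for this page (it is not SUNBURST's code and the hash values it produces are not the ones found in the malware): the backdoor stored only hashes of the process, service and driver names it wanted to avoid, so the names never appear as strings in the binary. Plain 64-bit FNV-1a is used here for clarity (an assumption; the real backdoor used a modified FNV-1a), the tool list and the sample process list are constructed, and the `recover_blocklist` function shows the defender's counter-move: because the hash is unkeyed, a wordlist of known tool names maps the opaque values back to names.

```python
# Added illustration of the hashed-blocklist evasion technique; not SUNBURST's code.
# The attacker ships only BLOCKLIST (64-bit integers); TOOL_NAMES never reaches
# the binary.  Plain FNV-1a is an assumption for clarity: the real backdoor used
# a modified FNV-1a, so its constants and hash values differ from these.

FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a64(text: str) -> int:
    """Standard 64-bit FNV-1a over the UTF-8 bytes of the lowercased string."""
    h = FNV_OFFSET
    for byte in text.lower().encode("utf-8"):
        h ^= byte
        h = (h * FNV_PRIME) & MASK64
    return h


# Constructed tool list for the example.
TOOL_NAMES = ["procexp", "procmon64", "wireshark", "autoruns", "x64dbg", "fiddler"]
BLOCKLIST = frozenset(fnv1a64(name) for name in TOOL_NAMES)


def image_name(process: str) -> str:
    """Strip the extension so 'Wireshark.exe' is compared as 'wireshark'."""
    return process.rsplit(".", 1)[0]


def blocked_processes(running):
    """Attacker's view: which running processes hit the hashed blocklist.

    Returns the matching entries in their original spelling, sorted.
    """
    return sorted(p for p in running if fnv1a64(image_name(p)) in BLOCKLIST)


def should_abort(running) -> bool:
    """The gate the backdoor applied: any hit means stay dormant or exit."""
    return bool(blocked_processes(running))


def recover_blocklist(hashes, candidates):
    """Defender's view: map each opaque hash back to a tool name using a
    candidate wordlist.  Hashes with no candidate map to None."""
    table = {fnv1a64(c): c for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed sample, as a defender might see in a process listing.
SAMPLE_PROCESSES = ["svchost.exe", "Wireshark.exe", "explorer.exe", "procmon64.exe"]

if __name__ == "__main__":
    print("blocked:", blocked_processes(SAMPLE_PROCESSES))
    print("abort:", should_abort(SAMPLE_PROCESSES))
    print("recovered:", recover_blocklist(sorted(BLOCKLIST), TOOL_NAMES + ["notepad"]))
```

The asymmetry is the point: static string scanning of the DLL finds nothing, yet an analyst with the hash function and a list of common forensic tools recovers the whole blocklist in milliseconds, which is exactly how the real SUNBURST blocklists were reconstructed.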
After the reconnaissance phase, Solorigate behaves like a more conventional implant. It uses a command-and-control (C2) server to receive commands and to return results to the attackers. The C2 hostname it resolves is built from four labels, three of them hardcoded and one generated per victim: [dynamic_part].appsync-api.[one of eu-west-1, us-west-2, us-east-1, us-east-2].avsvmcloud.com. The dynamic part encodes a user ID derived by hashing the physical (MAC) address of the network interface, the machine's domain name and the MachineGuid registry value, together with an encoding of the victim's domain name, which is why analysts were later able to identify victims from passive DNS records alone. The DNS answer steers the backdoor to the real C2 host, to which it sends HTTP requests with partly randomised URL paths; the JavaScript Object Notation (JSON) request body carries the collected system information padded with irrelevant data. If the exchange succeeds, the C2 server returns an encoded response containing commands to execute. "In a nutshell, these commands allow the attackers to run, stop, and enumerate processes; read, write, and enumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or exit" [3]. Once the attackers had backdoor access, they used standard post-exploitation tactics such as privilege escalation, discovery and credential theft to pivot across the network and gather information. As more organisations complete their investigations, more detail on how the individual intrusions resembled and differed from one another will emerge.
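The DNS pattern above is the most reliable retrospective indicator, since every infected host had to resolve a generated label under appsync-api.<region>.avsvmcloud.com before it could do anything else. The following hunt over resolver logs is an added example written for this page, not code from the original article or from any vendor; the log format and the generated labels are constructed (they are not real victim indicators), and the four region labels are those published in FireEye's indicators [1]. It flags exact beacon-shaped queries separately from any other lookup of the sinkholed domain, so the two tiers can be triaged differently.

```python
# Added detection example (not from the original page or any vendor tool):
# hunt DNS resolver logs for the SUNBURST beacon pattern.  Log format and the
# generated labels are constructed for this example.
import re
from collections import Counter

SUNBURST_REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")

# A long generated label, then the three fixed labels.
C2_PATTERN = re.compile(
    r"^(?P<label>[a-z0-9]{8,})\.appsync-api\."
    r"(?P<region>" + "|".join(re.escape(r) for r in SUNBURST_REGIONS) + r")"
    r"\.avsvmcloud\.com$",
    re.IGNORECASE,
)

# Constructed log lines: "<timestamp> <client-ip> <qtype> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2020-06-15T10:02:11Z 10.0.5.21 A api.solarwinds.com NOERROR
2020-06-15T10:02:12Z 10.0.5.21 A 0vmhjk3qo4lb2s7r3a1z.appsync-api.us-west-2.avsvmcloud.com NOERROR
2020-06-15T10:05:40Z 10.0.7.8 A www.example.org NOERROR
2020-06-15T10:09:03Z 10.0.5.21 A 0vmhjk3qo4lb2s7r3a1z.appsync-api.us-west-2.avsvmcloud.com NOERROR
2020-06-15T10:11:59Z 10.0.9.4 A k2j9d0s8bxq1aaa7h3pq.appsync-api.eu-west-1.avsvmcloud.com. NOERROR
2020-06-15T10:12:01Z 10.0.9.4 A cdn.avsvmcloud.com NXDOMAIN
2020-06-15T10:13:30Z 10.0.9.4 A app.appsync-api.ap-south-1.avsvmcloud.com NOERROR
"""


def parse_line(line):
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, rcode = parts
    # Normalise: drop a trailing root dot and fold case before matching.
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower(), "rcode": rcode}


def classify(qname):
    """Two tiers: exact beacon shape, or any other query under the C2 domain."""
    m = C2_PATTERN.match(qname)
    if m:
        return ("sunburst-beacon", m.group("region"))
    if qname == "avsvmcloud.com" or qname.endswith(".avsvmcloud.com"):
        return ("avsvmcloud-domain", None)
    return (None, None)


def hunt(log_text):
    """Return every suspicious record with its verdict and matched region."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, region = classify(rec["qname"])
        if verdict:
            hits.append({**rec, "verdict": verdict, "region": region})
    return hits


def clients_by_verdict(hits):
    """Count hits per (client, verdict) so repeat beaconing stands out."""
    counts = Counter()
    for h in hits:
        counts[(h["client"], h["verdict"])] += 1
    return counts


if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG)
    for h in found:
        print(h["ts"], h["client"], h["verdict"], h["region"], h["qname"])
    print(clients_by_verdict(found))
```

A beacon hit from a Windows server running Orion is high-confidence even when the resolver returned NXDOMAIN, because the backdoor was sinkholed in December 2020 and still keeps trying; a host that resolved the pattern repeatedly during March to December 2020 should be treated as compromised and the second-stage indicators (TEARDROP, Cobalt Strike) checked next.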
Impact
SolarWinds has stated that up to 18,000 of its customers may have installed the trojanized update. Investigations are still ongoing, so the full scope of the attack is not yet known. On a subset of systems the backdoor also delivered a "memory-only dropper" that FireEye named TEARDROP, which in turn decoded and loaded a Cobalt Strike Beacon payload [1].
Mitigation
Without knowing the full extent of the damage, preventing further infection and quarantining possibly infected servers is the best immediate mitigation. At a minimum, the credentials of every account that accessed an infected or possibly infected system must be rotated, since credential theft was part of the attackers' playbook. Do not simply apply an upgrade to an infected system in place: doing so can destroy forensic evidence the investigation needs. Isolate the system, preserve an image of it, and build a replacement on a clean base with the patched Orion version. Deploying security tooling such as Microsoft 365 Defender and Azure Sentinel, and operating under the assumption that the environment is already breached, are how security teams can limit the effects of an attack of this scale.
Relevance
With an attack this widespread, the consequences will likely be felt for years to come. The attackers reportedly gained access to high-level targets, including within the Department of Defense (DoD), and may have left additional backdoors for later access or future attacks. Few SolarWinds customers have yet stated what was accessed or taken, presumably because most are still investigating the attack and working on countermeasures to prevent further damage.
References
[1] FireEye. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.” FireEye, 13 Dec. 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.
[2] Seals, Tara. "SolarWinds Hack Potentially Linked to Turla APT." Threatpost, 11 Jan. 2021, https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/.
[3] "Deep Dive into the Solorigate Second-Stage Activation: From SUNBURST to TEARDROP and Raindrop." Microsoft Security Blog, 20 Jan. 2021, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.
[4] Seals, Tara. "SolarWinds Hack Potentially Linked to Turla APT." Threatpost, 11 Jan. 2021, https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/ (same article as [2]).