Solarwinds Orion and Sunburst

Introduction

US departments of Commerce and Treasury were victims to the same threat vector that was exploited at FireEye. As organizations that have Solarwinds Orion installed conduct forensics on their environment, we will see the impact of this backdoor. Brian Krebs has posted a list of organizations that were using Orion in this blogpost U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

SolarWinds recently filed an SEC report indicating that, while they have over 300,000 customers, fewer than 18,000 customers were running the trojanized version of the Orion software.

My post Asset Management! Why is it Important in Cyber Security? highlights the importance of asset management and this attack is the prime example.

Who was behind this attack?

The stealth with which the perpetrators executed this attack has the signatures of Cozy Bear or APT29. Which seems to operate with a light malware footprint, avoids detection, prioritizing stealth, and going at lengths to blend with normal network activity. was behind this attack. APT29 is believed to the supported by Russia’s SVR or FSB.

However, it is still unclear who was behind this attack. Security researchers a busy pinning the tail on the donkey and are calling this donkey what they will. For instance, FireEye is calling this APT UNC2452, whereas Palo Alto Unit42 is calling it SolarStorm. to avoid crediting the wrong APT.

What should the customers do?

The backdoor, Sunburst, was introduced in Solarwinds Orion software builds 2019.4HF –> 2020.1.1 which were released between March 2020 and June 2020.

Solarwinds is advising their clients to update to version 2020.2.1.HF2, which is scheduled to be released on 15th December 2020.

Microsoft and FireEye have already released updates to their security platforms to detect and neutralize Sunburst.

How did this happen?

This is by far the most sophisticated supply chain attack. FireEye calls this malware sunburst

This malware has been embedded in SolarWinds.Orion.Core.BusinessLayer.dll by AP29 around March 2020. The impacted builds are 2019.4HF –> 2020.1.1 which were released between March 2020 and June 2020.

This malware remains dormant for up to a period of two weeks, after which it wakes up and makes contact to a domain avsvmcloud[.]com to retrieve and execute commands. The capabilities include the ability to transfer and execute files, reboot ad disable systems services on the target host. To avoid detection all communications are masqueraded as the Orion Improvement Program (OIP) protocol.

It has been observed delivering multiple payloads, mostly focused on memory-only droppers, such as the FireEye-dubbed TEARDROP and Cobalt Strike BEACON.

References