By Bhabesh Raj Rai, Associate Security Analytics Engineer
On December 13, 2020, CISA released Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise” in response to the exploitation of SolarWinds Orion products that allows an attacker to gain access to network traffic management systems. CISA has advised agencies to wait until further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software.
SolarWinds has stated in their security advisory that they were investigating an incident that appears to be the product of a highly sophisticated, targeted and manual supply chain attack by a nation-state. SolarWind’s SEC filing on December 14 states fewer than 18,000 customers were impacted by the supply chain hack and stated that the backdoor was inserted within the Orion products and existed in updates released between March and June and was introduced as a result of a compromise of the Orion software build system. It was later known that hackers had already conducted a test run back by adding empty classes in October of last year.
Disconnecting or turning off affected Orion devices is the only known mitigation measure currently available. CISA advises affected agencies to forensically image system memory and/or host operating systems hosting all instances of affected SolarWinds Orion versions and to analyze stored network traffic for indicators of compromise (IoCs).
SolarWinds is a network management system that monitors any systems or devices on the environment including AD, Office 365, AWS, Azure, ESXi and routers. The breach is extremely intrusive because it gives attackers privileged access to all aforementioned systems. Microsoft has stated that more than 40 of its customers were targeted for further exploitation and also highlighted how the list of victims includes not only government agencies, but security and technology firms as well as NGOs, think tanks, etc.
It’s no surprise that an APT attacked a provider like SolarWinds that has access to crucial systems and is a major contractor for the U.S. government. The attackers inserted a backdoor in March and their activity was only recently discovered, meaning the worst-case scenario is the attackers have been lurking inside critical systems, including governments and telecommunications stealing data and spying on employees for months.
FireEye and Microsoft have already released technical reports with instructions on how to identify malicious activity of the malware-laced SolarWinds Orion products. FireEye has also released IoCs to help hunt for SUNBURST– their nomenclature for this malware distributed by trojanized Orion products. Additional IoCs for SUNBURST from other sources are now also available in GitHub.
On December 14, Volexity released a report on how a threat actor, which they named Dark Halo, leveraged this SolarWinds backdoor to breach a U.S.-based think tank organization and conducted a targeted theft of emails from specific employees. Volexity noted on that report that its investigations are directly related to the FireEye report based on overlap between C2 domains and other related indicators.
Using threat intel to detect exploitation in LogPoint
Even with the best tools, organizations can’t completely prevent an ATP attack. When an attack does happen, organizations need to know how to use the available threat intelligence to detect the IOCs.
FireEye’s report advised defenders to alert on loading of NetSetupSvc.dll by svchost which we can easily hunt using Sysmon.
norm_id=WindowsSysmon label=Image label=Load parent_image="C:WindowsSystem32svchost.exe" image="*NetSetupSvc.dll"
Any suspicious file drops by solarwinds.businesslayerhost.exe is an indicator of an attacker using the backdoor.
norm_id=WindowsSysmon event_id=11 source_image="*solarwinds.businesslayerhost.exe" file IN ["*.exe","*.ps1","*.jpg","*.png","*.dll"]
Hashes provided in the released IoCs can be used with Sysmon’s process creation logs for match
norm_id=WindowsSysmon event_id=1 hash IN SOLARWINDS_HASHES
On December 15, a coalition of tech companies were successful to siege and sinkhole avsvmcloud[.]com which was the first domain pinged by the malware after sitting dormant for 12-14 days. DNS lookup logs from various sources like Sysmon, firewalls and Cisco Umbrella can be used to hunt for any domain lookup match from IoCs.
((norm_id=WindowsSysmon label=DNS label=Query) OR label=DNS) query IN SOLARWINDS_DOMAINS) OR ((device_category=Firewall OR event_category=DNS) domain IN SOLARWINDS_DOMAINS)
Process creations of solarwinds.businesslayerhost.exe can be looked for to detect any malicious activity like spawning of PowerShell.
norm_id=WindowsSysmon event_id=1 parent_image="*solarwinds.businesslayerhost.exe" -image IN["*SolarWindsOrionExportToPDFCmd.Exe","*SolarWinds.CredentialsSolarWinds.Credentials.Orion.WebApi.exe",
"*SolarWindsOrionTopologySolarWinds.Orion.Topology.Calculator.exe","*SolarWindsOrionDatabase-Maint.exe",
"*SolarWinds.Orion.ApiPoller.ServiceSolarWinds.Orion.ApiPoller.Service.exe","*WindowsSysWOW64WerFault.exe"]
We can specifically look for encoded PowerShell commands executed by solarwinds.businesslayerhost.exe
norm_id=WinServer event_id=4688 parent_image="*solarwinds.businesslayerhost.exe" image="*powershell.exe" command IN ["*-ec *", "* -enc*"]
After gaining backdoor access, attackers used renamed ADFind for domain enumeration which can be detected by looking for its command line arguments.
norm_id=WinServer event_id=4688 parent_process="*cmd.exe" command="* -f (*"
IDS/IPS like Snort or Suricata can also be used by using rules from FireEye’s released IoCs
(norm_id=Snort OR norm_id=SuricataIDS) message IN ["APT.Backdoor.MSIL.SUNBURST", "Backdoor.BEACON"]
LogPoint has already released three lists: SOLARWINDS_HASHES, SOLARWINDS_DOMAINS, SOLARWINDS_URLS and SOLARWINDS_IPS that contain IoCs released by FireEye as well alerts that help in detection based on IoCs and suspicious activity.
While investigating the SolarWinds hack, it was discovered that attackers had also created a sophisticated, in-memory webshell, named SUPERNOVA, inserted into Orion’s code base. However it has been concluded to be inserted by a different threat actor unrelated to the supply chain compromise. By using the sigma rule for SUPERNOVA, we can easily create detections based of logs from Firewall, Proxy servers, etc.
(url='*logoimagehandler.ashx*clazz*' OR resource='*logoimagehandler.ashx*clazz*')
Activate a full incident response
As IoCs continue to roll out, if you are using an affected version of SolarWinds, assume you are already compromised and immediately activate full incident response. Perform an enterprise-wide IoC sweep first to look for any matches and then proceed to threat hunting with the SolarWinds hosts as the initial infection vector. Also, make sure to temporarily remove exclusion folders related to Orion from EDR/AV so that any malicious DLLs can be scanned by them.
The SolarWinds supply chain hack is so devastating because it gives attackers a wide range of access to almost all systems in the environment. As stated by FireEye, the threat actor using the backdoor had impeccable operational security and in many cases used dedicated infrastructure per intrusion.
APTs use continuous and sophisticated hacking techniques to gain access, indicating how valuable the supply chain hack was to the nation-state attackers. Organizations affected by the compromise are undergoing full incident response by digging into their logs from March onwards and the results may help reveal the threat actor’s motive behind the supply chain compromise.