SolarWinds: Supply Chain Attack

  • by

What’s Happened? 

There has been a massive and very sophisticated supply chain cyberattack, recently discovered in the US, allegedly perpetrated by an adversary nation-state using compromised Orion business software of US based IT management software firm ‘SolarWinds’, which was targeted against the US government, its agencies and several other private companies. This is now likely becoming a global cyberattack as various companies continue to analyse and discover their exposure and extent of hack. 

How did it Happen? 

This global intrusion campaign involved hackers compromising the infrastructure of SolarWinds through a series of events as mentioned below: 

  • The attackers gained access to elevated credentials through the vulnerable source code of the Orion platform of SolarWinds. The Orion Platform is used by US federal agencies and many Fortune 500 companies to monitor the health of their IT networks. 
  • Once in the network, the attacker acquires administrative permissions to forge trusted SAML tokens to impersonate any of the organization’s existing users and accounts and make API calls with the permission assigned to that application. 
  • The attackers further used this access to distribute trojanized software updates to SolarWinds customers. This trojanized component called SUNBURST is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.  
  • The backdoor was used to deliver a malware dropper called TEARDROP, which after an initial dormant period, started retrieving and executing commands by masquerading its network traffic and blending in with the legitimate SolarWinds activity. 
  • To avoid detection, attackers used temporary file replacement techniques to remotely execute their tools by following the delete-create-execute-delete-create pattern and keeping their malware footprint very low during lateral movement. 
  • As customers install this counterfeit update, the malware will attempt to resolve a Command and Control (C2) domain, mimicking normal SolarWinds API communications. Thus, compromising millions of machines across the globe successfully. 
  • Hacked networks were seen communicating with a malicious domain name registered under GoDaddy. avsvmcloud[.]com – was one of several domains the attackers had set up to control affected systems.  

Mitigation Strategy 

FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections. Domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers.  

The control over the domain was transferred to Microsoft and the domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate under some circumstances, i.e.: Depending on the IP address returned when the malware resolves avsvmcloud[.]com, the malware would terminate itself and prevent further execution. 

The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. Therefore, uncovering the malicious IP addresses that may be masquerading as the organization. 

Examination of SMB logs reveal the access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time using variable file names. 

SolarWinds issued a security advisory urging its customers to update to version 2020.2 HF 1 of its Orion Platform. It also released an additional hotfix 2020.2.1 HF 2 on Orion. 

Recommendations 

  • We should consider mapping your attack surface since major business partners (Microsoft, CISCO, Intel) were compromised in the supply chain attack. 
  • Limit destinations on the edge, i.e.: DNS, proxy and think Zero-Trust networking. 
  • Threat Intel team to conduct threat hunts across the length and breadth of the corporate network and prioritize unusual activities logged during volumetric analysis of events. 
  • Sensor Management Team to alert on events by creating new SIEM rules based on the signatures revealed by FireEye, CISA and several public institutions to manage our attack surface better. 
  • SOC to monitor for intrusions and log events continuously and the Incident Response team to investigate as required.  
  • Vulnerability Management team to patch the SaaS applications regularly to prevent supply chain attacks. 
  • The need for security should be considered as a part of the vendor selection process.