Posted on December 15, 2020 by Mike Smith
A recent update released by SolarWinds for their Orion IT monitoring and management software contains malware attached, which will open a backdoor for the attackers to enter their target’s network. Using this method, they have already gained access to several private and public organizations, beginning as early as Spring of 2020, and is still running rampant on a global scale. The attack’s resulting damage includes potential data theft, escalation of privileges, and lateral movement inside an otherwise secure internal network. While this campaign’s group has yet to be revealed, it has been established that they are highly skilled and actively striving to cause major compromises to their victims’ operational security.
The malware, now dubbed SUNBURST, is difficult to detect but not altogether impossible. Several Indicators of Compromise (IOCs) have already been established that will help us know whether this attack has taken place on your network.
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers.
The attack’s execution is simple: An update package provided by SolarWinds’ legitimate website for their SolarWinds Orion devices contains a trojan that will open up a backdoor for attackers to enter in through when the update is installed.
A worrying trend we witnessed this year was the increasing use of “double attacks” involving ransomware. While the name can be seen as something of a misnomer, the actual issue comes with groups such as those classified as Advanced Persistent Threats (APTs) increasing the capabilities of their ransomwares to allow for the exfiltration of data in addition to encrypting it. Usually, the parties in question will then threaten to keep the data encrypted and release that data via multiple avenues unless the ransom in question is paid. It is understandable that this can be seen as a double whammy for organizations who need to keep their data secure.
As stated previously, there are several IoCs that we can employ in our threat hunting to establish whether this attack has been perpetrated on your network. A handful of hashes and URLs associated with the trojan have been compiled that we can look for in our log activity history, as well as typical behavior from the network once the backdoor has been put into place, such as using the HTTP protocol to connect out to the internet or the regular 60-second interval we see the host communicating back to the Command and Control (C2) center.
There are still more indicators of compromise we plan to persistently investigate over the coming days to see whether the network/SolarWinds devices have been compromised. Here are several that FireEye has specifically suggested that we will be using to look for any sign of this attack on your network:
We at Braintrace have our security engineers conducting regular threat hunts at all times of the day specifically tailored to find any indication that this attack has taken place in our customers’ networks. We have powerful network monitoring tools, including our proprietary Dragonfly software, at our disposal, all of which will be used expediently and to their fullest potential to search for any IoCs associated with the attack.
The indicators of compromise on this issue are still being fleshed out, and we will continue to monitor the situation as more becomes known and available. Here are some that we know to be effective and which we will use in our threat hunting efforts:
|SHA256||FILE VERSION||DATE FIRST SEEN|