Law Technology Digest -- Home

Sunburst: the SolarWinds Orion Vulnerability

Posted on December 15, 2020 by Mike Smith

OVERVIEW

A recent update released by SolarWinds for their Orion IT monitoring and management software contains malware attached, which will open a backdoor for the attackers to enter their target’s network. Using this method, they have already gained access to several private and public organizations, beginning as early as Spring of 2020, and is still running rampant on a global scale. The attack’s resulting damage includes potential data theft, escalation of privileges, and lateral movement inside an otherwise secure internal network. While this campaign’s group has yet to be revealed, it has been established that they are highly skilled and actively striving to cause major compromises to their victims’ operational security.

The malware, now dubbed SUNBURST, is difficult to detect but not altogether impossible. Several Indicators of Compromise (IOCs) have already been established that will help us know whether this attack has taken place on your network.

The Attack

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers.

The attack’s execution is simple: An update package provided by SolarWinds’ legitimate website for their SolarWinds Orion devices contains a trojan that will open up a backdoor for attackers to enter in through when the update is installed.

A worrying trend we witnessed this year was the increasing use of “double attacks” involving ransomware. While the name can be seen as something of a misnomer, the actual issue comes with groups such as those classified as Advanced Persistent Threats (APTs) increasing the capabilities of their ransomwares to allow for the exfiltration of data in addition to encrypting it. Usually, the parties in question will then threaten to keep the data encrypted and release that data via multiple avenues unless the ransom in question is paid. It is understandable that this can be seen as a double whammy for organizations who need to keep their data secure.

METHODOLOGY

As stated previously, there are several IoCs that we can employ in our threat hunting to establish whether this attack has been perpetrated on your network. A handful of hashes and URLs associated with the trojan have been compiled that we can look for in our log activity history, as well as typical behavior from the network once the backdoor has been put into place, such as using the HTTP protocol to connect out to the internet or the regular 60-second interval we see the host communicating back to the Command and Control (C2) center.

There are still more indicators of compromise we plan to persistently investigate over the coming days to see whether the network/SolarWinds devices have been compromised. Here are several that FireEye has specifically suggested that we will be using to look for any sign of this attack on your network:

Tracking login activity to see if one system is authenticating to several other systems is not normal behavior from a legitimate user.
If an attacker has gained access to the network with compromised credentials, they typically try to move laterally using multiple different credentials and access even more systems.
The credentials used for lateral movement are different from those used for remote access. Such different credentials from the same external/suspicious IP address
Another strategy employed by the attacker is to replace legitimate files, tools, and utilities with their own once they have gained access to their target’s environment. Looking through logs of previous SMB sessions is a good idea to see if any deletion of valid files or new, malicious files has taken place.
Querying internet-wide scan data sources for an organization’s hostnames will help us uncover unsafe IP addresses that might be trying to pretend to be the actual organization.
The attacker’s choice of IP addresses is also optimized to avoid detection. The attacker primarily uses only IP addresses originating from the same country as the victim, taking advantage of Virtual Private Servers, so domestic IP addresses must also be treated as potential sources of malicious behavior.

MOVING FORWARD

We at Braintrace have our security engineers conducting regular threat hunts at all times of the day specifically tailored to find any indication that this attack has taken place in our customers’ networks. We have powerful network monitoring tools, including our proprietary Dragonfly software, at our disposal, all of which will be used expediently and to their fullest potential to search for any IoCs associated with the attack.

The indicators of compromise on this issue are still being fleshed out, and we will continue to monitor the situation as more becomes known and available. Here are some that we know to be effective and which we will use in our threat hunting efforts:

URLs:

.appsync-api.eu-west-1[.]avsvmcloud[.]com

.appsync-api.us-west-2[.]avsvmcloud[.]com

.appsync-api.us-east-1[.]avsvmcloud[.]com

.appsync-api.us-east-2[.]avsvmcloud[.]com

avsvmcloud[.]com

IPs

96.31.172.0/24

131.228.12.0/22

144.86.226.0/24

SHA256	FILE VERSION	DATE FIRST SEEN
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77	2019.4.5200.9083	Mar-20
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b	2020.2.100.12219	Mar-20
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed	2020.2.100.11831	Mar-20
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77	Not available	Mar-20
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c	2020.4.100.478	Apr-20
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134	2020.2.5200.12394	Apr-20
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6	2020.2.5300.12432	May-20
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc	2019.4.5200.8890	Oct-19
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af	2019.4.5200.8890	Oct-19