SolarWinds Breach Used to Infiltrate Customer Networks (Solarigate)

Published: 2020-12-14
Last Updated: 2020-12-15 13:22:11 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

[This is a developing story and will likely be updated as we learn more details. ]

We are preparing a webcast for 5 pm EST (22:00 UTC)

SolarWinds today announced that its product was apparently used to breach multiple high profile organizations [1].  One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach the network [6].

SolarWinds was apparently compromised early in 2020. The attackers used the access they gained to the SolarWinds network to add a backdoor to a key library that is part of SolarWinds. This modified library was delivered to selected SolarWinds customers via the normal SolarWinds update process. SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 are potentially affected (Solarwinds states that 2020.2.1 HF 1 is safe. CISA considers that version affected).

According to SolarWinds' statement, updates to the Orion product released between March and June of 2020 are affected. The SolarWinds Orion Platform is an IT management platform that will centralize IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things.

Currently, the following names are used for the attack:

  • Microsoft labeled the attack "Solarigate" in Windows Defender.
  • FireEye refers to the backdoor as SUNBURST. The campaign is tracked as UNC2452.

What you should do at this point:

  1. Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely all or most of your network)
  2. CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8]
  3. Quick check for the following indicators:
    (1) is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or
    %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
    (2) if so, the malicious version uses this Singer and SingerHash:
         "Signer": "Solarwinds Worldwide LLC"
          "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"
    (3) the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
    (4) check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs)

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4]

The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)

IOCs:

See the FireEye GitHub repository https://github.com/fireeye/sunburst_countermeasures
John Bambenek GitHub repo (IP Addresses) https://github.com/bambenek/research/tree/main/sunburst

 

 

[1] https://twitter.com/razhael/status/1338267165221396480/photo/1
[2] https://twitter.com/cyb3rco0kie/status/1338276872333889537?s=21
[3] https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818
[4] https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832
[5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132
[6] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[7] https://github.com/fireeye/sunburst_countermeasures
[8] https://cyber.dhs.gov/ed/21-01/

---
Johannes B. Ullrich, Ph.D. Dean of Research, SANS.edu
Twitter|

4 comment(s)

Comments

Hi,

regarding the Signer Hash:

"Signer": "Solarwinds Worldwide LLC"
"SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"

I've checked in my installation (2020.2.1 Hotfix 1), and indeed I find this SignerHash (47d...), but I couldn't find any other abnormalities mentioned. Also the hash of the .DLL file itself is different as the ones posted everywhere.

I also verified other .DLLs in the directory, not only the SolarWinds.Orion.Core.BusinessLayer.dll, they all have the same SignerHash.

So, is this SignerHash a clear indicator for an attacked system?

Thanks,

Jeff
I believe there is an error in this summary. According to https://www.solarwinds.com/securityadvisory, the 2020.2.1 (note the dot-one at the end) is NOT compromised. Only the 2020.2 (no dot-one) up till HF 1.

If that is correct, then your installation should be safe (I hope, since I have the same version).
According to the CISA announcement: "SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors". I know this differs somewhat from SolarWinds' advice that states that 2020.2.1 HF 1 is secure. I will make this a bit more obvious in the article.
The FireEye Threat Research Blog mentions these domains. Does anyone have the IPs that these resolved to IN MARCH-MAY 2020?

.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com

Diary Archives