SANS Internet Storm Center

SolarWinds Breach Used to Infiltrate Customer Networks (Solarigate)
[This is a developing story and will likely be updated as we learn more details. ] We are preparing a webcast for 5 pm EST (22:00 UTC) SolarWinds today announced that its product was apparently used to breach multiple high profile organizations [1]. One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach the network [6]. SolarWinds was apparently compromised early in 2020. The attackers used the access they gained to the SolarWinds network to add a backdoor to a key library that is part of SolarWinds. This modified library was delivered to selected SolarWinds customers via the normal SolarWinds update process. SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 are potentially affected (Solarwinds states that 2020.2.1 HF 1 is safe. CISA considers that version affected). According to SolarWinds' statement, updates to the Orion product released between March and June of 2020 are affected. The SolarWinds Orion Platform is an IT management platform that will centralize IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things. Currently, the following names are used for the attack: Microsoft labeled the attack "Solarigate" in Windows Defender. FireEye refers to the backdoor as SUNBURST. The campaign is tracked as UNC2452. What you should do at this point: Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely all or most of your network) CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8] Quick check for the following indicators: (1) is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll (2) if so, the malicious version uses this Singer and SingerHash: "Signer": "Solarwinds Worldwide LLC" "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4" (3) the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise (4) check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs) The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4] The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com) IOCs: See the FireEye GitHub repository https://github.com/fireeye/sunburst_countermeasures John Bambenek GitHub repo (IP Addresses) https://github.com/bambenek/research/tree/main/sunburst [1] https://twitter.com/razhael/status/1338267165221396480/photo/1 [2] https://twitter.com/cyb3rco0kie/status/1338276872333889537?s=21 [3] https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818 [4] https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832 [5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132 [6] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html [7] https://github.com/fireeye/sunburst_countermeasures [8] https://cyber.dhs.gov/ed/21-01/ --- Johannes B. Ullrich, Ph.D. Dean of Research, SANS.edu Twitter\| I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022	Johannes 4349 Posts ISC Handler Dec 15th 2020
Thread locked Subscribe	Dec 15th 2020 1 year ago
Hi, regarding the Signer Hash: "Signer": "Solarwinds Worldwide LLC" "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4" I've checked in my installation (2020.2.1 Hotfix 1), and indeed I find this SignerHash (47d...), but I couldn't find any other abnormalities mentioned. Also the hash of the .DLL file itself is different as the ones posted everywhere. I also verified other .DLLs in the directory, not only the SolarWinds.Orion.Core.BusinessLayer.dll, they all have the same SignerHash. So, is this SignerHash a clear indicator for an attacked system? Thanks, Jeff	Anonymous
Quote	Dec 14th 2020 1 year ago
I believe there is an error in this summary. According to https://www.solarwinds.com/securityadvisory, the 2020.2.1 (note the dot-one at the end) is NOT compromised. Only the 2020.2 (no dot-one) up till HF 1. If that is correct, then your installation should be safe (I hope, since I have the same version).	Anonymous
Quote	Dec 15th 2020 1 year ago
According to the CISA announcement: "SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors". I know this differs somewhat from SolarWinds' advice that states that 2020.2.1 HF 1 is secure. I will make this a bit more obvious in the article.	Johannes 4349 Posts ISC Handler
Quote	Dec 15th 2020 1 year ago
The FireEye Threat Research Blog mentions these domains. Does anyone have the IPs that these resolved to IN MARCH-MAY 2020? .appsync-api.eu-west-1[.]avsvmcloud[.]com .appsync-api.us-west-2[.]avsvmcloud[.]com .appsync-api.us-east-1[.]avsvmcloud[.]com .appsync-api.us-east-2[.]avsvmcloud[.]com	Anonymous
Quote	Dec 15th 2020 1 year ago

[This is a developing story and will likely be updated as we learn more details. ]

We are preparing a webcast for 5 pm EST (22:00 UTC)

SolarWinds today announced that its product was apparently used to breach multiple high profile organizations [1]. One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach the network [6].

SolarWinds was apparently compromised early in 2020. The attackers used the access they gained to the SolarWinds network to add a backdoor to a key library that is part of SolarWinds. This modified library was delivered to selected SolarWinds customers via the normal SolarWinds update process. SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 are potentially affected (Solarwinds states that 2020.2.1 HF 1 is safe. CISA considers that version affected).

According to SolarWinds' statement, updates to the Orion product released between March and June of 2020 are affected. The SolarWinds Orion Platform is an IT management platform that will centralize IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things.

Currently, the following names are used for the attack:

Microsoft labeled the attack "Solarigate" in Windows Defender.
FireEye refers to the backdoor as SUNBURST. The campaign is tracked as UNC2452.

What you should do at this point:

Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely all or most of your network)
CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8]
Quick check for the following indicators:
(1) is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or
%WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
(2) if so, the malicious version uses this Singer and SingerHash:
"Signer": "Solarwinds Worldwide LLC"
"SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"
(3) the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
(4) check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs)

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4]

The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)

IOCs:

See the FireEye GitHub repository https://github.com/fireeye/sunburst_countermeasures
John Bambenek GitHub repo (IP Addresses) https://github.com/bambenek/research/tree/main/sunburst

[1] https://twitter.com/razhael/status/1338267165221396480/photo/1
[2] https://twitter.com/cyb3rco0kie/status/1338276872333889537?s=21
[3] https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818
[4] https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832
[5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132
[6] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[7] https://github.com/fireeye/sunburst_countermeasures
[8] https://cyber.dhs.gov/ed/21-01/

---
Johannes B. Ullrich, Ph.D. Dean of Research, SANS.edu
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes

4349 Posts
ISC Handler

Dec 15th 2020

Hi,

regarding the Signer Hash:

"Signer": "Solarwinds Worldwide LLC"
"SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"

I've checked in my installation (2020.2.1 Hotfix 1), and indeed I find this SignerHash (47d...), but I couldn't find any other abnormalities mentioned. Also the hash of the .DLL file itself is different as the ones posted everywhere.

I also verified other .DLLs in the directory, not only the SolarWinds.Orion.Core.BusinessLayer.dll, they all have the same SignerHash.

So, is this SignerHash a clear indicator for an attacked system?

Thanks,

Jeff

Anonymous

I believe there is an error in this summary. According to https://www.solarwinds.com/securityadvisory, the 2020.2.1 (note the dot-one at the end) is NOT compromised. Only the 2020.2 (no dot-one) up till HF 1.

If that is correct, then your installation should be safe (I hope, since I have the same version).

Anonymous

According to the CISA announcement: "SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors". I know this differs somewhat from SolarWinds' advice that states that 2020.2.1 HF 1 is secure. I will make this a bit more obvious in the article.

Johannes

4349 Posts
ISC Handler

The FireEye Threat Research Blog mentions these domains. Does anyone have the IPs that these resolved to IN MARCH-MAY 2020?

.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com

Anonymous