SolarWinds Supply Chain Attack (Sunburst Malware)

Priority: Critical

Executive Summary:

A highly sophisticated attack using a trojanised version of SolarWinds’ Orion software has been discovered, affecting both private and public organisations globally [1]. The attack is believed to have started as early as Spring 2020 and is still ongoing, making this an imminent threat to any organisation using SolarWinds Orion.

  • The attackers are using sophisticated techniques to avoid detection once intrusion into a network is successful, but these techniques are not novel and offer opportunities for detection in certain cases.
  • FireEye, among others, have released Indicators of Compromise (IOCs) and detection signatures to allow defenders and threat hunters to monitor their networks and protect themselves against this attack [2].
  • SolarWinds have confirmed that the affected versions of Orion are 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020; they recommend upgrading to version 2020.2.1 HF 1 as soon as possible, followed by 2020.2.1 HF 2 (to be released 2020-12-15) for additional security enhancements [3].
  • ITC Secure is contacting any affected customers directly with specific information about any changes that are required.

Background:

On 8th December 2020 FireEye published a threat research article detailing the unauthorised access of their Red Team tools, attributing the attack to “a highly sophisticated state-sponsored adversary” [4].

In this article, FireEye assured the public that no zero-day exploits or novel techniques were among the tools, and much of the material had already been made publicly available.

The resulting incident response investigation uncovered an attack that FireEye are tracking as “UNC2452” using malware they have dubbed “SUNBURST”. The malware is a trojanised version of SolarWinds.Orion.Core.BusinessLayer.dll, which is digitally signed and distributed by SolarWinds, and communicates with malicious Command and Control (C2) servers using HTTP.

The malware remains dormant for a period of up to two weeks, after which it will attempt to resolve a subdomain of the address avsvmcloud[.]com in order to retrieve and execute commands. These include the ability to transfer and execute files, reboot a target host and disable its system services, as well as produce a fingerprint (a profile of system information) of a target host. The information gathered by the malware is stored in legitimate configuration files, and its network activity masquerades as the Orion Improvement Program (OIP) protocol, making the malware very difficult to detect. These obfuscation techniques require a level of skill generally only seen with nation-state attackers, which is further evidenced by the fact that the malware also uses obfuscated techniques to identify security tools that are running as processes, services and drivers on a target host.
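
The DNS lookup described above is one of the detection opportunities. The following hunt over resolver logs is an added example, not code from FireEye, SolarWinds or ITC Secure; the log format, the sample records and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Domain named in the advisory (written defanged there as avsvmcloud[.]com).
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log: "<timestamp> <client-ip> <query-name>".
# Hosts, timestamps and subdomain labels are invented for illustration.
SAMPLE_LOG = """\
2020-12-14T09:01:12Z 10.0.5.20 updates.example.org
2020-12-14T09:03:40Z 10.0.5.20 Constructed-Label-1.sub.AVSVMCLOUD.com.
2020-12-14T09:04:02Z 10.0.7.31 notavsvmcloud.com
2020-12-14T09:05:55Z 10.0.7.31 avsvmcloud.com.cdn.example.net
2020-12-14T10:15:09Z 10.0.5.20 constructed-label-2.sub.avsvmcloud.com
truncated-line-without-fields
"""

def normalise(qname):
    """Lower-case, re-fang '[.]' and drop the trailing root dot."""
    return qname.strip().replace("[.]", ".").lower().rstrip(".")

def matches_c2(qname):
    """True for the domain itself or any subdomain, on a label boundary."""
    name = normalise(qname)
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def hunt(log_text):
    """Return {client: {"count", "first_seen", "last_seen", "names"}}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:      # skip malformed or truncated records
            continue
        timestamp, client, qname = fields
        if matches_c2(qname):
            hits[client].append((timestamp, normalise(qname)))
    report = {}
    for client, events in hits.items():
        events.sort()             # ISO-8601 UTC timestamps sort lexically
        report[client] = {
            "count": len(events),
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "names": sorted({name for _, name in events}),
        }
    return report

if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, info)
```

Matching on a label boundary keeps look-alike names such as notavsvmcloud.com and avsvmcloud.com.cdn.example.net out of the results.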

The SolarWinds customers potentially compromised by this attack include an extensive list of high-profile organisations, such as: the Office of the President of the United States; all five branches of the US military, as well as the Pentagon and NSA; the US State Department, Department of Justice and Department of Treasury; NASA; and many private organisations, including all ten of the top ten telecommunications companies in the US, the top five US accounting firms, more than 425 of the US Fortune 500, and hundreds of universities and colleges worldwide [5].

UK organisations listed also include central government, defence agencies, and the NHS [6].

At this early stage there is no clear attribution; however, it can be seen from the list of potential victims and level of sophistication that the likely goal of the attack campaign is theft of data valuable for an adversarial nation-state, such as state secrets, STEM research and intellectual property. This is unlike less sophisticated criminal attackers, who typically aim to steal the personal data of individuals.

Microsoft has released an advisory that includes steps for customers to protect themselves against nation-state attackers. In the advisory, Microsoft makes it clear that they have not identified any compromise of Microsoft products or services [7].

Affected Products:

SolarWinds has confirmed that versions of the Orion Platform from 2019.4 HF 5 to 2020.2.1, inclusive, are affected. These versions were released between March 2020 and June 2020.
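
A check of inventory version strings against the range stated above, as an added example (not SolarWinds or ITC Secure code). It assumes versions order by their numeric components and then by hotfix number; the function names and result labels are hypothetical.

```python
import re

# Accepts "2019.4 HF 5", "2019.4 HF5", "2020.2.1", "2020.2.1 hf2", ...
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

def parse_orion_version(text):
    """Return (year, major, minor, hotfix) as a comparable tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    if len(numbers) > 3:
        raise ValueError(f"too many version components: {text!r}")
    numbers += [0] * (3 - len(numbers))      # "2019.4" -> 2019.4.0
    hotfix = int(match.group(2) or 0)         # no "HF n" suffix -> hotfix 0
    return (*numbers, hotfix)

# Bounds taken from the advisory text; both ends are inclusive.
FIRST_AFFECTED = parse_orion_version("2019.4 HF 5")
LAST_AFFECTED = parse_orion_version("2020.2.1")

def classify(text):
    """Label a version relative to the affected range in the advisory."""
    version = parse_orion_version(text)
    if version < FIRST_AFFECTED:
        return "before affected range"
    if version <= LAST_AFFECTED:
        return "affected"
    return "hotfixed"                         # 2020.2.1 HF 1 or later

if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for entry in ["2019.4 HF 4", "2019.4 HF5", "2020.2", "2020.2.1", "2020.2.1 HF 1"]:
        print(f"{entry:15} {classify(entry)}")
```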

Prevent:

SolarWinds has released a hotfix (2020.2.1 HF 1), recommended for all customers to install as soon as possible. SolarWinds will also be releasing a second hotfix (2020.2.1 HF 2) on 15th December 2020 to add further security enhancements.

For customers unable to apply the hotfix immediately, SolarWinds refers to their documentation on security best practices for the Orion Platform (which can be found at https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trust-center/resources/secure-configuration-in-the-orion-platform.ashx), the primary steps of which are to ensure the Orion Platform is installed behind firewalls, does not have internet access, and only the minimum necessary known ports are open.

React:

Affected organisations should update SolarWinds to the latest version, 2020.2.1 HF 1, as soon as possible, and update to 2020.2.1 HF 2 as soon as that release becomes available (expected 15th December 2020).

Given the level of sophistication and unpredictability involved in a state-sponsored attack, ITC’s advice to defend against such threats in general would cover the spectrum of security domains and is, therefore, beyond the scope of this publication. However, the aforementioned resources, such as Microsoft’s advisory, are a place to start. Our own Cyber Advisory consultants regularly perform cyber security assessments for organisations across numerous industry verticals and can assist in preparing a comprehensive and bespoke cybersecurity strategy.

For this specific attack, FireEye have released the IOCs found during their investigation and provide numerous Snort and Yara rules in their sunburst_countermeasures repository [2]. We recommend updating your existing security monitoring tools with these rules; ITC’s SOC has already begun implementing threat hunting capabilities based on these IOCs and will be contacting any affected customers accordingly. Major antivirus detection engines have already been updated with the relevant signatures and file hashes, so customers should check their antivirus products for the latest updates.

Sources:

[1] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] https://github.com/fireeye/sunburst_countermeasures

[3] https://www.solarwinds.com/securityadvisory

[4] https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

[5] https://twitter.com/KimZetter/status/1338389139645845505

[6] https://www.solarwinds.com/federal-government/it-management-solutions-for-government

[7] https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/