Tracking UNC2452 / SUNBURST / SOLORIGATE
The SolarWinds breach is still unfolding, but each update makes it look more like the biggest hack of all time. A weak password for a SolarWinds update server, "solarwinds123", had sat in a public GitHub repository, and it is widely suspected, though not confirmed by SolarWinds, as one way the attackers got in.
On December 13, 2020, SolarWinds disclosed that attackers had inserted malicious code into builds of its Orion platform, which SolarWinds then signed and shipped to customers as routine updates. Orion is used by the customers shown below, and by many more that are not on this list.
In its Form 8-K filing with the U.S. Securities and Exchange Commission, SolarWinds states the following:
“SolarWinds values the privacy and security of its over 300,000 customers and is working closely with customers of its Orion products to address this incident. On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000. The communication to these customers contained mitigation steps, including making available a hotfix update to address this vulnerability in part and additional measures that customers could take to help secure their environments. SolarWinds is also preparing a second hotfix update to further address the vulnerability, which SolarWinds currently expects to release on or prior to December 15, 2020. For the nine months ended September 30, 2020, total revenue from the Orion products across all customers, including those who may have had an installation of the Orion products that contained this vulnerability, was approximately $343 million, or approximately 45% of total revenue.”
Read carefully, that is fewer than 18,000 customers who may have installed a build carrying the backdoor. Having the backdoor installed is not the same as having been worked by the attackers: they used it to pick a much smaller set of targets for follow-on activity, but every one of those installations has to be treated as a foothold.
On December 8, 2020, FireEye disclosed that it had been breached and its red team tools stolen; on December 13, 2020, it published its analysis of the SUNBURST backdoor and attributed the campaign to an actor it tracks as UNC2452.
By December 14, 2020, the U.S. Department of Homeland Security and the Departments of the Treasury and Commerce were reported to have been compromised.
On December 17, 2020, the U.S. Department of Energy confirmed it was affected, including the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.
On December 31, 2020, Microsoft disclosed that the attackers had used a compromised internal account to view source code in a number of its repositories; Microsoft stated the account could read but not modify code. This is concerning because reading source is far cheaper than reverse engineering binaries when hunting for exploitable bugs.
As of the time of this blog (1/06/2021), the U.S. Justice Department has stated that its Microsoft Office 365 email environment was accessed, affecting about 3% of its mailboxes.
Now, time to get technical…
How the attackers first got in has not been confirmed; the leaked GitHub password is one suspected route. Whatever the entry point, by early 2020 they had access to SolarWinds' build environment and inserted a backdoor into the Orion build so that it shipped inside a legitimately signed update. Every customer who installed one of those updates then carried the backdoor, giving the actor a foothold in up to 18,000 environments from which to select targets for follow-on intrusion.
The trojanized DLL, SolarWinds.Orion.Core.BusinessLayer.dll, contains the SUNBURST backdoor. It is digitally signed by SolarWinds, was delivered in Orion updates between March and June 2020, and is so far the only known trojanized SolarWinds component. The affected versions are 2019.4 HF5, 2020.2 with no hotfix, and 2020.2 HF1. After the DNS beaconing described next, the backdoor's tasking channel is HTTP(S) to attacker-controlled servers.
After a dormant period of up to two weeks, the backdoor begins resolving generated subdomains of avsvmcloud[.]com.
The leading label of each query encodes information about the infected host, including its Active Directory domain, so the operators learn who is calling in without the victim ever sending an HTTP request.
- The DNS answer controls what happens next. If the returned A record falls within certain address ranges (private address space among them), the backdoor stops; that behaviour is what the sinkholing of avsvmcloud[.]com turned into a kill switch. If the operators decide a victim is worth pursuing, the answer is a CNAME pointing to a second-stage C&C domain, and the backdoor then switches to HTTP(S) command and control against that domain.
- C2 domains observed in SUNBURST incidents, the CNAME records that pointed to them, and the subsequent phases are listed below:
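The beacon-then-CNAME sequence above is what a defender should be able to pull out of DNS logs. The script below is an added example, not code from the original post or from any vendor: it parses a constructed log format (timestamp, client, query name, rcode, answer), flags queries under avsvmcloud[.]com, records the encoded leading label, and classifies each answer as a kill-switch response, a CNAME hand-off to a second-stage domain (capturing that domain), or a beacon with no tasking. The kill-range list is a reduced illustration (RFC 1918 and multicast space plus the 20.140.0.0/15 sinkhole block), not the complete set from the published analysis, and the sample log lines, labels and the stage2.example.invalid name are all constructed.

```python
"""Triage DNS logs for SUNBURST-style beaconing to avsvmcloud[.]com (added example)."""
import ipaddress
from collections import defaultdict

BEACON_APEX = "avsvmcloud.com"

# Answers in these ranges cause the backdoor to stop: RFC 1918 and multicast
# space, plus the 20.140.0.0/15 block used by the public sinkhole ("kill switch").
# Reduced list for illustration; not the complete set from the published analysis.
KILL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "20.140.0.0/15")]

# Constructed sample log (not a real capture). Format assumed for this example:
#   <timestamp> <client_ip> <qname> <rcode> <answer>
# where <answer> is A=<ip>, CNAME=<name>, or "-" when there is no answer.
SAMPLE_LOG = """\
2020-06-20T09:12:01Z 10.20.1.15 www.example.com NOERROR A=93.184.216.34
2020-06-20T09:12:07Z 10.20.1.15 2bsgqcdcq4h2sbl6ih8e1qhu.appsync-api.eu-west-1.avsvmcloud.com NOERROR A=20.140.0.1
2020-06-20T09:35:44Z 10.20.1.27 3obu85ad5aho8ml54b7gsj8c.appsync-api.us-west-2.avsvmcloud.com NOERROR CNAME=stage2.example.invalid
2020-06-20T09:36:00Z 10.20.1.27 stage2.example.invalid NOERROR A=203.0.113.5
2020-06-20T10:01:13Z 10.20.1.40 v5bfb3ahmabkbc4muec9b4ra.appsync-api.us-east-1.avsvmcloud.com NXDOMAIN -
"""

def classify(qname, rcode, answer):
    """Verdict for one DNS record, or None when the query is not a SUNBURST beacon."""
    q = qname.lower().rstrip(".")
    if q != BEACON_APEX and not q.endswith("." + BEACON_APEX):
        return None
    if rcode != "NOERROR" or answer == "-":
        return "BEACON_NO_ANSWER"     # implant keeps retrying; no tasking yet
    kind, _, value = answer.partition("=")
    if kind == "CNAME":
        return "STAGE2_CNAME"         # victim selected; value is the next C2 domain
    if kind == "A":
        ip = ipaddress.ip_address(value)
        if any(ip in net for net in KILL_RANGES):
            return "KILL_SWITCH"      # implant will terminate itself
        return "BEACON_ACTIVE"        # answered outside kill ranges; keep watching
    return "BEACON_OTHER"

def triage(log_text):
    """Group beacon records by client, keeping the encoded label and any CNAME target."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, answer = line.split()
        verdict = classify(qname, rcode, answer)
        if verdict is None:
            continue
        record = {"ts": ts, "verdict": verdict, "qname": qname,
                  "encoded_label": qname.split(".")[0]}   # label carries encoded victim info
        if verdict == "STAGE2_CNAME":
            record["next_c2"] = answer.partition("=")[2]
        findings[client].append(record)
    return dict(findings)

PRIORITY = {"STAGE2_CNAME": 0, "BEACON_ACTIVE": 1,
            "BEACON_NO_ANSWER": 2, "BEACON_OTHER": 2, "KILL_SWITCH": 3}

def prioritize(findings):
    """Order clients by the worst verdict seen: CNAME-tasked hosts come first."""
    def worst(records):
        return min(PRIORITY[r["verdict"]] for r in records)
    return sorted(findings, key=lambda c: worst(findings[c]))

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for client in prioritize(results):
        for r in results[client]:
            extra = f" -> {r['next_c2']}" if "next_c2" in r else ""
            print(f"{client} {r['ts']} {r['verdict']} {r['qname']}{extra}")
```

A host whose beacon was answered with a CNAME is the one to pull first: it was hand-selected and its next C2 domain is now in your logs, so pivot on that name across proxy and firewall data. Hosts that only ever got a kill-switch answer still ran the trojanized build and need the rebuild and credential reset described at the end of the post.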
The SolarWinds Orion picture has since gotten grimmer with the publication of CVE-2020-10148, an authentication bypass in the SolarWinds Orion API that lets an unauthenticated remote attacker execute API commands. That is the route used to plant the second piece of malware below.
While investigating SUNBURST, SolarWinds found another piece of malware that had been actively exploited, now dubbed SUPERNOVA, which is believed to be the work of a different APT group.
Unlike SUNBURST, SUPERNOVA was not delivered through the Orion build and update chain and is not signed by SolarWinds. It is a webshell: a trojanized variant of the legitimate Orion library app_web_logoimagehandler.ashx.b6031896.dll, planted on Orion servers the attacker could already reach. The modified handler accepts C# source in an HTTP request, compiles it in memory, and runs it.
Indicators of Compromise:
SUNBURST: the trojanized SolarWinds.Orion.Core.BusinessLayer.dll shipped in the affected Orion versions listed above.
SUPERNOVA: the trojanized Orion handler app_web_logoimagehandler.ashx.b6031896.dll (the legitimate handler carries the same name, so compare the hash and signature against SolarWinds' release rather than matching on the file name alone).
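Because both indicators are file names that the legitimate components also use, a name match needs a content check behind it. The scanner below is an added example, not code from the original post or from SolarWinds: it walks a directory tree, picks out files with the two names, hashes them, and looks for strings that only the trojanized builds carry (the OrionImprovementBusinessLayer namespace that holds SUNBURST's backdoor class, and the DynamicRun method plus the clazz/codes request parameters of the SUPERNOVA handler), checking both the UTF-8 and UTF-16LE encodings .NET uses for identifiers and string literals. The files it scans in the demo are constructed byte blobs, not real binaries. Treat a marker hit as triage, and confirm with the hash and Authenticode signature.

```python
"""Hunt for trojanized SolarWinds Orion DLLs on disk: SUNBURST and SUPERNOVA (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names from the advisories. The legitimate files carry the same names,
# so a name match on its own is not a finding; content markers decide.
SUNBURST_DLL = "solarwinds.orion.core.businesslayer.dll"
SUPERNOVA_PREFIX = "app_web_logoimagehandler.ashx."

# Strings found in the trojanized binaries: SUNBURST's backdoor code lives in the
# OrionImprovementBusinessLayer namespace; the SUPERNOVA handler adds a DynamicRun
# method and reads clazz/method/args/codes from the request.
MARKERS = {
    "SUNBURST": (b"OrionImprovementBusinessLayer",),
    "SUPERNOVA": (b"DynamicRun", b"clazz", b"codes"),
}

def contains_marker(data, marker):
    """.NET stores identifiers as UTF-8 and string literals as UTF-16LE; check both."""
    return marker in data or marker.decode("ascii").encode("utf-16-le") in data

def inspect_file(path):
    """Return a report for a file of interest, or None for any other file."""
    name = path.name.lower()
    if name == SUNBURST_DLL:
        family = "SUNBURST"
    elif name.startswith(SUPERNOVA_PREFIX) and name.endswith(".dll"):
        family = "SUPERNOVA"
    else:
        return None
    data = path.read_bytes()
    hits = [m.decode("ascii") for m in MARKERS[family] if contains_marker(data, m)]
    return {"path": str(path), "family": family,
            "sha256": hashlib.sha256(data).hexdigest(),
            "markers": hits, "suspicious": bool(hits)}

def scan(root):
    """Walk a tree (e.g. the Orion install directory and inetpub) and report files of interest."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            report = inspect_file(Path(dirpath) / f)
            if report:
                reports.append(report)
    return reports

def build_demo_tree(root):
    """Write constructed stand-ins (short byte blobs, not real PE files) for the scan."""
    orion = root / "Orion"
    web = root / "inetpub" / "bin"
    orion.mkdir(parents=True)
    web.mkdir(parents=True)
    # trojanized business layer: legitimate name plus the backdoor namespace string
    (orion / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(
        b"MZ SolarWinds.Orion.Core.BusinessLayer OrionImprovementBusinessLayer")
    # unrelated Orion DLL: never inspected
    (orion / "SolarWinds.Orion.Core.Other.dll").write_bytes(b"MZ nothing to see")
    # SUPERNOVA: DynamicRun identifier (UTF-8) and parameter names as UTF-16LE literals
    (web / "App_Web_logoimagehandler.ashx.b6031896.dll").write_bytes(
        b"MZ LogoImageHandler DynamicRun "
        + "clazz".encode("utf-16-le") + "codes".encode("utf-16-le"))
    # a clean compiled handler with a different build suffix
    (web / "App_Web_logoimagehandler.ashx.1a2b3c4d.dll").write_bytes(
        b"MZ LogoImageHandler ProcessRequest")

def demo():
    """Scan a freshly built constructed tree; results keyed by lower-cased file name."""
    root = Path(tempfile.mkdtemp(prefix="orion-scan-"))
    build_demo_tree(root)
    return {Path(r["path"]).name.lower(): r for r in scan(root)}

if __name__ == "__main__":
    for name, r in demo().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "clean"
        print(f"{flag:10} {r['family']:9} {name} markers={r['markers']} sha256={r['sha256'][:16]}...")
```

On a real Orion server point scan() at the SolarWinds installation directory and the IIS application folders; the sha256 values it prints are what you compare against the hashes in the vendor and FireEye advisories, and an unsigned handler DLL is itself a finding regardless of markers.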
- Assume the worst: treat every host monitored by the Orion system as compromised.
- Reset all credentials used by or stored in the SolarWinds Orion system, and on all systems in the same environment as the Orion system.
- Rebuild from the ground up, from trusted sources, every host that was monitored by the SolarWinds Orion console.
- Restrict local administrator privileges on all systems, including the SolarWinds servers.
- Block all internet egress from any system running SolarWinds software.
- Reset all two-factor authentication secrets and tokens associated with any Orion system, or with hosts that shared the same environment.