Cysiv Blog

Security Advisory: SolarWinds Supply Chain Attack


SolarWinds, a network management software company, was compromised by an advanced persistent threat (APT) back in March 2020. However, the incident was only uncovered in December 2020. The incident is classified as a supply chain attack because it targets the users of the SolarWinds Orion platform. The threat actor compromised the Orion software build system between March and June 2020 and inserted a backdoor named Sunburst and a web shell named SuperNova into the software. The source code of the backdoor was not present in the source code repository of the Orion Platform products, which is consistent with it being injected at build time rather than committed to the repository.

The incident affected many public and private organizations around the world for months before the first report was published last week. SolarWinds has so far identified 18,000 customers of its products that may potentially be affected by this incident. Within a few days of the first report, many high-profile entities disclosed that they had been breached through this incident. Some of the victims are:

  • The US Treasury Department
  • The US Department of Commerce's National Telecommunications and Information Administration (NTIA)
  • The Department of Health's National Institutes of Health (NIH)
  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • The Department of Homeland Security (DHS)
  • The US Department of State
  • The National Nuclear Security Administration (NNSA)
  • The US Department of Energy (DOE)
  • Microsoft

We expect that many more breaches related to this supply chain attack will be discovered in the next few months. Cysiv has taken active measures to ensure its clients are protected from attackers that might attempt to exploit the SolarWinds breach, and this report summarizes the key information about the breach.

Affected Products

The Sunburst backdoor and SuperNova web shell code were found in the SolarWinds product versions listed in Figure 1.

Figure 1 – Affected products

Orion Platform Version   | File Version       | SHA256
-------------------------|--------------------|-----------------------------------------------------------------
2020.2, 2020.2 HF1       | 2020.2.5300.12432  | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
2020.2 RC2               | 2020.2.5200.12394  | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
2020.2 RC1               | 2020.2.100.12219   | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
2019.4 HF5               | 2019.4.5200.9083   | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

The Orion platform version 2019.4 (file version 2019.4.5200.8890) has also been tampered with; however, there is no sign of the Sunburst backdoor or the SuperNova web shell in that version.

Sunburst Backdoor and SuperNova Web Shell

After being installed via the affected Orion platform software, the Sunburst backdoor will not communicate with its command and control (C2) servers immediately. It will only start its malicious actions after a dormant phase, which is up to two weeks in duration. The backdoor communicates with its C2 servers via hypertext transfer protocol (HTTP), and it mimics legitimate Orion platform software behaviors and network traffic to reduce suspicion. The backdoor is also equipped with anti-forensic and anti-detection techniques.

The backdoor is capable of retrieving and executing commands, including:

  • Collecting system information
  • Deleting, writing, transferring and executing files
  • Reading, setting, and deleting registry keys/values
  • Disabling system services
  • Computing file hashes
  • Rebooting the system

With these commands, the Sunburst backdoor is capable of stealing information and installing other malware on the infected host as well as supporting lateral movement in the network.

Although the Sunburst backdoor uses many advanced techniques to avoid detection, its domain generation algorithm (DGA) currently builds every C2 hostname under a single fixed parent domain, which makes it easy to detect. The generated domain is a subdomain of avsvmcloud[.]com, for example 6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com. Therefore, a rule that matches CNAME DNS requests for any subdomain of avsvmcloud[.]com can detect the presence of the backdoor in the environment.

The SuperNova web shell was embedded in an Orion library named app_web_logoimagehandler.ashx.b6031896.dll, which exposes an HTTP API through the URL path “/Orion/logoimagehandler.ashx”. The legitimate API only responds to queries with the URL parameter “id” for a specific logo image. However, the trojanized version of the API also serves HTTP requests with four URL parameters: “clazz”, “method”, “codes”, and “args”. The web shell compiles the code supplied in these parameters and executes it in memory on the fly, so nothing is written to disk.

The Cybersecurity and Infrastructure Security Agency (CISA) has recently revealed that the threat actor also uses other techniques in their kill chain. For example, the actor abused Security Assertion Markup Language (SAML) tokens to exfiltrate data through authorized application programming interfaces (APIs), and used stolen secret keys to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).

Mitigation

Any organization that has installed the affected SolarWinds products should upgrade the software immediately as follows:

  • Orion platform version 2019.4 HF5 should be upgraded to 2019.4 HF6 (14 Dec 2020)
  • Orion platform version 2020.2, 2020.2 HF1, 2020.2 RC2, and 2020.2 RC1 should be upgraded to 2020.2.1 HF2.

Users of SolarWinds products are also advised to monitor their systems to determine whether they have been breached. If either of the following behaviors is observed in the network, assume the environment has been compromised and start incident response procedures immediately:

  • CNAME DNS requests for any subdomain of avsvmcloud[.]com
  • HTTP requests to the URL path “/Orion/logoimagehandler.ashx” carrying all four URL parameters (in any order): “clazz”, “method”, “codes”, and “args”.
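The two indicators above, the Sunburst DGA subdomain and the SuperNova web shell parameter set, can be checked mechanically against DNS and web server logs. The following is an added example written for this advisory, not Cysiv's or SolarWinds' own code; the log line layouts and all client addresses are constructed, and the defanged domain from the text is used un-bracketed so it can be compared against real query names.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the advisory (defanged brackets removed)
SUNBURST_C2_DOMAIN = "avsvmcloud.com"
SUPERNOVA_PATH = "/orion/logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"clazz", "method", "codes", "args"}

def is_sunburst_dns(qname: str) -> bool:
    """True if the queried name is a subdomain of the Sunburst DGA parent domain."""
    name = qname.rstrip(".").lower()          # tolerate trailing dot and mixed case
    return name.endswith("." + SUNBURST_C2_DOMAIN)

def is_supernova_request(url: str) -> bool:
    """True if the request hits the logo handler with all four web shell parameters (any order)."""
    parts = urlsplit(url)
    if parts.path.lower() != SUPERNOVA_PATH:  # IIS paths are case-insensitive
        return False
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return SUPERNOVA_PARAMS <= names          # subset test: an extra id= is still a hit

def scan_log(lines, predicate):
    """Return (client, type_or_method, name_or_url) for lines whose 4th field matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and predicate(fields[3]):
            hits.append((fields[1], fields[2], fields[3]))
    return hits

# Constructed sample logs (not real telemetry): "<timestamp> <client> <rtype> <name>" and
# "<timestamp> <client> <method> <url>". The 1st and 2nd DNS lines and the 2nd and 3rd web
# lines should alert; the others are benign or near-miss names/requests.
DNS_LOG = [
    "2020-12-14T10:01:02Z 10.0.0.5 A 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-14T10:01:02Z 10.0.0.5 CNAME 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-14T10:01:03Z 10.0.0.7 A orion-server.corp.example",
    "2020-12-14T10:01:04Z 10.0.0.9 A notavsvmcloud.com",
]
WEB_LOG = [
    "2020-12-14T10:02:00Z 10.0.0.5 GET /Orion/logoimagehandler.ashx?id=3",
    "2020-12-14T10:02:05Z 203.0.113.9 GET /Orion/logoimagehandler.ashx?codes=x&clazz=x&method=x&args=x",
    "2020-12-14T10:02:06Z 203.0.113.9 GET /orion/LogoImageHandler.ashx?args=x&method=x&clazz=x&codes=x&id=1",
    "2020-12-14T10:02:07Z 10.0.0.5 GET /Orion/logoimagehandler.ashx?clazz=x&method=x&codes=x",
]

if __name__ == "__main__":
    for hit in scan_log(DNS_LOG, is_sunburst_dns) + scan_log(WEB_LOG, is_supernova_request):
        print("ALERT", hit)
```

Note that a request carrying only three of the four parameters is deliberately not flagged, matching the advisory's indicator, and that the apex domain avsvmcloud.com itself is not treated as a subdomain.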

We expect that removing the threat actor from compromised systems will be challenging for organizations, as additional malware may have been installed on those systems. Therefore, organizations without the expertise to investigate and respond to such incidents should immediately seek help from cyber security companies.

Protection Provided by Cysiv

Cysiv SOC-as-a-Service provides protection from a broad range of threats:

  • 24x7 monitoring provides organizations with real-time alerts and quick isolation and remediation to contain a threat during the early stages of an attack, preventing a compromise, data loss or breach.
  • Human-led threat hunting helps to identify suspicious activity and digital footprints that are indicative of an intrusion.
  • Anti-malware that may already be deployed (or can be deployed by Cysiv) on endpoints, for users, and that can be monitored as part of the Cysiv service, will constantly monitor for abnormal activities and block any connection to suspicious URLs, IPs and domains.
  • Anti-malware that may already be deployed (or can be deployed by Cysiv) on servers and workloads, and that can be monitored as part of the Cysiv service, uses a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless malware. Additionally, it will monitor events and quickly examine which processes or events are triggering malicious activity.
  • Network security appliances that may already be deployed (or can be deployed by Cysiv) and that can be monitored as part of the Cysiv service will detect malicious attachments and URLs, and are able to identify suspicious communication in over 100 different protocols over any port. These appliances can also detect remote scripts even if they’re not being downloaded at the physical endpoint.
