Security Advisory: SolarWinds Supply Chain Attack

SolarWinds – a network management software company – was compromised by an advanced persistent threat (APT) back in March 2020. However, the incident was only uncovered in December 2020. The incident is classified as a supply chain attack as it targets SolarWinds Orion platform users. The threat actor successfully compromised the Orion software build system between March and June 2020 and inserted a backdoor named Sunburst and a web shell named SuperNova into the software. The source code of the backdoor was not present in the source code repository of the Orion Platform products.

The incident affected many public and private organizations around the world for months before the first report was published last week. SolarWinds has currently identified 18,000 customers of its products that may potentially be affected by this incident. Many high-profile entities have disclosed that they were breached because of the incident a few days after the first report was published. Some of the victims are:

• The US Treasury Department
• The US Department of Commerce's National Telecommunications and Information Administration (NTIA)
• The Department of Health's National Institutes of Health (NIH)
• The Cybersecurity and Infrastructure Agency (CISA)
• The Department of Homeland Security (DHS)
• The US Department of State
• The National Nuclear Security Administration (NNSA)
• The US Department of Energy (DOE)
• Microsoft

We expect that there will be many more breaches related to this supply chain attack discovered in the next few months. Cysiv has taken active measures to ensure its clients are protected from attackers that might attempt to exploit the SolarWinds breach, and this report summary the key information about the breach

Affected Products

The Sunburst backdoor and SuperNova web shell code was found in the SolarWinds products listed in Figure 1.

Figure 1 – Affected products

The Orion platform version 2019.4 (File version: 2019.4.5200.8890) has also been tampered with, however there is no sign of the Sunburst backdoor or SuperNova web shell in the specified version.

Sunburst Backdoor and SuperNova Web Shell

After being installed via the affected Orion platform software, the Sunburst backdoor will not communicate with its command and control (C2) servers immediately. It will only start its malicious actions after a dormant phase, which is up to two weeks in duration. The backdoor communicates with its C2 servers via hypertext transfer protocol (HTTP), and it mimics legitimate Orion platform software behaviors and network traffic to reduce suspicion. The backdoor is also equipped with anti-forensic and anti-detection techniques.

The backdoor is capable of retrieving and executing commands, including:

• Collecting system information
• Deleting, writing, transferring and execute files
• Reading, setting, and deleting registry keys/values
• Disable system services
• Computing file hash
• Rebooting the system

With these commands, the Sunburst backdoor is capable of stealing information and installing other malware on the infected host as well as supporting lateral movement in the network.

Although the Sunburst backdoor uses many advanced techniques to avoid detection, it currently determines its C2 server using a fixed domain for its domain generation algorithm (DGA), which makes it easy to detect. The generated domain is a subdomain of avsvmcloud[.]com. For example: 6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com. Therefore, a rule that matches CNAME DNS requests for any subdomain of avsvmcloud[.]com can detect the existence of the backdoor in the system.

SuperNova web shell was embedded in an Orion library named app_web_logoimagehandler.ashx.b6031896.dll, which exposes an HTTP API through the url path “/Orion/logoimagehandler.ashx”. The legitimate API only responds to queries with the url parameter “id” for a specific logo image. However, the trojanized version of the API also serves HTTP requests with four url parameters: “clazz”, “method”, “codes”, and “args”. The web shell will compile the parameters and execute the code in memory on the fly.

The Cybersecurity and Infrastructure Security Agency (CISA) has recently revealed that the threat actor also uses other techniques in their kill chain. For example, abusing security assertion markup language (SAML) tokens for data exfiltration via authorized application programming interfaces (APIs) or stolen secret keys to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).

Mitigation

It is recommended that any company that has installed the affected SolarWinds products should upgrade the software immediately as follows:

• Orion platform version 2019.4 HF 5 should be upgraded to 2019.4 HF6 (14 Dec 2020)
• Orion platform version 2020.2, 2020.2 HF1, 2020.2 RC2, and 2020.2 RC1 should be upgraded to 2020.2.1 HF2.

The users of SolarWinds products are also advised to monitor their systems to determine if they have been breached. If a CNAME DNS request for any subdomain of avsvmcloud[.]com is observed in the network, assume the environment has been compromised and start incident response procedures immediately. 

If the following behaviors are observed in the network, assume the environment has been compromised and start incident response procedures immediately:

• CNAME DNS requests for any subdomain of avsvmcloud[.]com
• HTTP requests to the url path “/Orion/logoimagehandler.ashx” with four url parameters (in any order): “clazz”, “method”, “codes”, and “args”.

We expect that removing the threat actors from compromised systems will be challenging for organizations as there could be additional malware installed in the systems. Therefore, the organizations without the expertise to investigate and respond to the incidents should immediately seek help from cyber security companies.

Protection Provided by Cysiv

Cysiv SOC-as-a-Service provides protection from a broad range of threats:

• 24x7 monitoring provides organizations with real time alerts and quick isolation and remediation to contain a threat during the early stages of an attack to prevent a compromise, data loss or breach.
• Human-led threat hunting helps to identify suspicious activity and digital footprints that are indicative of an intrusion.
• Anti-malware that may already be deployed (or can be deployed by Cysiv) on endpoints, for users, and that can be monitored as part of the Cysiv service, will constantly monitor for abnormal activities and block any connection to suspicious URLs, IPs and domains. 
• Anti-malware that may already be deployed (or can be deployed by Cysiv) on servers and workloads, and that can be monitored as part of the Cysiv service, uses a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, memory and browser attacks related to fileless malware. Additionally, it will monitor events and quickly examines what processes or events are triggering malicious activity.
• Network security appliances that may already be deployed (or can be deployed by Cysiv) and that can be monitored as part of the Cysiv service will detect malicious attachments and URLs, and are able to identify suspicious communication in over 100 different protocols over any port. These appliances can also detect remote scripts even if they’re not being downloaded at the physical endpoint.

References

• https://www.solarwinds.com/securityadvisory
• https://cyber.dhs.gov/ed/21-01/ 
• https://us-cert.cisa.gov/ncas/alerts/aa20-352a 
• https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html