SolarWinds Attack - Part I - From Infrastructure to Endpoint

By

Background

deepwatch has been closely tracking the ongoing developments around sophisticated malicious actors using advanced attack techniques to compromise organizations first reported by the security firm FireEye. A previously published timeline from deepwatch for it’s customers can be found here. deepwatch does not use any SolarWinds products in it’s SecOps platform. 

In Part I of a III part series, deepwatch will examine the details of the events and what we know so far, as well as provide some insights and thoughts around what this means for the cybersecurity industry. Part II will map the attacker’s timeline to the MITRE ATT&CK Framework, identifying potential gaps in visibility and providing recommendations to enterprises for data sources to closely monitor. Part III will examine the path forward for enterprises and organizations, and how a holistic approach to data aggregation and visibility is the only way to detect sophisticated attacks like this one. 

FireEye has dubbed this specific campaign UNC2452 and the malware associated with the campaign SUNBURST. Although the public release of information is over a week old, events are still unfolding and details continue to trickle out from Microsoft, FireEye, and others. Here’s what we know so far, and some thoughts on the subject from the deepwatch Security Research Team.

Initial Thoughts 

This is a significant event in the history of cyber attacks for several reasons:

  • Trusted Sources: The attacker successfully leveraged a sophisticated supply-chain attack to compromise organizations. This is significant because most of the safeguards in place to detect malicious code are set to “trust” software vendors like SolarWinds if their upgrades are signed and hashed correctly.
  • Mainstream Media Coverage: Usually a cyber event or incident is a story for the news media for one or two 24-hour cycles. This story has been trending and on the top of the headlines for over a week.
  • Publicly Available Details: Usually, the public doesn’t get to see this much detail so soon about an actors’ campaign life-cycle. Often specific details such as indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) of a sophisticated actor come out months and even years after the fact.
  • Infrastructure, Support, and Process: The attacking group has as much expertise in IT operations, development, and infrastructure as most enterprises as evidenced by the complex nature of their infrastructure, which spanned both Amazon Web Services and Azure cloud systems. For example, examination of Passive DNS data indicates the domain IoCs associated with this attack shifted around different hosts, IP addresses and service providers through the spring and summer.
  • Operational Security and Understanding Defense Tactics: The attacker leveraged several techniques to throw off even seasoned security practitioners and threat hunters. These techniques included leveraging VPNs for geographical adjacency to the target as well as differentiation of “remote” accounts used to access systems vs. “local” accounts used for lateral movement inside an organization. In addition, the same actor is responsible for a parallel attack on Duo’s 2-factor Authentication software. This indicates a well funded project with a deep understanding of organizational defense tactics.
  • Scope and Impact: It is estimated that 18,000+ organizations that downloaded the trojaned software from SolarWinds were potentially impacted by this event. It is reasonable to assume that enterprises and government organizations will be dealing with the fallout from this for several months, and those who do not have the staff or resources to adequately respond to this type of event may languish in a state of unknown certainty indefinitely.
  • Industry and Government Response: Although there’s some speculation in the media, specific details are unknown about how the attacker gained access to the development environment of SolarWinds, the fact that they were able to compromise a legitimate software platform’s build process is noteworthy. Not only must the attacker be intimately knowledgeable in the CI/CD process, they’re capable when it comes to certificate and code signing as evidenced by the Microsoft and FireEye deep dives linked below.

Attack Techniques – What we know so far

Attackers used trojaned versions of the SolarWinds Orion, an IT management and monitoring platform to gain initial access to target organizations. From there, the malicious actors moved laterally through the victim network to identify and exfiltrate business sensitive data or information that could be used in future attacks on other organizations.

According to Solarwinds, the malware was deployed as legitimate updates that occurred from sometime in 2019 through June of 2020 to the Orion product.  While not all customers who got the malware have seen it used for attack methods, the leverage that this attack has on broader attacks on networks includes critical systems and sensitive organizations.  This elevates the attack vector and its ripple effects into a large subset of the economy and government agencies alike, as SolarWinds reports to have over 18,000 customers potentially affected. 

The deepwatch Research team is focused on the sophistication of the attack, as the scale and complexity of this attack vs others seen in the last number of years, is unparalleled. At this time, Microsoft states that 80% of the attack was focused on and directed toward victimizing US-based companies.

The malware hides as a malicious windows library (DLL) under the guise of the legitimate Orion Improvement Program (OIP) software, and leverages the OIP protocol to move throughout the victim network undetected. The malware behavior is a traditional Command and Control (C&C) program designed to allow the attacker to perform tasks (Jobs) such as transferring and executing files, profiling of systems, rebooting the infected machine, and disabling system services.

Attackers cement their access through the generation of administrative level privileges in the victim environment. Some access has been extended using a SAML authentication token signing certificate compromise. SAML is an authentication protocol widely used by cloud access providers like Okta and Microsoft. This advanced technique shows the sophistication of the actor in its ability to embed itself into the victim network for long-term access, akin to the classic attacker techniques of a full Active Directory compromise.

deepwatch Detection and Response 

Threat Intelligence

deepwatch is actively using FireEye’s Indicator of Compromise (IoC) released on December 8th, 2020 that are related to UNC2452 in github to detect this activity via threat alerting. deepwatch also has leveraged it’s automated search platform to proactively identify customers who have potentially been compromised.

Detection

Using geographical data to detect anomalous logins will be unsuccessful as the attacker(s) are leveraging Virtual Private Networks (VPN) services to surface attacks from the victim’s country. 

The deepwatch Security Content Management (SCM) and Detection Engineering teams are working on specific searches to detect and alert this activity, including SAML token and certificate attacks as evidenced by the attacking group’s activity. 

However, given the attacker is using valid credentials, deepwatch’s anomalous user activity detection could catch compromised accounts. deepwatch also has beaconing detection capabilities that will surface potential C&C traffic displayed by the SUNBURST (TEARDROP and BEACON (Cobalt Strike) malware are also referenced by FireEye) malware. 

Endpoint Detection and Response

As of this writing, all deepwatch supported Endpoint products have signatures to detect the associated malware and IoCs. 

In addition to the IOCs and malware detections, it is recommended that organizations utilizing these products implement additional security measures such as increasing enforcement levels on impacted systems to prevent suspicious command line or application configurations, implement automated response(s) to isolate systems that have been identified as being attacked, and utilize the EDR tools threat hunting capabilities to identify impacted systems or newly discovered IOCs that may not be implemented into the tools currently. 

Patching Vulnerable Systems

SolarWinds released an advisory to all customers to upgrade to the latest Orion Platform version, with hotfixes being released as late as December 23, 2020 (https://www.solarwinds.com/securityadvisory).

Qualys, Tenable, and Rapid7 have released detections for SolarWinds Orion Platforms to assist in identifying impacted and vulnerable systems through agents or network based scanning activities. 

The deepwatch Vulnerability Management team can assist customers in identifying vulnerable versions and upgrading to the non-vulnerable version of the SolarWinds Orion platform. 

Conclusion: The only way to detect and respond to attacks and events like this for most enterprises is to enact a holistic approach to security data aggregation and analysis. 

As this is an ongoing event, deepwatch will update this blog with any additional information as it becomes available prior to the release of Part II in this series.

Supporting Information

Subscribe to the deepwatch Insider Blog