Lessons Learned From SolarWinds: Defensive Strategy Against Novel Malware

In December, SolarWinds, a leading provider of IT monitoring and management solutions for enterprises, disclosed that it had fallen prey to a widespread supply chain attack trojanizing its Orion business software updates.

FireEye & CrowdStrike, who have been supporting SolarWinds in its investigation, reported that the attackers deployed a novel malicious tool, SUNSPOT (which hasn’t been attributed to any known adversary), into the build environment of Orion’s platform to inject a backdoor known as SUNBURST. As many as 17,000 customers may have installed the trojanized software updates. However, the attackers were only interested in a few hundreds of these customers who received secondary payloads, such as the post-exploitation tool named Teardrop. The initial list of victims not only included the U.S government but other consulting and technology firms in North America, Europe, Asia, and the Middle East, as shown in the chart below:

Trends Observed in the SolarWinds Hack

Now a few weeks past the first discovery of the attack, it’s critical to step back and analyze the phases and ramifications of such a highly evasive campaign.

Although FireEye uncovered the scope of this sophisticated supply chain attack in December, SolarWinds revealed that the malware SUNSPOT may have been inserted into its customers' update packages between March 2020 and June 2020. Since then, the highly skilled attackers have successfully managed to evade the standard forensic and antivirus methods used by SolarWinds, other private companies, and the federal government. The campaign that’s currently ongoing has the following timeline, connecting the dots between FireEye’s discovery of the attack and SolarWinds’ original hack:

Russian cybercriminals are suspected of using SolarWinds Orion software updates to install the SUNBURST backdoor on enterprise users’ IT systems and networks, causing a serious attack of unprecedented proportions. FireEye’s findings revealed that the backdoor communicates with third-party servers via HTTP, after an initial dormant period following deployment. Once the malware activates, it is able to gather data as it traverses compromised networks as legitimate lateral traffic without getting detected, and it even “stores reconnaissance results within legitimate plug-in configuration files.”

Threat Vectors and Detection Opportunities

Hackers behind this widespread campaign use a variety of threat vectors to masquerade their footprints while they move laterally. Hence, if you are using the above mentioned SolarWinds Software, the below section will help you find some potential opportunities for detection:

• TEARDROP and BEACON Malware: In at least one of the SUNBURST samples that have been recovered, the attackers deployed a previously unseen memory-only dropper (dubbed TEARDROP) to deploy Cobalt Strike BEACON.
• Attacker Hostnames Match Victim Environment: The threat actors matched the hostnames of their command-and-control infrastructure with the victim's environment’s hostname to blend into the environment and avoid suspicion.
• Lateral Movement Using Different Credentials: Once the attackers gained access to the network, they moved laterally using credentials that are different from those used for remote access.
• Temporary File Replacement and Temporary Task Modification: Using a temporary file replacement technique, the attackers manipulated scheduled tasks to execute their tools and then returned the scheduled task to its original configuration. Once legitimate remote access was achieved, they also removed any trace of Backdoors.

General Detection and Protection Measures

As the campaign is currently ongoing, these are the precautionary measures recommended by SolarWinds to stay ahead of evolving attack vectors:

• SolarWinds has asked customers using the product Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to ensure the security of your environment. This version is currently available here.
• SolarWinds has asked customers using the product Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which is available for download here.
• The hotfix release 2020.2.1 HF 2 is now available in the SolarWinds Customer Portal at https://customerportal.solarwinds.com/. It is recommended to update to the 2020.2.1 HF 2, as the 2020.2.1 HF 2 release replaces the compromised component and provides several additional security enhancements.
• Please follow the guidelines available here for securing your Orion Platform instance if an immediate upgrade hasn’t been performed.
• In case the SolarWinds infrastructure isn’t isolated, block domain and subdomain of avsvmcloud[.]com at perimeter level and restrict the scope of connectivity to endpoints (Tier 0/Crown Jewel Assets) from SolarWinds servers. 

Proactive Protection and Mitigation Recommendations

According to the latest "2020 State of the Software Supply Chain" report released by Sonatype, the so-called "next-generation" supply chain attacks have surged by 430% in the past year. As the adversaries are getting craftier and imposing an unprecedented level of risks, the world should look to specialized coverage indispensable to cybersecurity protection against evolving cyber-attacks.

FireEye’s analysis of SUNBURST revealed extensive use of lateral movement to propagate and infect other systems. Further, the lack of proactive process-based controls allowed further attacks on infected systems. As new threat information continues to emerge, companies should undertake the following mitigation strategies to defend against further risks from this and other sophisticated cyber attacks:

• Ring-fence any third-party servers and internal critical applications to prevent unauthorized communications between systems and reduce propagation via lateral movement.
• Ensure your endpoints are protected to prevent hackers from launching legitimate applications and processes from within malicious code.
• Implement continuous monitoring security practices that look for attack patterns exploiting trusted processes and prevent further connections and beacons.

Applying security hygiene and east-west segmentation along with endpoint and server hardening can be effective techniques to reign in spiraling complex segments that promote unseen lateral movement. Such attacks depend on network complexity and lack of east-west controls to move laterally from system to system. Micro-segmentation that automatically prevents communication between systems that do not otherwise communicate significantly reduces the propagation possible via lateral movement.

Also published on: https://colortokens.com/wp-content/uploads/SolarWinds_Threat_Brief.pdf