An advanced threat actor has compromised the SolarWinds Orion software platform, a unified IT monitoring solution that will often have access to an organisation’s most sensitive secrets. Public reporting has revealed details of the threat actor having used compromising network management software as part of a supply chain attack against multiple high-profile victims. The compromise inserted a malicious “backdoor,” known as “SUNBURST”, into one of the libraries of this application that would give the threat actor a foothold in the affected system. Any servers with the vulnerable software installed should be isolated and investigated for evidence of compromise and the hotfix to the SolarWinds Orion Platform installed which will update the product to a newer version.
Disclaimer: This is a developing situation and as such some information within this post may be updated to reflect new and developing understanding of the threat actor’s campaign.
Supply chain attack against multiple high-profile victims
Public reporting has revealed details of a global campaign by a highly capable threat actor—currently tracked as “UNC2452”—compromising widely used network management software as part of a supply chain attack against multiple high-profile victims. The software in question is the SolarWinds Orion Platform and the compromise inserted a malicious “backdoor,” known as “SUNBURST”, in to one of the libraries of this application that would give the threat actor a foothold on the affected system.
SolarWinds’ 8-K SEC filing indicates that it believes the malicious code was inserted as part of the build process, and the source code was not directly affected. The update would appear to be legitimate to the victims, as it was installed as part of an official update and signed by a legitimate SolarWinds certificate.
Current reporting indicates that the malicious updates started being delivered to SolarWinds customers in March 2020 and continued until June 2020. Microsoft analysis indicates there are non-malicious anomalies in some historic updates that may be evidence of threat actor having access to the build process dating back to at least October 2019.
The presence of the malicious update does not indicate active exploitation
In the SEC filing, SolarWinds indicates that more than 17,000 organizations may have received an update containing the malicious code. However, the presence of the malicious update by itself does not indicate active exploitation of an organization by the threat actor. The nature of the supply chain compromise means that the threat actor would have had no control over which SolarWinds customers downloaded the update; therefore, the number of actively exploited organizations is likely to be less than the total who received the malicious update.
The first round of actively exploited victims was reported to notably include several US government organizations as well as the US cybersecurity company FireEye. Microsoft has since reported that they have seen active exploitation of more than 40 organizations related to this campaign across 8 countries. This includes the United States, Canada, Mexico, Israel, United Arab Emirates, Belgium, Spain and the United Kingdom.
To date, the organizations who have been reported as actively compromised as a result of this supply chain compromise appear to be focused on organizations with governmental operations or collaborations. These types of organizations would expect to attract attention from threat actors such as UNC2452, which exhibit a high degree of sophistication and resources in their operations. . There will be wider targets of opportunity who were exploited as a result of this supply chain compromise, but it is unlikely they were directly targeted at the start of this operation.
From ‘backdoor’ to ‘hands on keyboard’ activity
Once installed, the backdoor reportedly remains dormant for up to two weeks prior to performing a number of “checks” to avoid execution in the presence of security tooling or in un-desired locations, such as the SolarWinds network. Some of the checks will result in the backdoor remaining dormant until they pass, whilst others will result in an automated attempt to dry disable security tooling before then re-performing the checks to see if this was successful.
If all the checks pass, then the backdoor will attempt to communicate with a unique command and control (C2) server that combines a hash of information from the host with three other static components assembled from the backdoor’s code. The C2 channel enables the threat actor to issue a number of commands to further exploit the foothold on the victim network.
Public reporting indicates that the activity after the foothold is on “hands on keyboard” activity that varies from victim to victim. As part of the initial activity the threat actor is reported as leveraging a custom memory only dropper named as “TEARDROP”. This previously unseen malware is reported to persist as a service and being used to load a Cobalt Strike Beacon in at least one intrusion, though it is possible it could be used to load other malicious code.
Gaining highly privileged access
After these initial steps the threat actor is reported as leveraging more well-known techniques such as PowerShell and native utilities to escalate privileges and laterally move across a victim’s network. Despite being more well-known, the threat actor is noted as obfuscating commands and attempting to blend into specific legitimate activity.
Notably, the threat actor is reported as compromising key authentication mechanisms in order to gain highly privileged access. The abuse of SAML tokens plays a key part of the reported activity and at this time is reported to be achieved through the compromise of organization’s SAML token signing certificates. CISA alert AA20-352A5 indicates that the abuse of SAML tokens appears to be common in intrusions associated with this threat actor beyond those directly associated with SolarWinds.
The threat actor has been observed using the access gained through SAML to access key resources in cloud and online services of the victims. This includes the access of user files and emails. Microsoft have shared an excellent resource on hunting for this and the wider threat actor activity from this campaign.
Key objectives
The main objectives of the threat actor are reported to be the establishment of long-term persistent access to the victim and the theft of sensitive data. The technical details of the long-term persistence is well covered in the Microsoft blog where they note the abuse of federation trusts and OAuth Applications or Service Principals.
Reporting by key stakeholders investigating these intrusions stresses the advanced capability of the threat actor, and their considerations for operational security that enabled them to blend in with legitimate functionality. Therefore, organizations with the affected software installed should take steps proportionate to this capability to investigate, contain and remediate this threat.
An evolving investigation
It is important to note that the understanding in the public sphere has continued to be updated as the multiple investigations have progressed. One major update since the initial publication is the clarification of the “SUPERNOVA” and “COSMICGALE” cluster of activity not being directly related to main SolarWinds supply chain compromise. This activity is reported to be related to the exploitation of CVE-2019-8917 and is being tracked as distinct threat actors by both Microsoft and FireEye. Detection of this malicious activity remains important, but it should not be assumed to be linked to the wider SolarWinds cluster of activity.
What your organization should do about the SolarWinds hack
The advanced capability of the threat actor makes it possible for them to blend their activities in with legitimate business functionality. That’s why it’s crucial that organizations with the affected software installed take steps to investigate, contain and remediate this threat.
Any servers with the vulnerable software installed should be isolated and investigated for evidence of compromise. After the investigation, organization should prioritize installing the hotfix to the SolarWinds Orion Platform, which will update the product to version “2020.2.1 HF 2”.
SolarWinds reports that the hotfix will remove the compromised elements added by the threat actor and includes extra security enhancements to the product. This action should mitigate the risk of active exploitation through the backdoor, but it would not fully mitigate any active compromise beyond the backdoor.
More must be done
These attacks are generally being interpreted as part of a cyber espionage campaign, but they’re significant to organizations around the globe. Similar approaches are being used for aggressive network access acquisition by highly capable actors across critical industries.
This is part of a ‘hybrid’ approach to power projection and warfare that now could reach into corporate networks everywhere. Equally the attacks have a destabilizing effect. They undermine trust in the technology and security companies we rely on to enable an increasingly digital economy.
But there’s hope that backlash to the SolarWinds hacks could have a positive effect. There has been a collective realization among the international community that more must be done and there is an increased determination to collaborate, across international boundaries and between governments and private companies.