FireEye:- Sunburst Attack

Background

Let us talk a bit about how FireEye came to be the one who publicly disclosed the SolarWinds supply chain security intrusion.

 

Actors

  1. Volexity ( Link )
  2. FireEye ( Link )
  3. SolarWinds ( Link )
  4. Microsoft ( Link )

Volexity

Public Disclosure:- 2020-December-14

Link

On December 14th, 2020, Volexity published a web post.

In the web post, Volexity recounted work it was doing on behalf of a think tank.

Consulting Engagement

First Engagement

Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years.

Second Engagement

The attacker compromised the organization’s Microsoft Exchange Control Panel.

Although the think tank secured access using Duo’s multi-factor authentication (MFA), the attacker still bypassed it using a novel technique.

Once the MFA requirement was bypassed, the actor was able to access the mailbox of a user via the organization’s Outlook Web Application (OWA).

Third Engagement

In June and July 2020, application updates were presented to the think tank.

The updates originated from SolarWinds Orion software.

The think tank’s IT staff accepted the updates.

Unfortunately, the updates provided the actor with backdoors.

Attack Goal

The primary goal of the threat actor was to obtain emails of specific individuals at the think tank.

The targeted individuals were:-

  1. Select Executives
  2. Policy Experts
  3. IT Staff

Cozy Bears?

Volexity is able to tie the attacks against the think tank to FireEye’s public disclosure via correlative data:-

  1. The overlap between command-and-control (C2) domains
  2. The backdoored servers were those running the same third-party application; in this case SolarWinds Orion.

Blog Posts

  1. Volexity Threat Research
    • Responding to the SolarWinds Breach: Detect, Prevent, and Remediate the Dark Halo Supply Chain Attack
      • Authored:- Volexity Threat Research
        Date:- 2020-December-16
        Link
    • Dark Halo Leverages SolarWinds Compromise to Breach Organizations
      • Authored:- Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
        Date:- 2020-December-14
        Link

 

FireEye

Principals

  1. Kevin Mandia ( CEO )
  2. Charles Carmakal
    • Corporate:- Mandiant, FireEye’s incident response arm
    • Position:- Senior vice president (SVP) and chief technology officer (CTO)

Engagement

Discovery

Early in December 2020, FireEye discovered it had been hacked.

Charles Carmakal:-

  1. We initially detected the incident because we saw a suspicious authentication to our VPN solution.
  2. The attacker was able to enroll a device into our multi-factor authentication solution
  3. The enrollment generated an alert which we then followed up on

FireEye tracked the source to SolarWinds’ Orion software.

Research

FireEye looked through 50,000 lines of source code and discovered a backdoor.

Response

FireEye contacted SolarWinds and the Federal Bureau of Investigation (FBI).

 

Subject of Attack

FireEye discovered that sensitive security forensic tools had been stolen.

The tools were used to discover vulnerabilities on FireEye’s clients’ computer networks.

 

Attack Circumference

Confirmed
  1. Government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East
  2. United States
    • Federal Government
      • Department of Commerce
      • Department of Homeland Security
      • Department of the Treasury
Anticipated
  1. We anticipate there are additional victims in other countries and verticals.

 

Attack Sophistication

  1. Charles Carmakal
    • Carmakal said the hackers took advanced steps to conceal their actions:-
      • Their level of operational security is genuinely exceptional.
      • The hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.
  2. Kevin Mandia
    • The hackers behind the SolarWinds attack went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection
    • The adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools, according to Mandia.
    • The malware inserted into SolarWinds Orion masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity.
    • The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
    • Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection
    • The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.
    • Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access
    • Once legitimate remote access was achieved, the hackers routinely removed their tools, including removing backdoors.

Stealth Mode

  1. The hackers were able to breach U.S. government entities by first attacking the SolarWinds IT provider.
  2. By compromising the software used by government entities and corporations to monitor their network, hackers were able to gain a foothold into their network and dig deeper all while appearing as legitimate traffic.

 

Impact

  1. (-)
    • Theft of security and forensic tools
    • Embarrassing for a cybersecurity team
  2. (+)
    • Crucial mistakes for the hackers (?)
    • Charles Carmakal had this to say…
      • If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer
      • One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners.

Detection Toolset

Links
  1. FireEye / sunburst_countermeasures
Components
FireEye / sunburst_countermeasures

Provides countermeasures for the following antivirus and detection tools

  1. Snort
    • Metadata
  2. Yara
    • Vendors
      • VirusTotal
        • virustotal.github.io
          Link
  3. IOC ( Indicators of Compromise )
    • Vendors
      • Palo Alto Networks
  4. ClamAV

Blog Posts

  1. FireEye
    • FireEye Stories
      • Global Intrusion Campaign Leverages Software Supply Chain Compromise
        • Authored:- Kevin Mandia
          Date:- 2020-December-13
          Link

Summary

Politico

Politico:- How suspected Russian hackers outed their massive cyberattack
Authored:- Natasha Bertrand, Andrew Desiderio
Link

The hackers essentially pushed their luck after gaining access to FireEye. They attempted to burrow deeper into the firm by registering one of their devices with the company’s network, which in theory would let them rummage around more without being detected, people familiar with the matter said.

After discovering the intrusion, FireEye announced earlier this month that sophisticated hackers with “world-class capabilities” had breached its systems and stole the tools it uses to simulate cyberattacks against its clients. That triggered a broader search for signs of tampering at other companies and government agencies, given how widely SolarWinds’ software is used.

 

SolarWinds

Origination of Attack

The software builds for Orion versions 2019.4 HF 5 through 2020.2.1 that were released between March 2020 and June 2020 contained a trojanized component.

The attackers managed to modify an Orion platform plug-in called SolarWinds.Orion.Core.BusinessLayer.dll that is distributed as part of Orion platform updates.

The trojanized component is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.

Compromised Versions

  1. Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  2. Orion Platform 2020.2 RC1, version 2020.2.100.12219
  3. Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  4. Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

 

Remediation

Orion Platform Upgrade

  1. 2020-12-16 Tuesday
    • Orion Platform Version 2020.2.1 HF 2
      • Additional security enhancements
      • Advisory
        Link

 

Microsoft

Outline

  1. WhiteListed IP Address Ranges
  2. SinkHole

WhiteListed IP Address Ranges

Via Source Code Analysis, FireEye discovered that the perpetrators “whitelisted” about a dozen IP Address ranges.

Once the code realizes that it is running on a Host that falls within the listed range, it will stop executing.

Probably, this allowed the infection to remain undetected in monitored laboratory environments.

SinkHole

FireEye shared the IP Address Range with Microsoft and GoDaddy.

GoDaddy’s role here is that of an Internet domain registrar.

GoDaddy created DNS records so that every avsvmcloud[.]com subdomain points at IP addresses owned by Microsoft.

Keep in mind that having the domain resolve to the aforementioned Microsoft IP range essentially NOPs the attack.
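
The range check and sinkhole described above, turned into a DNS-log triage as an added example (not code from this post or from FireEye). It assumes the check applies to the address the domain resolves to, as the sinkhole description implies; the log format, the sample lines and the listed ranges are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Domain named in the post, written defanged there; re-fanged only for matching.
C2_ZONE = "avsvmcloud[.]com".replace("[.]", ".")
# Placeholder ranges (RFC 5737 documentation space). The post does not list the
# real whitelisted/sinkhole ranges; substitute the published ones.
LISTED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed resolver log lines: "time client query answer" (format is an assumption).
SAMPLE_DNS_LOG = """\
2020-07-02T08:00:00 10.1.1.5 host1.sub.avsvmcloud.com 192.0.2.44
2020-12-17T09:00:00 10.1.1.5 host1.sub.avsvmcloud.com 198.51.100.7
2020-12-17T09:05:00 10.1.1.9 HOST2.sub.AVSVMCLOUD.com. 203.0.113.20
2020-12-17T09:06:00 10.1.1.9 notavsvmcloud.com 192.0.2.1
2020-12-17T09:07:00 10.1.1.7 www.example.org 192.0.2.80
"""

def in_zone(name, zone=C2_ZONE):
    """True for the zone itself or any subdomain, but not look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def is_listed(answer):
    """True if the resolved address falls inside one of the listed ranges."""
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in LISTED_RANGES)

def triage(log):
    """Map each client that queried the zone to its neutralized and review-worthy lookups."""
    result = defaultdict(lambda: {"neutralized": [], "review": []})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, query, answer = line.split()
        if in_zone(query):
            # An answer inside a listed range stops the backdoor; anything else did not.
            bucket = "neutralized" if is_listed(answer) else "review"
            result[client][bucket].append((ts, query, answer))
    return dict(result)

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_DNS_LOG).items():
        print(client, {k: len(v) for k, v in hits.items()})
```

Every client that appears in the result queried the domain and is a candidate for running a trojanized build; lookups in the "review" bucket were answered outside the listed ranges, so the range check did not stop the backdoor at that time.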

 

Operational Capability

CSO Online

Blog Post:- SolarWinds attack explained: And why it was so hard to detect

Author:- Lucian Constantin
Link

Incubation

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” the FireEye analysts said. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

Light Footprint

The attackers kept their malware footprint very low, preferring to steal and use credentials to perform lateral movement through the network, and establish legitimate remote access. The backdoor was used to deliver a lightweight malware dropper that has never been seen before and which FireEye has dubbed TEARDROP. This dropper loads directly in memory and does not leave traces on the disk.

Researchers believe it was used to deploy a customized version of the Cobalt Strike BEACON payload. Cobalt Strike is a commercial penetration testing framework and post-exploitation agent designed for red teams that has also been adopted and used by hackers and sophisticated cybercriminal groups.

Detection Avoidance

To avoid detection, attackers used temporary file replacement techniques to remotely execute their tools. This means they modified a legitimate utility on the targeted system with their malicious one, executed it, and then replaced it back with the legitimate one. A similar technique involved the temporary modification of system scheduled tasks by updating a legitimate task to execute a malicious tool and then reverting the task back to its original configuration.

Detection Pathway

“Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time,” the FireEye researchers said. “Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.”
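
The delete-create-execute-delete-create hunt from the quote above, written out as an added example (not code from this post, FireEye or CSO Online). The one-line-per-event log format, the host names and the sample events are constructed; real SMB or file audit records would first be normalized into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, normalized to "time host action path".
# This line format is an assumption; map your own SMB/file audit fields onto it.
SAMPLE_LOG = """\
2020-12-01T10:00:00 HOST-A delete C:\\Tools\\util.exe
2020-12-01T10:00:05 HOST-A create C:\\Tools\\util.exe
2020-12-01T10:00:07 HOST-A read C:\\Tools\\util.exe
2020-12-01T10:00:09 HOST-A execute C:\\Tools\\util.exe
2020-12-01T10:00:30 HOST-A delete C:\\Tools\\util.exe
2020-12-01T10:00:34 HOST-A create C:\\Tools\\util.exe
2020-12-01T11:00:00 HOST-B delete C:\\Tools\\util.exe
2020-12-01T11:00:02 HOST-B create C:\\Tools\\util.exe
2020-12-01T15:00:00 HOST-B execute C:\\Tools\\util.exe
"""

PATTERN = ["delete", "create", "execute", "delete", "create"]

def parse(log):
    """Yield (time, host, action, path) for actions that are part of the pattern."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split(" ", 3)
        if action in PATTERN:
            yield datetime.fromisoformat(ts), host, action, path.lower()

def find_swaps(log, window=timedelta(minutes=5)):
    """Return (host, path, start, end) for each full pattern completed within window."""
    by_file = defaultdict(list)
    for ts, host, action, path in sorted(parse(log)):
        by_file[(host, path)].append((ts, action))
    hits = []
    for (host, path), events in by_file.items():
        i = 0
        while i + len(PATTERN) <= len(events):
            chunk = events[i:i + len(PATTERN)]
            in_time = chunk[-1][0] - chunk[0][0] <= window
            if [a for _, a in chunk] == PATTERN and in_time:
                hits.append((host, path, chunk[0][0], chunk[-1][0]))
                i += len(PATTERN)  # consume the matched events
            else:
                i += 1
    return hits

if __name__ == "__main__":
    for host, path, start, end in find_swaps(SAMPLE_LOG):
        print(f"{host}: {path} swapped and restored in {(end - start).seconds}s")
```

The window is the tuning knob: a legitimate software update can also delete and recreate a binary, but it rarely executes the replacement and restores the original within minutes.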

 

Must Reads

  1. United States
    • CyberSecurity & Infrastructure Security Agency ( CISA )
      • Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
        • Alert (AA20-352A)
          Link

References

  1. Volexity
    • Dark Halo Leverages SolarWinds Compromise to Breach Organizations
      by Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
      Link
  2. KrebsOnSecurity
    • Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’
      Link
  3. CSO Online
    • SolarWinds attack explained: And why it was so hard to detect
      Authored:- Lucian Constantin
      Link
  4. DUO.COM
    • STOPPING SOLARWINDS BACKDOOR WITH A KILLSWITCH
      Authored:- Fahmida Y. Rashid
      Link
  5. Politico
    • How suspected Russian hackers outed their massive cyberattack
      Authored:- Natasha Bertrand, Andrew Desiderio
      Link
  6. Bloomberg
    • FireEye Discovered SolarWinds Breach While Probing Own Hack
      Authored:- William Turton and Kartikay Mehrotra
      Link
  7. CRN
    • Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
      Link
  8. BBC
    • SolarWinds: Why the Sunburst hack is so serious
      Link
  9. recode
    • How hackers, probably Russian, infiltrated the federal government
      Link
  10. thecyberwire
    • SolarWinds breach updates. Microsoft sinkholes Sunburst’s C&C domain. Facebook takes down inauthentic networks targeting Africa.
      Link

 
