By now you have likely heard about the SolarWinds compromise and supply chain attack. We wanted to get a notice out to you as quickly as possible so you can be up to date, understand how this could affect you, and know what you should do now.
We learned today (December 14, 2020) that the SolarWinds Orion product was used to breach multiple high-profile organizations, one of which was FireEye. It is also believed this kill chain was used in the recent breaches of the United States Treasury and Commerce departments.
It is also believed the White House, the Pentagon, NASA, and more than 425 of the US Fortune 500 could be impacted by this attack. Reporting at the time also tied the campaign to a compromise of the National Telecommunications and Information Administration's Microsoft Office 365 environment.
12/22/2020 Sunburst Updates
We continue to learn more surrounding this compromise daily. Here is the trimmed down information you need to be aware of to ensure you are properly responding.
TEARDROP
All the news is focused on SUNBURST, but I urge you to familiarize yourself with the post-compromise activity, including the second-stage payload known as TEARDROP. FireEye has updated its threat research, and I urge you to read and understand the TTPs discussed.
TEARDROP is a memory-only dropper that runs as a service. It reads a file named "gracious_truth.jpg" (a fake .jpg that has been reported as part of the attack), decodes an embedded payload, and loads that payload straight into memory, where it runs a customized Cobalt Strike BEACON. Please understand: THIS IS A MEMORY-ONLY DROPPER.
What does that mean? The decoded payload never touches disk and does not survive a reboot. If you power off your Orion boxes rather than isolating them from the network, the in-memory artifacts (the beacon, its configuration, and its live connections) are likely gone. The service registration, the dropper and the fake .jpg may still be on disk, so isolate the host, capture memory, and only then shut it down.
Attack Detection
Some good news though—there are a few possible detection methods.
First, it has been reported that (believe it or not) Windows Defender may have logged an event for execution of a non-Microsoft-signed binary. Check those logs if you are running Defender; if you are not, check your endpoint logs for similar activity. Also, Windows logs every service installation to the System log as Event ID 7045 (and to the Security log as Event ID 4697 if you audit Security System Extension), so check those and verify that every service installed and started is one you recognize!
I will forewarn: I hope you are backing those logs up to a SIEM, because these attackers clean up their tracks well, and part of that is event log manipulation and deletion (watch for Security Event ID 1102 and System Event ID 104, which record a cleared log).
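The service-install and log-clearing checks above, as an added example (not code from the original advisory). It assumes an elevated PowerShell session on the Orion server, a 90-day look-back that is arbitrary, and "Microsoft Corporation" as the expected signer; that last check is the advisory's heuristic, not a guarantee, since attackers can bring signed binaries and some legitimate vendors are not Microsoft.

```powershell
# Added example (not code from the original advisory): hunt a Windows host for service
# installations and for cleared event logs. Assumptions: elevated session on the Orion
# server; the 90-day look-back is arbitrary.
$since = (Get-Date).AddDays(-90)

# Event ID 7045 ("A service was installed in the system") is written to the System log by
# the Service Control Manager with no extra audit policy. Its EventData fields are, in
# order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

$report = foreach ($evt in $installs) {
    $serviceName = $evt.Properties[0].Value
    $imagePath   = $evt.Properties[1].Value
    $account     = $evt.Properties[4].Value

    # ImagePath may be quoted and may carry arguments; reduce it to the executable.
    $exe = $imagePath -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe)\s.*$', '$1'
    $files = @([Environment]::ExpandEnvironmentVariables($exe))

    # A service hosted by svchost.exe keeps its real code in Parameters\ServiceDll, so
    # checking only svchost.exe would tell you nothing. Check the DLL as well.
    $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $files += [Environment]::ExpandEnvironmentVariables($dll) }

    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) {
            $status = 'FILE MISSING (removed after install?)'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid') {
                $status = "UNSIGNED/INVALID ($($sig.Status))"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $status = "NON-MICROSOFT SIGNER ($($sig.SignerCertificate.Subject))"
            } else {
                $status = 'Microsoft-signed'
            }
        }
        [pscustomobject]@{ Time = $evt.TimeCreated; Service = $serviceName; Account = $account; File = $file; Status = $status }
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# Track-covering: Security 1102 ("The audit log was cleared") and System 104 ("The System
# log file was cleared"). Either one on an Orion server is a finding on its own, and a
# reason to work from the SIEM copy of the logs rather than the host copy.
$cleared = foreach ($log in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
    Get-WinEvent -FilterHashtable ($log + @{ StartTime = $since }) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, UserId
}
$cleared | Format-Table -AutoSize
```

A "FILE MISSING" row is as interesting as an unsigned one: a service whose binary was removed after installation is consistent with the clean-up behaviour described in this update. Run the same script against the SIEM export if the host's logs come back empty for the window.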
Next, it has been observed that once this C2 is established, the attackers use that foothold to enumerate your infrastructure and harvest credentials, tokens, and certificates that can be used to establish alternate ways in. They also study your perimeter to identify any legitimate services used for remote connectivity. In the third stage of the attack, they use the harvested credential sets to re-establish network access through your VPN, remote access tools, and cloud environments (O365, Azure, AWS, G Suite).
Then, they burn down their C2 infrastructure, clean up any artifacts, delete relevant event logs, and sneak out the backdoor hoping you never know they were there.
The NSA has published a cybersecurity advisory, "Detecting Abuse of Authentication Mechanisms," detailing how forged SAML tokens and stolen OAuth application credentials are being used to reach cloud resources. I suggest you give it a read:
The Pattern
In simple terms, the attackers follow this pattern:
SUNBURST beacons > TEARDROP is deployed > Creds/Tokens/Certs are harvested > Attackers burn down their C2 and cover tracks > Re-establish persistence through legit channels (VPN, Cloud, Citrix, and other legitimate remote access services)
We have also recently learned that the primary domain used in this attack (avsvmcloud[.]com) was actually shut down in late October. That domain has since been turned into a kill switch, but the late-October date matters for understanding the likely window in which your environment was exposed.
What does all this mean?
First, there is a chance the attacker has already been in your network, harvested what they needed to connect elsewhere, and left. They may be actively using these newly acquired credentials, or they may be sitting back waiting for the opportune moment to re-establish connectivity and stage another attack.
Second, give special focus to all your ingress points. Watch your VPN like a hawk, verify all connections to your cloud environment, tighten up controls on those Citrix (or similar) environments, SHUT DOWN your public RDP servers (I mean, c’mon!). And on top of that, make sure you have properly deployed MFA to ALL public access points for your infrastructure.
Third, and speaking of MFA, if you are using Duo in front of OWA, investigate those services. In these intrusions the attackers stole the Duo integration secret key (the akey) from the OWA server and used it to generate valid Duo session cookies, bypassing MFA without ever touching a user's second factor. Resetting user passwords does not help there; rotate the integration secret as well.
Fourth: default deny, anyone? If default deny (ingress AND egress) had been applied to these Orion servers, SUNBURST could never have reached its C2 domain and there would be far less to worry about right now. This is a great excuse to get working on default deny for all of your critical infrastructure.
There is absolutely NO reason your systems need unrestricted access to the internet, so shut it down.
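What default deny looks like on the Orion host itself, as an added example (not configuration from the original advisory or from SolarWinds). It uses the Windows Firewall NetSecurity cmdlets and assumes placeholder addresses: 10.10.0.0/16 as the monitored network, 10.0.5.0/24 as the admin subnet, 10.0.1.10 and 10.0.1.11 as internal DNS, and 10.0.2.20 as the Orion SQL server. The same policy belongs on the network firewall in front of the box; the host rules are the backstop, not the only layer.

```powershell
# Added example (not from the original advisory or from SolarWinds): default-deny host
# firewall for an Orion server with the minimal allow rules polling needs. All addresses
# below are placeholders for your own networks.

# Before (Windows default): inbound is blocked unless a rule allows it, but OUTBOUND is
# allowed by default, which is exactly the path SUNBURST used to reach avsvmcloud[.]com.
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# After: deny both directions by default and log what gets dropped, so the allow list is
# tuned from evidence rather than guesswork.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767

$monitored = '10.10.0.0/16'          # devices Orion polls (assumption)
$adminNet  = '10.0.5.0/24'           # where admins sit (assumption)
$dns       = '10.0.1.10', '10.0.1.11' # internal resolvers (assumption)
$sql       = '10.0.2.20'             # Orion database server (assumption)

# Outbound: only what polling and the database need. Note there is no rule to the internet;
# vendor updates are fetched from an admin workstation and copied over.
New-NetFirewallRule -DisplayName 'Orion out: DNS'             -Direction Outbound -Action Allow -Protocol UDP    -RemotePort 53       -RemoteAddress $dns
New-NetFirewallRule -DisplayName 'Orion out: SQL'             -Direction Outbound -Action Allow -Protocol TCP    -RemotePort 1433     -RemoteAddress $sql
New-NetFirewallRule -DisplayName 'Orion out: SNMP polling'    -Direction Outbound -Action Allow -Protocol UDP    -RemotePort 161      -RemoteAddress $monitored
New-NetFirewallRule -DisplayName 'Orion out: ICMP echo'       -Direction Outbound -Action Allow -Protocol ICMPv4 -IcmpType 8          -RemoteAddress $monitored
New-NetFirewallRule -DisplayName 'Orion out: WMI/RPC polling' -Direction Outbound -Action Allow -Protocol TCP    -RemotePort 135, 49152-65535 -RemoteAddress $monitored

# Inbound: console, traps and remote admin from known networks only. RDP from anywhere
# else stays blocked by the profile default.
New-NetFirewallRule -DisplayName 'Orion in: HTTPS console' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443  -RemoteAddress $adminNet
New-NetFirewallRule -DisplayName 'Orion in: SNMP traps'    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 162  -RemoteAddress $monitored
New-NetFirewallRule -DisplayName 'Orion in: RDP (admin)'   -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $adminNet

# Verify the defaults took effect on every profile.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Expect the first few days of pfirewall.log to show legitimate drops (a forgotten syslog target, a trap sender on a subnet you did not list); add those as explicit rules rather than loosening the default. If a monitored device needs Windows Update or a proxy, give it its own rule to that one destination.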
Fifth, stay diligent. Watch all of these things and pay attention to your SIEM, EDR, NGFW, and whatever else is in your security stack for anomalies, and investigate accordingly. Search your logs for residue the attackers may have left behind (you have six months of log retention, right?) to determine your initial level of impact.
Other: If you have been affected, plan an organization-wide account reset. We know it sucks, but you need to do this anyway. I’m sure you’ve got some service accounts using passwords from five years ago, so now you have the ammunition needed to get these things reset. And while you are in there, audit all your users and groups. Ensure the only users with admin rights are the ones you expect, and make sure no newly created users have been deployed without proper approval/knowledge. Just practice good hygiene, and keep a focused eye on your environment.
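The account reset and admin audit above, as an added example (not code from the original advisory). It assumes the ActiveDirectory RSAT module is installed and the caller can read the directory; the 30-day "newly created" window and the 365-day "stale password" threshold are arbitrary, and -WhatIf is left on the reset step so the script reports what it would change rather than changing it.

```powershell
# Added example (not code from the original advisory): an Active Directory hygiene pass for
# the account-reset and admin-audit steps. Assumptions: ActiveDirectory module available;
# the 30-day and 365-day thresholds are arbitrary; -WhatIf left in place on the reset.
Import-Module ActiveDirectory

$newSince   = (Get-Date).AddDays(-30)
$staleSince = (Get-Date).AddDays(-365)
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Who actually holds privilege? -Recursive resolves nested group membership, which is
#    where unexpected admins usually hide. Diff this against the list your team expects.
$admins = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, distinguishedName
}
$admins | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Accounts created inside the window in which the attacker may have been present.
Get-ADUser -Filter { whenCreated -ge $newSince } -Properties whenCreated, Description |
    Select-Object SamAccountName, whenCreated, Enabled, Description | Format-Table -AutoSize

# 3. Enabled accounts whose password is older than a year, was never set, or never expires.
#    Accounts carrying an SPN are service accounts and need a coordinated rotation.
Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $staleSince -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'IsServiceAccount'; e = { $_.ServicePrincipalName.Count -gt 0 } } |
    Format-Table -AutoSize

# 4. Force a password change at next logon for every privileged human account. Remove
#    -WhatIf to apply. SPN-bearing accounts are skipped so a blind reset does not break services.
$admins | Where-Object objectClass -eq 'user' | Sort-Object SamAccountName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName
    if ($u.ServicePrincipalName.Count -eq 0) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
    }
}
```

Step 3 is the list that gives you the "ammunition" for the service-account conversation: anything flagged IsServiceAccount with a multi-year PasswordLastSet needs an owner, a rotation plan, and ideally a move to a managed service account. Also reset the krbtgt account twice (with a gap for replication) if you believe a domain controller was reached, since a harvested krbtgt hash survives every user reset.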
I’m certain we will learn more about their techniques as this continues to unfold and we’ll update you again soon.
In the meantime, happy hunting! Please contact FRSecure if we can help in any way.
12/16/2020 Updates
- Corelight (the company behind Zeek) has published a new IoC list compiling community input, including from FireEye, Volexity, John Bambenek, and SANS. We suggest reviewing your environment for any sign of these indicators.
- The RedDrip research team decoded the DGA-generated subdomains that the backdoor used to beacon (each encodes the victim's domain name) and has published a list of organizations that could have been impacted. Check that list to see if any of your domains are present!
- Building on that work, Microsoft has turned the original domain we reported (avsvmcloud[.]com) into a kill switch, disabling active beaconing. More details here:
Initial Releases (12/14/2020)
- You can review the SolarWinds Security Advisory here:
- You can review the FireEye publicly released report here:
Initial Threat Intel and Suggestions
The attackers implanted malicious code into the SolarWinds Orion product that deploys a backdoor (SUNBURST) used for follow-on activity. At this time, the known affected builds are Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020. The backdoor allows attackers to transfer files, execute files and commands, profile the system, reboot the system, and stop system services (including EDR and antivirus). The attackers use this backdoor to move laterally and deploy further persistence mechanisms within the impacted network. They rely on living-off-the-land and fileless techniques to minimize their malware footprint and lower the likelihood of detection, and they are known to deploy a Cobalt Strike beacon as part of the kill chain.
What should you do?
If You Are Utilizing Any of the Affected SolarWinds Product Versions in Your Environment:
- Disconnect all SolarWinds Orion systems from the network immediately.
- Reset all domain-level power user and admin account passwords immediately.
- Look for the presence of C:\Windows\SysWOW64\netsetupsvc.dll; this would indicate an active breach.
- Review your environment for DNS queries or connections to avsvmcloud.com; this would indicate an active breach.
- SolarWinds has stated a patch will be released on 12/15/2020 – make a plan to apply this patch as soon as it’s available.
Review your environment to determine whether you could have been affected. Below is a hash list of all known compromised versions of SolarWinds Orion (via the SANS Internet Storm Center).
Block All of These Hashes Immediately:
- Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  Sha1: 76640508b1e7759e548771a5359eaed353bf1eec
  File Size: 1011032 bytes
  File Version: 2019.4.5200.9083
  Date first seen: March 2020
- Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
  File Size: 1028072 bytes
  File Version: 2020.2.100.12219
  Date first seen: March 2020
- Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
  Sha1: e257236206e99f5a5c62035c9c59c57206728b28
  File Size: 1026024 bytes
  File Version: 2020.2.100.11831
  Date first seen: March 2020
- Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
  Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
  File Size: 1026024 bytes
  File Version: not available
  Date first seen: March 2020
- Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
  Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
  File Size: 1029096 bytes
  File Version: 2020.4.100.478
  Date first seen: April 2020
- Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  Sha1: 2f1a5a7411d015d01aaee4535835400191645023
  File Size: 1028072 bytes
  File Version: 2020.2.5200.12394
  Date first seen: April 2020
- Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  Sha1: d130bd75645c2433f88ac03e73395fba172ef676
  File Size: 1028072 bytes
  File Version: 2020.2.5300.12432
  Date first seen: May 2020
- Connections to avsvmcloud.com domain from within your environment.
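A single-host sweep for the indicators in this section (the hash list, the netsetupsvc.dll drop and the avsvmcloud.com beaconing), as an added example that is not code from the original advisory, from SolarWinds or from FireEye. It assumes an elevated session on the Orion server, the default install root C:\Program Files (x86)\SolarWinds, that the hashes above belong to SolarWinds.Orion.Core.BusinessLayer.dll (the trojanized component named in FireEye's report), and that Orion processes carry names beginning with "SolarWinds".

```powershell
# Added example (not from the original advisory, SolarWinds or FireEye): sweep one Orion
# host for the listed indicators. Assumptions: elevated session; default install root;
# the SHA256 list is copied from the SANS ISC list above.
$KnownBadSha256 = @(
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
    'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed',
    'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
    'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6'
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Trojanized Orion DLL: hash every copy under the install root, not just the first hit.
$root = 'C:\Program Files (x86)\SolarWinds'   # assumption: default install path
Get-ChildItem -Path $root -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($KnownBadSha256 -contains $h) {
            $findings.Add("KNOWN-BAD Orion DLL $($_.FullName) sha256=$h version=$($_.VersionInfo.FileVersion)")
        }
    }

# 2. TEARDROP drop location from the advisory.
$teardrop = Join-Path $env:SystemRoot 'SysWOW64\netsetupsvc.dll'
if (Test-Path -LiteralPath $teardrop) {
    $findings.Add("TEARDROP indicator present: $teardrop")
}

# 3. Beaconing: the resolver cache only holds recent lookups, so a hit is a live indicator
#    and a miss means "check the DNS server and proxy logs", not "clean".
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*avsvmcloud.com' } |
    ForEach-Object { $findings.Add("DNS cache entry for C2 domain: $($_.Entry) -> $($_.Data)") }

# 4. Live connections from Orion processes, for review against your firewall allow list
#    (the advisory lists the domain, not IPs, so these are listed rather than judged).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like 'SolarWinds*' } |
    ForEach-Object { $findings.Add("Orion process $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)") }

if ($findings.Count -eq 0) {
    'No listed indicators found on this host (which does not rule out compromise).'
} else {
    $findings
}
```

Run this before isolating or powering off the box if you can, since step 4 and the DNS cache are exactly the volatile evidence that a shutdown destroys. A known-bad hash with no other findings still means the backdoor was present; treat the host, and every credential it could reach, as compromised.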
Where to Learn More About the SolarWinds Compromise
- SANS will be broadcasting an emergency webcast today (December 14, 2020) at 4:00pm CST to cover the details of the SolarWinds supply chain attack. We recommend you tune in to find out more.
- CISA/Department of Homeland Security Emergency Directive 21-01:
- Also potentially affected:
As always, FRSecure is here to help. Whether you suspect you have been compromised as part of this attack or are simply hoping to shore up your defenses before this becomes a larger concern, please do not hesitate to reach out to our incident response team.