It entered through the back door, set its sights on FireEye and knocked the wind out of some 18,000 Orion customers.

In a blog post released 13 Dec 2020, cybersecurity firm FireEye disclosed that threat actors had compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll.

The trojanized DLL carried a backdoor that FireEye named SUNBURST. It reached customers through SolarWinds' normal update channel, packaged in a digitally signed Windows Installer Patch (.msp), so the systems that installed it trusted the code. Initial access through a compromised software supply chain (MITRE ATT&CK T1195.002, Compromise Software Supply Chain) is particularly dangerous because the malicious component inherits the vendor's trust and can go undetected for a long period. FireEye has since released countermeasures, in the form of detection signatures, that identify the SUNBURST malware.

FireEye had itself been breached earlier and was investigating that incident when it found that code from one of its software providers, SolarWinds, contained a malicious backdoor. According to a FireEye spokesperson commenting on the SolarWinds attack, the company has continued to take action to protect organizations from the supply chain attack since the disclosure: it has provided information on related malicious activity and coordinated with partners to disable some of the malware used in this attack.

Providing a stopgap for now

As part of the action taken, FireEye has collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections. Said the spokesperson: “SUNBURST is the malware that was distributed through SolarWinds Orion software. As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.” 

SUNBURST resolves a subdomain of avsvmcloud[.]com and inspects the IP address returned. If that address falls within certain hard-coded ranges, the malware terminates itself and does not execute again. By taking control of the domain and pointing it at such an address, the partners turned this built-in check into a kill switch.

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”
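The decision the kill switch relies on can be shown in a few lines. The following is an added illustration written for this article, not code from FireEye, SolarWinds or the malware itself: it reproduces the shape of the check (compare the resolved A record against hard-coded ranges and stop if it matches). The ranges listed are representative ones reported in public analyses (RFC 1918 private space plus 20.140.0.0/15, the Microsoft range that the sinkhole address 20.140.0.1 sits in) and are not the complete list; the sample resolver answers are constructed.

```python
"""Illustration of the SUNBURST kill-switch check.

Added example, not FireEye's or SolarWinds' code. SUNBURST resolved a subdomain of
avsvmcloud[.]com and compared the returned A record against hard-coded IP ranges; an
answer inside a 'kill' range made the backdoor disable itself. Pointing the seized
domain at an address in such a range is what made the takeover act as a kill switch.
"""
import ipaddress

# Representative kill ranges from public analyses (not the complete list):
# RFC 1918 private space plus 20.140.0.0/15, where the sinkhole address 20.140.0.1 lives.
KILL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "20.140.0.0/15",
)]


def classify_resolution(resolved_ip: str) -> str:
    """Return 'kill' if the resolved address is in a kill range, otherwise 'beacon'.

    'beacon' models the malware continuing to its next stage; 'kill' models it
    terminating and not running again.
    """
    addr = ipaddress.ip_address(resolved_ip)
    if any(addr in net for net in KILL_RANGES):
        return "kill"
    return "beacon"


# Constructed sample resolver answers standing in for real DNS responses.
# 203.0.113.0/24 is RFC 5737 documentation space, not a real indicator.
SAMPLE_ANSWERS = {
    "before_takeover": "203.0.113.10",  # attacker-controlled answer (constructed)
    "after_takeover": "20.140.0.1",     # the sinkhole address used after the seizure
    "internal_resolver": "10.0.0.53",   # a private-range answer also triggers the check
}


def run(answers=SAMPLE_ANSWERS):
    """Classify every sample answer; returns {scenario: verdict}."""
    return {name: classify_resolution(ip) for name, ip in answers.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

The private-range entries also explain why the backdoor stayed quiet in sandboxes and air-gapped labs whose resolvers answer with internal addresses: the same check that later served as the kill switch was originally an anti-analysis measure.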

What did SUNBURST achieve?

SUNBURST is a backdoor delivered through a supply-chain attack: a trojanized update to the widely deployed SolarWinds Orion IT monitoring and management suite. It runs on the servers hosting Orion, which are often less closely defended than end-user laptops or business-critical applications, yet hold privileged credentials for the infrastructure Orion monitors.

Commented one expert, Jesse Rothstein, CTO and co-founder of ExtraHop: “This vulnerability has a wide potential for damage due to the large installed base of SolarWinds Orion software. The attack appears to have been underway for some time. ExtraHop analysis of DNS registration information indicates that the SUNBURST attack campaign can be traced back to February 26th, 2020. This appears to be when the Command and Control (C&C) domain name avsvmcloud[.]com was first registered, and the site went active on April 15, 2020.”

Rothstein commented that nation-state actors have the means of stealing information through traditional espionage. They could bribe or extort company employees or even place operatives within the organization. “The reason we are seeing an uptick in sophisticated cyberattacks is geopolitical. That is, for better or worse, it’s accepted that nation-states can operate in the cybertheater with relative impunity. Until this changes, companies should expect more of these operations.”

Continuous network data analysis needed

Given the resources and sophistication of the nation-state threat actors implicated in this incident (reportedly APT29, a Russian state-sponsored group), traditional defenses on their own are ineffective. Organizations should prioritize network detection, because the network is as close to ground truth as you can get, is difficult to evade and cannot be switched off by an intruder. According to Rothstein, “sophisticated analysis of network data offers the best opportunity to detect, investigate, and respond to these threats before a breach can occur.”

ExtraHop has also published what it describes as the largest collection of suspect IP addresses associated with this attack to date. Any organization can use the list to assess whether it has been affected by checking the addresses against its own network records.

  • The list contains 550 suspect addresses.
  • While this is not the first analysis of the SUNBURST attack, at the time of publication it is the most comprehensive available. It shows that the attackers rapidly rotated their command-and-control (C&C) infrastructure, using up to 17 distinct C&C IP addresses per day.
  • This rate of change speaks directly to the sophistication of the attackers and their determination to avoid detection and attribution.
  • The campaign analysis gives a broader picture of the sophistication involved and of the lengths to which the attackers went to obscure their location and prevent attribution.
  • The research indicates that the attackers relied primarily on distributed public cloud environments at major cloud service providers for the attack infrastructure.
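Putting such a list to use means matching it against exported connection and DNS logs. The script below is an added example for this article, not ExtraHop's tool or any published IOC list: the suspect addresses (in RFC 5737 documentation space) and the log lines are constructed, and the log format is an assumed `timestamp kind src ...` layout; substitute your own exports and the published indicators. Beyond plain matching, it refangs `[.]` notation as it appears in published lists, flags first-stage DNS lookups under avsvmcloud[.]com, and counts distinct suspect destinations per day, which is the kind of rotation the analysis describes.

```python
"""Match exported network logs against a suspect-IP list and the SUNBURST C2 domain.

Added example, not ExtraHop's tool. The indicator list and log lines are constructed
for illustration; the log layout ('ts kind src dst dport' for connections and
'ts dns src query name' for lookups) is an assumption about the export format.
"""
import re
from collections import defaultdict


def refang(indicator: str) -> str:
    """Published indicators are often written defanged ('avsvmcloud[.]com')."""
    return indicator.replace("[.]", ".")


# Constructed stand-in for a published suspect-IP list (203.0.113.0/24 is documentation space).
SUSPECT_IPS = {refang(ip) for ip in ("203.0.113[.]7", "203.0.113[.]44")}

# SUNBURST's first stage resolved generated subdomains of avsvmcloud[.]com.
SUSPECT_DOMAIN_RE = re.compile(r"(^|\.)" + re.escape(refang("avsvmcloud[.]com")) + r"$", re.IGNORECASE)

# Constructed sample log lines. 10.1.2.50 is the host that should be flagged.
SAMPLE_LOGS = """\
2020-06-01T02:14:07Z conn 10.1.2.50 203.0.113.7 443
2020-06-01T02:14:09Z dns 10.1.2.50 query exampledgalabel01.appsync-api.eu-west-1.avsvmcloud.com
2020-06-01T02:20:11Z conn 10.1.2.51 198.51.100.9 443
2020-06-01T03:05:44Z dns 10.1.2.51 query updates.example.org
2020-06-02T11:41:02Z conn 10.1.2.50 203.0.113.44 443
"""


def scan_logs(log_text: str, suspect_ips=SUSPECT_IPS, domain_re=SUSPECT_DOMAIN_RE):
    """Return (hits, per_day).

    hits: list of dicts describing each matching line (day, src, indicator, type).
    per_day: {day: number of distinct suspect destination IPs seen that day}, a
    rough view of how quickly the C2 addresses in use were rotated.
    """
    hits = []
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, kind, src = parts[0], parts[1], parts[2]
        day = ts[:10]
        if kind == "conn" and parts[3] in suspect_ips:
            hits.append({"day": day, "src": src, "indicator": parts[3], "type": "ip"})
            per_day[day].add(parts[3])
        elif kind == "dns" and len(parts) >= 5 and domain_re.search(parts[4]):
            hits.append({"day": day, "src": src, "indicator": parts[4], "type": "domain"})
    return hits, {day: len(ips) for day, ips in per_day.items()}


def affected_hosts(log_text: str = SAMPLE_LOGS):
    """Set of internal hosts with at least one indicator match."""
    hits, _ = scan_logs(log_text)
    return {h["src"] for h in hits}


if __name__ == "__main__":
    hits, per_day = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['day']} {h['src']} -> {h['indicator']} ({h['type']})")
    print("distinct suspect destinations per day:", per_day)
    print("hosts to investigate:", sorted(affected_hosts()))
```

A domain hit without a matching IP hit is still worth a look: a host that resolved an avsvmcloud[.]com name may have received a kill-range answer and gone quiet, which is exactly the population the kill switch was meant to reach, but it ran the trojanized code all the same.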

We thank Jesse for his insights and information sharing.