Updated 9Feb: Unconfirmed Chinese exploitation of SolarWinds breach
Updated 14Jan: "SolarLeaks" (as first seen on Reddit Jan 12)
Updated 23Dec: NSA advisory on the abuse of federated Single Sign On (SSO) infrastructure and Security Assertion Markup Language (SAML) tokens
Updated 21Dec: Possible 2019 dry run and new malware dubbed SUPERNOVA detected; new analysis from IronNet threat researchers
Updated 18Dec: SUNBURST TTPs
Updated 16Dec: This post includes new observations from IronNet's SOC and threat researchers in the section below titled "What have IronNet hunters seen?"
Editor’s note: In response to these recent events, we have removed the registration page from our supply chain white paper. Learn about the 6 most common supply chain entry points for cyber attacks, and the 5 most common attacks and how to defend against them.
What could a security firm, the U.S. Commerce and Treasury Departments, and an IT software company possibly have in common? The answer most likely is this: a backdoor, in this case delivered through a trojanized update to the SolarWinds Orion IT monitoring platform. The ongoing news is a sobering reminder of the relentlessness of nation-state cyber attack campaigns. Add the widespread exposure created by supply chain backdoors, and the risk escalates from a single corporate incident to a global attack with potentially unsettling consequences.
The shift is this: adversaries are moving from tightly secured enterprises to weaker points of entry along the supply chain. In fact, Accenture Security reports that “Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches.”
What is the latest SolarWinds/SUNBURST news?
Here is our understanding of the situation:
- The FireEye, SolarWinds and government agency hacks appear to be connected.
- According to The Washington Post, the attack began with the IT vendor SolarWinds. SolarWinds CEO Kevin Thompson said that SolarWinds had been compromised via software updates that it sent to users of its Orion IT monitoring platform between March and June. (SolarWinds’ government customers include the Department of Justice; the Census Bureau; several national laboratories; and state, local, and foreign customers such as the European Parliament and Britain’s National Health Service.)
- On December 13, FireEye confirmed that the recent cyber attacks all stemmed from the compromised SolarWinds Orion software update.
- Nation-state hackers also broke into multiple federal agencies, including the U.S. Departments of Treasury and Commerce, in a campaign that appears to be linked to the recently disclosed hack of security firm FireEye. Hackers broke into the National Telecommunications and Information Administration's (NTIA) Microsoft Office 365 environment, and staff emails at the agency had been monitored by the hackers for months before the intrusion was discovered.
- The FBI is investigating, and CISA is also involved.
- Reports are emerging that SolarWinds may have been breached earlier than the Spring 2020 timeframe that was initially reported. There may have in fact been a "dry run" of the attack in October 2019.
- Increasing sources are indicating that the actors responsible for these intrusions are abusing federated Single Sign On (SSO) infrastructure and Security Assertion Markup Language (SAML) tokens to access victim systems and services. This behavior was noted in reporting from Volexity and CISA, and the NSA issued a cybersecurity advisory detailing how to detect and mitigate such activity.
- As Microsoft and Palo Alto both note, there appears to be a separate, distinct piece of malware being tagged as SUPERNOVA affecting SolarWinds beyond SUNBURST.
- "SolarLeaks": As first seen on Reddit (January 12) in a post that has since been taken down: a message included a link to solarleaks[.]net, where the posters claimed to be selling data stolen during the hack. They claim to have Cisco source code for multiple products and an alleged 'bug tracker' dump; FireEye Red Team tools, source code, binaries and documentation; proprietary Microsoft source code; and SolarWinds product source code (including Orion) and a customer portal dump. The email address that the actors told people to contact was email@example.com. To protect the identity of those behind this supposed leak, the domain is registered through 'Njalla', a privacy protection service that has previously been used by Russian threat actors. In addition, the website was hosted on a Njalla VPS. It should be noted that the asking price is astronomical. See below for our own analysis of this situation.
IronNet Threat Analysis Lead Peter Rydzynski takes a closer look at whether the SUNBURST technique identified commonly as a Domain Generation Algorithm (DGA) is DNS Tunneling, a subtle, but important, distinction, as "we first need to agree on terminology before we can move forward with identifying and analyzing the observable behaviors."
- The fallout of the SUNBURST attack is revealing new threats and concerns. Threat actors believed to be associated with China may have exploited SolarWinds software in the National Finance Center. In contrast to the original supply chain attack, the speculation at hand is that China possibly exploited a separate flaw in the Orion software to aid lateral movement within an already-compromised network. The details are sparse at present, and IronNet will continue to track this developing threat intelligence. There is no word on what was stolen in the breach or how many other agencies and companies were also affected.
- One of the troubling potential concerns, however, is that one of the suspected victims, the national payroll agency, houses what China would regard as a treasure trove of social security numbers, bank account numbers, and additional personally identifiable information, linked specifically to employees of the U.S. Department of Agriculture. On another note, this incident, if validated, could provide some clarity around the aforementioned SUPERNOVA malware web shell.
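The SAML abuse noted above is hard to catch at the service provider because a token forged with a stolen IdP signing key is correctly signed. As an added example (not code from this page, from IronNet, or from the NSA advisory), the following script triages a SAML assertion the way the advisory points defenders: it ignores the signature and instead checks the issuer, the length of the validity window, and whether the IdP's own issuance log recorded the token. The issuer URL, the one-hour validity policy, the five-minute matching slack, the two assertions and the issuance log entry are all constructed for the demonstration.

```python
"""Triage of a SAML assertion for signs of forgery (Golden SAML).

Added example, not code from the page or the NSA advisory. A token signed
with a stolen IdP key passes signature validation, so the signature is not
checked here. Instead: unexpected issuer, over-long validity window, and a
missing token-issuance event in the IdP's own logs.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "http://adfs.example.test/adfs/services/trust"  # assumed IdP


def _assertion(aid, user, issued, not_after):
    """Build a constructed (unsigned) assertion for the demonstration."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}" '
            f'Version="2.0" IssueInstant="{issued}">'
            f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}"/>'
            '</saml:Assertion>')


# Legitimate-looking token: one-hour window, recorded in the IdP log below.
GENUINE = _assertion("_7f3", "alice@example.test",
                     "2020-06-01T09:58:12Z", "2020-06-01T10:58:12Z")
# Forged token: a week of validity and no issuance record at the IdP.
FORGED = _assertion("_a1c", "admin@example.test",
                    "2020-06-01T10:00:00Z", "2020-06-08T10:00:00Z")

# Constructed IdP issuance log (what AD FS-style token-issued events provide).
IDP_ISSUANCE_LOG = [
    {"time": "2020-06-01T09:58:12Z", "user": "alice@example.test",
     "assertion_id": "_7f3"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull the fields the checks need out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issued": _ts(root.get("IssueInstant")),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
    }


def issuance_recorded(a, log, slack=timedelta(minutes=5)):
    """True if the IdP logged this assertion ID, or this user near IssueInstant."""
    for e in log:
        if e["assertion_id"] == a["id"]:
            return True
        if e["user"] == a["subject"] and abs(_ts(e["time"]) - a["issued"]) <= slack:
            return True
    return False


def triage(xml_text, log=IDP_ISSUANCE_LOG, expected_issuer=EXPECTED_ISSUER,
           max_validity=timedelta(hours=1)):
    """Return a list of findings; an empty list means these checks saw nothing."""
    a = parse_assertion(xml_text)
    findings = []
    if a["issuer"] != expected_issuer:
        findings.append("issuer differs from the expected IdP")
    window = a["not_on_or_after"] - a["not_before"]
    if window > max_validity:
        findings.append(f"validity window {window} exceeds policy {max_validity}")
    if not issuance_recorded(a, log):
        findings.append("no IdP issuance event matches this assertion")
    return findings


if __name__ == "__main__":
    for name, token in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, triage(token) or ["clean"])
```

The issuance-log check is the one that matters most in practice: a forged token never passed through the IdP, so correlating assertion IDs (or subject and IssueInstant) seen at the service provider against the IdP's token-issued events is what exposes it, whatever the window length.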
While the threat actor used several sophisticated techniques to hide command-and-control traffic, such as mimicking SolarWinds Orion traffic and using cloud providers to masquerade as trusted, geolocated environments, the DNS tunneling techniques used can be detected with behavioral analytics and network detection and response technology.
This attacker applied advanced techniques often attributed to nation-state threat actors:
- The compromise of the SolarWinds Orion update mechanism, which was used to place implants, greatly expanded the attacker's target landscape. A seemingly legitimate, digitally signed software update let them use the supply chain to distribute a backdoored component: the SolarWinds.Orion.Core.BusinessLayer.dll dynamic link library (DLL).
- Once inside, the threat actor leveraged multiple techniques to move laterally through computing networks undetected by using sophisticated evasion capabilities, credential reuse, multi-factor authentication bypass, and other advanced “living off the land” techniques. CISA reports it is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.
What is IronNet doing?
For IronNet customers, we immediately reviewed all customer environments for indicators related to this attack. IronNet's CyOC has taken the following actions:
- Deployed Suricata Rules to IronSensors for countermeasures released by FireEye: https://github.com/fireeye/sunburst_countermeasures.
- Executed manual Threat Defined Queries in each of our monitored customer environments (and our own networks) to ensure none of the known SUNBURST Indicators of Compromise (IoC) have been observed.
- Deployed Threat Intelligence Rules (TIR) for SUNBURST IoCs.
- Deployed YARA signatures in our ReversingLabs malware store to identify any permutations of the identified malicious update file or the packaged DLL, and reviewed the results for new or novel strains of the malware.
- Evaluated artifacts associated with network-related behaviors, including: SolarWinds-Core-v2019.4.5220-Hotfix5.msp and SolarWinds.Orion.Core.BusinessLayer.dll.
What have IronNet hunters seen?
As of 23Dec:
- We have observed DGA/DNS Tunneling behavior as described by FireEye and discussed in the infosec community, at multiple customer sites.
- After decoding the observed sub-domain labels using decoding techniques shared by other researchers, we have observed both internal domains and what appears to be character strings that did not decode properly.
- At this time we have not observed any domain responses from the initial C2.
- The observed IP responses were compared against the published list of "kill codes" (the resolved address ranges that cause the implant to stand down), and we then evaluated the corresponding timelines. Based on current visibility, we have observed some traffic persisting after the kill responses, and our current assumption is that there is an additional infected host in the environments where this was seen.
FireEye identified an aspect of SUNBURST C2 as a Domain Generation Algorithm (DGA) for the subdomains of avsvmcloud[.]com. Although the distinction is mostly a matter of semantics, IronNet has been referring to that behavior as DNS tunneling, because the DNS query/response exchange itself carries the C2 channel: the encoded subdomain label carries data out of the network, and the resolved address carries commands back, including the instruction to detask the implant.
Additionally, according to what has been published by various members of the community, the subdomain label can be decoded and appears to directly correspond with the internal domain of the implant.
IronNet has a behavioral-based detection for DNS tunneling and during the process of our incident response we did identify this behavior within our IronDome environment during the March to August timeframe.
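The hunting observations above (random-looking labels under one parent domain, and hosts that keep querying after a kill response) can be expressed as two checks over a DNS log. The script below is an added example, not IronNet's analytics or any published countermeasure: it groups queries by parent domain and flags parents whose leading labels are numerous, long and high-entropy, then reports any client that kept querying a flagged parent after receiving an answer in a kill range. The log lines and the subdomain labels are constructed; the kill ranges are reproduced from FireEye's public SUNBURST reporting and should be checked against that source; the thresholds are illustrative assumptions.

```python
"""Behavioral triage of DNS logs for SUNBURST-style DNS tunneling.

Added example, not IronNet's analytics. Two checks: (1) per parent domain,
do the leading subdomain labels look like encoded data (many unique, long,
high-entropy labels), and (2) after a client received a "kill" answer for a
flagged parent, did that client keep querying it.
"""
import ipaddress
import math
from collections import defaultdict

# IPv4 ranges reported by FireEye as making the implant stand down when
# returned for its C2 name. Reproduced from public reporting as an assumption;
# verify against FireEye's published countermeasures before relying on them.
KILL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
)]

# Constructed DNS log: (timestamp, client, query name, answer). The labels
# under avsvmcloud.com are made up; only their shape mimics the real pattern.
SAMPLE_LOG = [
    ("2020-06-01T10:00:01Z", "10.1.1.5", "www.microsoft.com", "203.0.113.10"),
    ("2020-06-01T10:00:02Z", "10.1.1.5", "login.microsoftonline.com", "203.0.113.11"),
    ("2020-06-01T10:05:00Z", "10.1.1.5",
     "r4txm6j0bnq8w2hzp5ge.appsync-api.us-west-2.avsvmcloud.com", "198.51.100.20"),
    ("2020-06-01T10:17:00Z", "10.1.1.5",
     "p9lq3fwz8kdm5c7atyhj.appsync-api.us-east-1.avsvmcloud.com", "198.51.100.21"),
    ("2020-06-01T10:31:00Z", "10.1.1.5",
     "z2bgn7ks4e0xmqt9vwf3.appsync-api.eu-west-1.avsvmcloud.com", "20.140.0.1"),
    ("2020-06-01T10:44:00Z", "10.1.1.5",
     "h6dv1cmy8p3rjx0kbf5t.appsync-api.us-west-2.avsvmcloud.com", "20.140.0.1"),
    ("2020-06-01T10:45:00Z", "10.1.1.7", "www.microsoft.com", "203.0.113.10"),
]


def parent_domain(qname, depth=2):
    """Registered-domain approximation: the last `depth` labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def first_label(qname):
    return qname.lower().split(".")[0]


def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text)))


def in_kill_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KILL_RANGES)


def score_parents(log, min_unique=3, min_len=12, min_entropy=3.0):
    """Flag parents whose leading labels look like encoded data.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_parent = defaultdict(set)
    for _, _, qname, _ in log:
        by_parent[parent_domain(qname)].add(first_label(qname))
    flagged = {}
    for parent, labels in by_parent.items():
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[parent] = {"unique_labels": len(labels),
                               "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged


def persisting_after_kill(log, parents):
    """Queries a client sent to a flagged parent after a kill-range answer.

    An implant that honoured the kill answer should go quiet, so later
    queries from the same client suggest another infected host behind it.
    """
    killed_at = {}
    persisting = []
    for ts, client, qname, answer in sorted(log):
        parent = parent_domain(qname)
        if parent not in parents:
            continue
        key = (client, parent)
        if key in killed_at:
            persisting.append((ts, client, qname))
        elif in_kill_range(answer):
            killed_at[key] = ts
    return persisting


def triage(log):
    flagged = score_parents(log)
    return flagged, persisting_after_kill(log, flagged)


if __name__ == "__main__":
    flagged, persisting = triage(SAMPLE_LOG)
    for parent, stats in flagged.items():
        print(f"tunneling-like: {parent} {stats}")
    for ts, client, qname in persisting:
        print(f"persisting after kill: {ts} {client} {qname}")
```

On real resolver logs the parent grouping should use a public-suffix list rather than the last two labels, and the kill check should only be applied to parents already flagged, as done here, or private-address answers for ordinary internal names will generate noise.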
Elite Russian adversary, assumed actor
Multiple sources have suggested that Russia is the assumed instigator of this attack. For historical context on Russian cyber threats and past attacks, including those by Advanced Persistent Threat (APT) groups, you can read more here.
Why are APT attacks so difficult to detect? APT groups use tactics, techniques, and procedures (TTPs), which sit at the apex of security researcher David J. Bianco's threat hunting framework, the Pyramid of Pain. But when you can detect and respond at this level, you are operating directly on adversary behaviors, not just against their tools. So from a pure effectiveness standpoint, this level is your ideal. If you are able to respond to an adversary's TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors. That is not an easy task for even the most capable of bad actors.
IronNet analysis of "SolarLeaks"
IronNet Threat Analysis Lead Peter Rydzynski has two theories about SolarLeaks.
- This could be a distraction/misdirection effort by state-sponsored actors trying to make it seem like they are just cyber criminals looking to make money. This is not very compelling due to all the other connections in their malware to known Russian state-sponsored TTPs and because they were offering only source code and not any info related to the numerous U.S. government entities that were compromised. If it was a criminal entity behind this, they would be looking to monetize all their assets; by contrast, if this were a state-sponsored actor, they would likely not want to leak that information as it would devalue the intel. This would also explain the unrealistically high asking price as they aren’t really intending to sell anything.
- This could be a totally unrelated group taking advantage of the attention this hack is getting. They could be fraudulently claiming they have this data, just hoping someone would pay them regardless.
How do you detect threats that have infiltrated your network?
Network Detection and Response systems built on behavioral analytics can "see" these TTPs on the network. The NY Times reports that in the FireEye attack, for instance, "the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts." This onslaught of never-before-seen infrastructure is something that behavioral analytics can detect during this crucial network dwell time.
Stopping hackers in their tracks at the reconnaissance phase of intrusion (or as “left of boom” as possible in the MITRE ATT&CK Framework, for example) is critical. Once an adversary moves along the intrusion path, being able to map detected observables to threat techniques is also essential for better determining the best and fastest course of remediation.
These are the threats from adversaries who have managed to slip past your firewall and/or taken advantage of an insecure endpoint to get inside your network. Once inside, adversaries often lurk to determine the best way to steal money or data, including personally identifiable information (PII) or intellectual property. They may then move laterally across networks from their entry point to find the systems or data they are targeting. The earlier the detection by assessing Indicators of Behavior (instead of just known IoCs), the lower the risk.
Organizations need to implement a security-in-depth strategy with detection capabilities geared towards detecting behavioral TTPs from the MITRE ATT&CK framework.
The role of behavioral analytics
There are techniques for detecting nation-state activity earlier using behavioral analytics and an Expert System, which can anticipate the actions of nation-state threat actors. In the case of the SolarWinds attack, IronNet analysts learned about indicators that IronNet analytics and its Expert System are designed to detect, including:
- Post compromise activity included lateral movement and data theft. Our analytics and sensors are designed and positioned to detect movement within the network, especially when large amounts of data are exfiltrated.
- The trojanized SolarWinds Orion software contains a backdoor that communicates over HTTP to third-party servers. IronNet's analytics specifically focus on HTTP for domain analysis, periodic and consistent beaconing, and extreme rates.
- Multiple trojanized updates were digitally signed from March through May 2020 and posted to the SolarWinds updates website. IronNet analytics examine certificates to detect unusual activity.
- IronDome’s threat sharing platform would have communicated correlated actionable activity between the private sector and government agencies.
Actions and recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated alert indicating that SolarWinds Orion Platform software is being actively exploited by malicious actors, and DHS's CISA has issued Emergency Directive 21-01 instructing U.S. federal agencies to immediately disconnect all SolarWinds Orion products.
Security researchers at FireEye have published technical details indicating that a software supply chain compromise occurred earlier in 2020 and resulted in a trojanized version of SolarWinds Orion being distributed to customers, which they have dubbed SUNBURST.
SolarWinds has additionally published a security advisory recommending customers upgrade to the latest version of Orion Platform and indicating that the company plans to release an additional hotfix later this week.