SolarWinds Breach - Incident Response
IF YOU ARE A SOLARWINDS CUSTOMER, SAFE TO ASSUME COMPROMISE AND START YOUR INCIDENT RESPONSE PROCESS IMMEDIATELY.
BluSapphire Customers and non-BluSapphire customers can email us and schedule free consultation and Incident Response Guidance. There will be no charge unless you engage our / our partner’s services.
It has been a hectic weekend (and start of the week) for SolarWinds customers. News broke that the SolarWinds Orion platform's update was compromised and a malicious update was pushed out between March and June 2020, as confirmed by the SolarWinds CEO. Nation-state attackers, a.k.a. Cozy Bear / APT29, attributed to a Russian hacking group, compromised an update ".dll" file that was then pushed out as an update to all SolarWinds customers. At this point it is clear that over 400 of the Fortune 500 companies, all ten of the top ten US telecoms, all five branches of the US military and all of the top five US accounting firms are SolarWinds customers. It is safe to assume all of them may be compromised in some way.
US-CERT has released an emergency advisory. SolarWinds has also released its own advisory urging its customers to upgrade to platform version 2020.2.1 HF1 as soon as possible.
Former US CISA head Chris Krebs suggested that the attack was possibly underway for months, but is relatively easy to contain. “Odds are you are not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this.” he advised. Early this morning, FireEye shared an analysis of the affected “.dll”. Below are the artifacts you should be aware of:
the affected .dll is Solarwinds.Orion.Core.BusinessLayer.dll.
the file is digitally signed, signifying a supply chain attack: a backdoor that establishes HTTP connections to third-party servers was implemented in the build and then signed.
the file remains dormant for two weeks.
post dormancy, once it activates, it retrieves and executes commands called "Jobs". These Jobs include the usual C&C capabilities such as transferring files, executing files, profiling the system, rebooting the system and, last but not least, disabling services.
it hides its traffic as Orion Improvement Program Protocol - blending its network activity as Orion activity (hiding in plain sight).
it stores data in plug-in folders - again blending its activity as any other Orion Plug-in activity.
it also disables anti-virus/EDR tools using an obfuscated blocklist.
the malware goes dormant for another two weeks before attempting to resolve a subdomain of avsvmcloud[.]com generated using a Domain Generation Algorithm (DGA). The response is usually a CNAME pointing to the suspected C2 domain. The traffic to this domain is designed to mimic normal SolarWinds API communications.
I'm a SolarWinds customer. How do I resolve this?
First, activate your incident response plan immediately. SolarWinds has released an advisory urging its customers to upgrade to platform version 2020.2.1 HF1 as soon as possible. If an upgrade is not possible you may follow these configuration guidelines to mitigate the attack. A hotfix to resolve this is also expected by Dec 15th, 2020 as per the SolarWinds advisory page.
As a quick first step, limit all internet access to/from your SolarWinds infrastructure.
The malware is designed to stop all activity if DNS resolution of the domains (listed below) results in an address in the following private or reserved ranges:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/3
Use a DNS sinkhole for the domains listed below on your local infrastructure.
Restrict the scope of the accounts (service/administrator) used by SolarWinds.
Change the passwords used on the SolarWinds infrastructure: not just SolarWinds service accounts, but any account used on the SolarWinds infrastructure. E.g., if you logged in with an admin or equivalent account onto the SolarWinds infrastructure in recent times, you should consider changing that password immediately.
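The kill-switch ranges and the sinkhole step above, as an added example (not part of the original post and not BluSapphire tooling): it checks whether an address falls in the four listed ranges, renders an unbound `local-zone ... redirect` sinkhole for the indicator domains so that every DGA label under avsvmcloud.com answers with the sink address, and verifies from observed resolutions which domains still resolve publicly. The resolver (unbound), the sink address 10.255.255.254 and the sample resolutions are assumptions; the two domains are taken from the indicator list further down.

```python
import ipaddress

# The address ranges named on the page: SUNBURST stops if the domain it
# resolves lands inside one of them, so a sinkhole answer from these ranges
# both contains the traffic and triggers the malware's own shutdown check.
KILLSWITCH_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def in_killswitch_range(ip: str) -> bool:
    """True if the IPv4 address falls inside one of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KILLSWITCH_RANGES)


def unbound_sinkhole_config(domains, sink_ip: str) -> str:
    """Render unbound 'redirect' local-zones: every name under each listed
    domain (so also the DGA labels under avsvmcloud.com) answers with
    sink_ip. Refuses a sink address outside the ranges the malware checks."""
    if not in_killswitch_range(sink_ip):
        raise ValueError(f"{sink_ip} is outside the ranges the malware checks")
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {sink_ip}"')
    return "\n".join(lines) + "\n"


def check_sinkhole(resolutions: dict) -> list:
    """Given {domain: ip} as observed from a client after the sinkhole is in
    place, return the domains that still resolve to a public address."""
    return sorted(d for d, ip in resolutions.items()
                  if not in_killswitch_range(ip))


# Constructed verification sample: one domain correctly sinkholed, one still
# answering with a public (TEST-NET-3, hypothetical) address.
SAMPLE_RESOLUTIONS = {
    "avsvmcloud.com": "10.255.255.254",
    "deftsecurity.com": "203.0.113.7",
}

if __name__ == "__main__":
    print(unbound_sinkhole_config(["avsvmcloud.com", "deftsecurity.com"],
                                  "10.255.255.254"))
    print("still resolving publicly:", check_sinkhole(SAMPLE_RESOLUTIONS))
```

Run `check_sinkhole` against resolutions taken from a client on the SolarWinds network segment, not from the resolver host itself, so that split-horizon or forwarder misconfiguration is caught; a domain that still resolves publicly means the sinkhole is not in the resolution path that matters.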
How do I know if I’m affected?
If you are a SolarWinds customer using SolarWinds Orion Platform builds 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, then you are running a compromised version.
BluSapphire Customers
BluSapphire customers can quickly perform a live hunt on their infrastructure using the indicators provided by US-CERT. You may alternatively pick “Sunburst” OR “Sunburst_All” from the APT Hunt list and run the hunt on an OU or the entire domain(s).
Unlike popular security platforms, BluSapphire performs an active live hunt on each and every system on your network without using an agent, thereby enabling you to find artifacts like this on the fly. Traditional and next-gen SIEMs will be unable to do this, as they can only hunt on the data logged. Live hunting is the only way you would find these indicators.
Alternatively, BluSapphire customer(s), who use BluSapphire sensors, may also look for the URL(s) or IP addresses, which can also be part of the hunt. If you are already forwarding the logs to our Log Collectors, the corresponding data will also be mined as part of the hunt. There is no need to configure/query anything differently.
SolarWinds breach indicators (Sunburst_All)
Domain(s)
6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com
7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com
gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com
mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com
deftsecurity[.]com
freescanonline[.]com
thedoccloud[.]com
websitetheme[.]com
highdatabase[.]com
incomeupdate[.]com
databasegalore[.]com
panhardware[.]com
zupertech[.]com
IP(s)
13.59.205.66
54.193.127.66
54.215.192.52
34.203.203.23
139.99.115.204
5.252.177.25
5.252.177.21
204.188.205.176
51.89.125.18
67.114.213.199
File(s)
CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp -- Installer
Solarwinds Worldwide, LLC application/x-x509-server-cert -- Legitimate Code Signing Certificate used
SolarWinds.Orion.Core.BusinessLayer.dll --- Backdoor
SolarWinds.Orion.Core.BusinessLayer.dll --- Backdoor
SolarWinds.Orion.Core.BusinessLayer.dll --- Backdoor
OrionImprovementBusinessLayer.2.cs --- Decompiled and corrected source code for SUNBURST
app_web_logoimagehandler.ashx.b6031896.dll --- Webshell
SHA256
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1
1b476f58ca366b54f34d714ffce3fd73cc30db1a
47d92d49e6f7f296260da1af355f941eb25360c4
2f1a5a7411d015d01aaee4535835400191645023
d130bd75645c2433f88ac03e73395fba172ef676
76640508b1e7759e548771a5359eaed353bf1eec
c2c30b3a287d82f88753c85cfb11ec9eb1466bad
75af292f34789a1c782ea36c7127bf6106f595e8
MD5
02af7cec58b9a5da1c542b5a32151ba1
08e35543d6110ed11fdf558bb093d401
2c4a910a1299cdae2a4e55988a2f102e
846e27a652a5e1bfbd0ddd38a16dc865
b91ce2fa41029f6955bff20079468448
4f2eb62fa529c0283b28d05ddd311fae
56ceb6d0011d87b6e4d7023d7ef85676
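A self-contained hunt over the Sunburst_All indicators above, added here as an example and not BluSapphire's hunt implementation: it matches the listed domains (including any DGA label under avsvmcloud.com) and IPs against log lines regardless of their format, and matches file contents against the SHA256 list. The `key=value` log format, the sample log lines and the blob contents in the test are constructed; the indicator values themselves are copied from the list above with the defanging brackets removed.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the page's Sunburst_All list (defanging brackets removed).
IOC_DOMAINS = {
    "avsvmcloud.com", "deftsecurity.com", "freescanonline.com",
    "thedoccloud.com", "websitetheme.com", "highdatabase.com",
    "incomeupdate.com", "databasegalore.com", "panhardware.com",
    "zupertech.com",
}
IOC_IPS = {
    "13.59.205.66", "54.193.127.66", "54.215.192.52", "34.203.203.23",
    "139.99.115.204", "5.252.177.25", "5.252.177.21", "204.188.205.176",
    "51.89.125.18", "67.114.213.199",
}
IOC_SHA256 = {
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
}

# Any dotted hostname ending in an alphabetic TLD, and any IPv4 literal.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(name: str) -> bool:
    """Exact or subdomain match, so any DGA label under avsvmcloud.com hits."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def scan_log_lines(lines):
    """Return (line_number, indicator) for every hit. Format-agnostic: every
    hostname or IPv4 literal found anywhere in a line is checked."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOSTNAME_RE.findall(line):
            if domain_matches(host):
                hits.append((n, host.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_blobs(named_blobs: dict, bad_hashes=IOC_SHA256) -> list:
    """Return the names whose content hashes to a listed SHA256."""
    return sorted(name for name, data in named_blobs.items()
                  if sha256_hex(data) in bad_hashes)


def scan_files(root, bad_hashes=IOC_SHA256) -> list:
    """Stream-hash every file under root (e.g. the Orion install and plug-in
    folders) and return the paths whose SHA256 is listed."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            if h.hexdigest() in bad_hashes:
                hits.append(str(p))
    return sorted(hits)


# Constructed log lines in a hypothetical "key=value" format: line 1 carries a
# DGA name from the list, line 3 a listed IP, lines 2 and 4 are benign.
SAMPLE_LOG = [
    "2020-12-14T08:12:03Z dns client=10.20.30.40 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=A",
    "2020-12-14T08:12:04Z dns client=10.20.30.40 query=updates.example.com type=A",
    "2020-12-14T08:15:59Z fw src=10.20.30.40 dst=13.59.205.66 dport=443 action=allow",
    "2020-12-14T08:16:10Z fw src=10.20.30.41 dst=198.51.100.9 dport=443 action=allow",
]

if __name__ == "__main__":
    for line_no, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {ioc}")
```

The domain match is a suffix match on purpose: the six avsvmcloud.com names above are only the DGA outputs observed so far, and a host that resolved a different label under the same domain is just as interesting. Hash matching is limited to the SHA256 list; a hit on the SHA1 or MD5 lists alone should be confirmed against SHA256 before acting on it.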