Need to Report an Incident? Call +1 (877) 707-7997

Guidance on the SolarWinds Orion Compromise       

SunBurst Backdoor and Malware Campaign

Golang Worm
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

SunBurst Backdoor Overview

This report is about the recently disclosed SunBurst backdoor and the related malware campaign. The malware campaign has been attributed to APT29, a GRU (Main Intelligence Directorate) Russian military cyber unit. The malware is distributed through an advanced supply chain attack designed to compromise both government and non-government entities via SolarWinds Orion, a widely used system monitoring software.

Tactics, Techniques and Procedures

The compromise starts with a hotfix software update to the  SolarWinds Orion platform and network monitoring software called SolarWinds-Core-v2019.4.5220-Hotfix5.msp which was distributed from the vendor’s website. This update is signed by the software company using a older certificate from Symantec provided by DigiCert.

The file SolarWinds-Core-v2019.4.5220-Hotfix5.msp contains a malicious DLL file called SolarWinds.Orion.Core.BusinessLayer.dll that gets loaded by the legitimate process SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.

After the hotfix update is installed legitimately by an organization administrator, the malware lays dormant only activating if the attackers deem the environment to be of sufficient value.

The second stage payload begins when the malicious DLL queries for a hardcoded domain that provides the location of where to download the next file. When the appropriate command & control server is found, it downloads a backdoor called Teardrop that runs through a series of registry key and file header checks before extracting CobaltStrike. CobaltStrike then connects to the next command & control server which may vary depending on which image file (.jpg) the header gets pulled from.

Once the attacker installs CobaltStrike, it then downloads a new DLL file called resources.dll. This executes WMI (Windows Management Instrumentation) to query lsass.exe for usable credentials to dump, much like Mimikatz. The bad actor can then query Active Directory using a tool called Adfind to save specific results.

It is important to note that the bad actor has created localized C2 infrastructure mimicking the naming conventions found in the target’s environment to reduce suspicion.

Business Unit Impact

  • May lead to the compromise of a critical piece of your monitoring infrastructure which provides a foothold for a nation state level threat actor
  • Could result in the collection of sensitive system configuration information and account credentials allowing for lateral movement opportunities
  • Can lead to the loss of sensitive data about organization including copyrighted information, trade secrets, manufacturing processes, and more
  • Has the potential for deeply rooted persistence in the environment providing for the opportunity to deploy sophisticated attacks

Recommendations

  • It is highly encouraged that you implement isolation measures to ensure your SolarWinds environment is unable to have egress connections to the Internet until further review
  • Consider using the IOC list linked below to search your environment for any potential indicators
  • Review any excessive file modifications over SMB particularly if they follow a delete-create-execute-delete-create pattern in a short amount of time
  • Consider updating your SolarWinds environment to Orion Platform version 2020.2.1 HF 2.

Sources

Supporting Documentation

MITRE Mapping(s):

  • https://attack.mitre.org/techniques/T1012/
  • https://attack.mitre.org/techniques/T1027/
  • https://attack.mitre.org/techniques/T1057/
  • https://attack.mitre.org/techniques/T1070/004/
  • https://attack.mitre.org/techniques/T1071/001/
  • https://attack.mitre.org/techniques/T1071/004/
  • https://attack.mitre.org/techniques/T1083/
  • https://attack.mitre.org/techniques/T1105/
  • https://attack.mitre.org/techniques/T1132/001/
  • https://attack.mitre.org/techniques/T1195/002/
  • https://attack.mitre.org/techniques/T1518/
  • https://attack.mitre.org/techniques/T1518/001/
  • https://attack.mitre.org/techniques/T1543/003/
  • https://attack.mitre.org/techniques/T1553/002/
  • https://attack.mitre.org/techniques/T1568/002/
  • https://attack.mitre.org/techniques/T1569/002/
  • https://attack.mitre.org/techniques/T1584/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates