TechGuard Blog

Guidance on Recent Nation-State Cyberattacks Uncovered by FireEye

FireEye

On December 8th, cybersecurity firm FireEye reported a breach of their network. According to FireEye, hackers gained access to their environment and were able to obtain many of their Red Team assessment tools. These tools are used to test customer environments by imitating hacker activities. FireEye was quick to confirm that the data did not include any zero-day exploits. In response to the breach, FireEye released a GitHub repository containing countermeasures to their breached Red Team tools. FireEye did not release details of the exploitation, just that it was highly sophisticated and likely a state-sponsored adversary.

Five days after the initial announcement, FireEye provided an update. On December 13th, 2020, FireEye posted a blog on their site with additional findings from the investigation, including more specifics of the breach. FireEye's analysis identified the source of the breach as the Orion network monitoring product from SolarWinds, and described the breach as part of an extensive campaign dating back to the spring of 2020. On the same day, FireEye released a threat research article with additional technical detail on the attack. According to that article, the attackers used a supply chain compromise to distribute malware dubbed SUNBURST.

SUNBURST

In the days since the initial revelation, many new details have come to light regarding the SUNBURST malware. SUNBURST was delivered through a supply chain attack: a malicious version of an update for the SolarWinds Orion business software. The attacks targeted Orion software versions 2019.4 HF 5 through 2020.2.1, the versions released between March 2020 and June 2020. The trojanized SolarWinds update not only gave the attackers access to the target’s network but also provided them with a backdoor, allowing them to move laterally once inside the network and ultimately steal data. The specific file that was compromised is a SolarWinds DLL, SolarWinds.Orion.Core.BusinessLayer.dll. This DLL appears to be a legitimate component of the Orion software framework and is a digitally signed Orion software component, so the trojanized copy passed as genuine. The DLL contains a backdoor that communicates with third-party servers over HTTP. Once the malicious file is installed on the target machine, it lies dormant for up to two weeks. When the malware executes, it disguises its communications as the legitimate Orion Improvement Program (OIP) protocol, allowing the traffic to blend in with legitimate SolarWinds traffic.

There is not only one

Research by FireEye indicated that it was not just one update that was compromised but several updates from March 2020 to May 2020. Regardless of which update was installed, the sequence of events followed the same basic pattern: the update is installed, lies in wait for up to two weeks, and then, once active, attempts to resolve a subdomain of avsvmcloud[.]com. The Command and Control (C2) traffic was designed to mimic typical SolarWinds API traffic.

Now what?

SUNBURST has the IT community buzzing, and rightfully so. SolarWinds is one of the most widely used IT infrastructure monitoring products in the world. It monitors network performance, servers and applications, and configuration management, and it offers a great deal of remote visibility into large, complex computer networks. So, when companies are told to shut off their monitoring solutions, it's important that they have a backup plan for visibility. The full impact of this hack will not be known for some time. In the meantime, there are some steps that you can take to protect your business.

  • The Department of Homeland Security (DHS) and Microsoft have suggested a shutdown of your SolarWinds environment until you can investigate and confirm the safety of your SolarWinds instance(s). If you cannot or do not wish to shut down your SolarWinds instance, isolate it completely from your sensitive data networks and internet egress from endpoints.
  • Block all traffic to the known C2 domain (avsvmcloud[.]com).
  • Collect logs and monitor OIP traffic.
  • Ensure your SolarWinds instance is using service accounts with the least level of privilege necessary for SolarWinds to function.
  • Put monitoring in place for Domain Administrator credentials.
  • Reset passwords for Domain Administrator Accounts.
  • Eliminate all unused Administrator Accounts.
  • Update all Antimalware software with the newest signatures.
  • It’s important to note that a hotfix was released on 12/15/2020 as part of the remediation efforts by SolarWinds. This hotfix is 2020.2.1 HF2.
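A DNS-log check for the C2 domain named above, tying together the "resolve a subdomain of avsvmcloud[.]com" behaviour and the "block traffic to the known C2 domain" step. This is an added example, not code from the post, FireEye or SolarWinds; the log format, client addresses and the subdomain label are constructed for illustration.

```python
"""Flag DNS lookups for the SUNBURST C2 domain in a DNS query log.

Added example, not code from the post, FireEye or SolarWinds. Assumes a
simple constructed log format: "<timestamp> <client_ip> <query_name>".
"""
import re
from collections import defaultdict

# Domain named in the post; SUNBURST resolves a subdomain of it.
C2_DOMAIN = "avsvmcloud.com"
# One log line: timestamp, client address, queried name (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def is_c2_lookup(qname: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True if qname is the C2 domain itself or any subdomain of it.
    Case and a trailing dot are normalised; a label boundary is required,
    so look-alikes such as notavsvmcloud.com do not match."""
    name = qname.rstrip(".").lower()
    return name == c2_domain or name.endswith("." + c2_domain)


def scan_dns_log(lines, c2_domain: str = C2_DOMAIN):
    """Return {client_ip: [queried_name, ...]} for every matching lookup."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_c2_lookup(m["qname"], c2_domain):
            hits[m["client"]].append(m["qname"])
    return dict(hits)


# Constructed sample log: one host (10.0.5.44) resolving the C2 domain
# among ordinary lookups. The subdomain label is made up, not a real IoC.
SAMPLE_LOG = """\
2020-12-14T02:11:03Z 10.0.5.20 time.windows.com
2020-12-14T02:11:09Z 10.0.5.44 k3jq2x.avsvmcloud.com
2020-12-14T02:11:10Z 10.0.5.44 downloads.solarwinds.com
2020-12-14T02:11:15Z 10.0.5.44 notavsvmcloud.com
garbage line
2020-12-14T02:12:01Z 10.0.5.44 AVSVMCLOUD.COM.
"""

if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_LOG.splitlines()).items():
        print(f"{client} resolved C2 domain: {', '.join(names)}")
```

Any host that shows up in the result should be treated as a SolarWinds instance to isolate and investigate, not just a noisy lookup.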


In Conclusion

This hack highlights a broader issue in the information technology ecosystem. Organizations tend to move back and forth between centralized and decentralized systems for a variety of reasons, such as cost, availability, and even COVID. Many companies choose to build entire infrastructures around a single toolset because of bulk pricing and the cost of hiring professionals to manage one toolset. Companies might want to rethink this strategy and start looking at how a failure at a critical vendor affects the redundancy of their systems management. Perhaps now is the time to add some diversity to software and service selection, and to plan for a major security incident or critical outage at one of these big vendors. As mentioned earlier, the data from this attack is still coming out, but the best thing to do is keep to your security best practices as you move forward and plan for this type of event in the future.


Written by Nathan Rice

Nate has fifteen years of IT experience spanning a variety of domains, with a focus on defensive security. Nate currently holds the following certifications: CEH, CompTIA Security+ and CompTIA A+. Prior to TechGuard Security, Nate was a Senior IT Security Engineer at a Fortune 100 organization. As a Security Engineer, Nate focused on new technology integration and implementation. Along with a variety of application administration roles in security operations, his past project work includes the implementation of a DLP program, a single sign-on program and multifactor authentication. At TechGuard Security, Nate conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Nate’s focus is on customer service and support, as well as providing customer solutions to complex IT security challenges. When not working or studying, Nate enjoys being outdoors and spending time with his wife and kids.