Key Takeaways from the SolarWinds Compromise

FireEye has recently released a detailed report on a global supply chain cyber-espionage campaign that utilizes compromised Solarwinds Orion software updates to distribute a backdoor codenamed “SUNBURST” by FireEye.

This particular campaign was announced by FireEye to be associated with a breach reported earlier on the 8th of December 2020, where it was revealed that attackers have gained access to FireEye’s environment, attempted to obtain information relating to certain US government customers and stole some of their Red Team tools.

FireEye isn’t the only organization using SolarWinds Orion software: the malicious updates were pushed to 18,000 other customers of the SolarWinds Orion platform, including Microsoft, the US Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration. Of course, not all organizations affected were actively targeted and breached by the threat group. The majority of the targets were located in the United States and the rest in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the UAE.

At this time, it is too early to say that we have a full understanding of the scope of the SolarWinds compromise. The number of organizations impacted is based on very limited visibility with an expectation that we understand all the compromise routes and adversary command and control capabilities. We do not know that to be true and more time is needed before we can say that we have a complete idea of the scale and scope of the compromise. Everything we know at this time relates to cyber-espionage and US national security institutions and there are no indications that most customers of SolarWinds Orion are actively breached by the threat group.

There are also no indications that the SolarWinds compromise was the only way in which the adversary could have reached their targets. The Cybersecurity and Infrastructure Security Agency has evidence that there are initial access vectors other than the SolarWinds Orion platform. As mentioned previously, we recommend following the remediation measures recommended by CISA. Even if your organization isn’t an active target of this threat group, there is no reason to leave a backdoor into your network lying around if you are using the affected versions of SolarWinds Orion. https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Some Interesting Details

Proficio has issued several advisories regarding the SolarWinds compromise and will be issuing more advisories as we learn more about the compromise. We are also in the midst of conducting an ongoing threat hunting campaign. Here are some of the interesting details that will shed light on the lessons we can draw from this campaign thus far.

  1. The SolarWinds hackers did a test run of the spy operation in October 2019, when malicious SolarWinds files were first downloaded by customers. That version did not contain a backdoor, but it indicates that the hackers were dwelling in SolarWinds’ network in 2019, if not earlier.
  2. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system so as to receive the employee’s unique access codes. FireEye’s security system sent an alert to the employee and to the company’s security team saying a new device had just been registered to the company’s MFA system as if it belonged to the employee, prompting FireEye to investigate. FireEye uncovered the SolarWinds breach into their network while trying to determine how the hackers obtained the employee’s credentials to register their device.
  3. The SUNBURST backdoor is only an initial persistent entry point used to deploy other tools that take root and subtly alter network configurations to allow future access. Remediating the SolarWinds breach is only the first step to be taken. The SUNBURST backdoor is known to distinguish between malleable detectors (services modified and tracked in the config file) and dealbreakers (running processes that will make SUNBURST abort immediately). Malleable detectors include several AV/EDR agents, while dealbreakers include several generic and specialized forensic tools, one of them being Sysmon. The distinction between these two buckets of target system processes/drivers for evasion purposes is important. Upon encountering one of the 8 malleable detection product families, SUNBURST takes a backup of the SCM ACL for the service, modifies the ACL to take ownership and disables the service. Before going dormant, SUNBURST restores the original ACL and settings. This means that:
    1. Dealbreaker drivers, when installed, prevent execution of SUNBURST completely.
    2. Dealbreaker processes running at runtime prevent job execution at that time.
    3. The 8 AV/EDR products would not have been very effective at preventing actions taken by SUNBURST unless their anti-tampering settings were cranked up.
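The service tampering described in item 3 above (disable the agent’s service, then put it back before going dormant) leaves a footprint on the host: a service’s start type is stored under HKLM\System\CurrentControlSet\Services\<name>\Start, and Sysmon records writes to that value as Event ID 13. The Python below is an added example, not code from Proficio or FireEye: it runs over a few constructed Sysmon-style lines and flags a monitored security service being switched to disabled (Start = 4) together with the later restore. Service names, hostnames, timestamps and the flattened line layout are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Hypothetical service names standing in for the AV/EDR agents the post
# refers to; a real deployment would list the service names actually
# installed across the estate.
MONITORED_SERVICES = {"ExampleAV", "ExampleEDR"}

# Windows service start types as stored in the registry Start value.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE_DISABLED = 4

# Matches a flattened Sysmon Event ID 13 (registry value set) line that
# writes a service's Start value. The one-line layout is our own constructed
# format; the registry path and "DWORD (0x........)" rendering are Sysmon's.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) EventID=13 .*?"
    r"TargetObject=HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\Start "
    r"Details=DWORD \(0x(?P<val>[0-9A-Fa-f]{8})\)$",
    re.IGNORECASE,
)

# Constructed sample telemetry: an Orion server where both agents are
# disabled, stay off for half an hour and are then re-enabled; an unrelated
# print-spooler change; a non-registry event; and a workstation where the
# AV agent is disabled and never restored.
SAMPLE_EVENTS = [
    r"2020-12-13 03:10:01 host=orion01 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\ExampleEDR\Start Details=DWORD (0x00000004)",
    r"2020-12-13 03:10:01 host=orion01 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\ExampleAV\Start Details=DWORD (0x00000004)",
    r"2020-12-13 03:12:40 host=orion01 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\Start Details=DWORD (0x00000003)",
    r"2020-12-13 03:12:41 host=orion01 EventID=11 Image=C:\Example\ServiceHost.exe TargetFilename=C:\Example\report.txt",
    r"2020-12-13 03:41:17 host=orion01 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\ExampleEDR\Start Details=DWORD (0x00000002)",
    r"2020-12-13 03:41:18 host=orion01 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\ExampleAV\Start Details=DWORD (0x00000002)",
    r"2020-12-14 22:05:09 host=ws42 EventID=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\ExampleAV\Start Details=DWORD (0x00000004)",
]


@dataclass
class Alert:
    ts: str
    host: str
    service: str
    kind: str      # "disabled" or "restored"
    detail: str


def parse_start_change(line):
    """Return (ts, host, service, start_type) for a Start-value write, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m["ts"], m["host"], m["svc"], int(m["val"], 16)


def detect_service_tampering(lines, monitored=MONITORED_SERVICES):
    """Alert on a monitored service being disabled, and on the re-enable that follows it."""
    alerts = []
    disabled_at = {}  # (host, service) -> timestamp of the disable we saw
    for line in lines:
        parsed = parse_start_change(line)
        if parsed is None:
            continue
        ts, host, svc, start = parsed
        if svc not in monitored:
            continue
        key = (host, svc)
        if start == SERVICE_DISABLED:
            disabled_at[key] = ts
            alerts.append(Alert(ts, host, svc, "disabled", "Start value set to disabled"))
        elif key in disabled_at:
            since = disabled_at.pop(key)
            alerts.append(Alert(ts, host, svc, "restored",
                                f"re-enabled as {START_TYPES.get(start, start)} "
                                f"after being disabled at {since}"))
    return alerts


def hosts_with_disable_restore_cycle(alerts):
    """Hosts where a monitored service was disabled and later put back: the pattern item 3 describes."""
    return sorted({a.host for a in alerts if a.kind == "restored"})


if __name__ == "__main__":
    found = detect_service_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.service}: {a.kind} ({a.detail})")
    print("disable/restore cycle seen on:", hosts_with_disable_restore_cycle(found))
```

The registry event tells you what changed, not who changed it: when a service is reconfigured through the Service Control Manager API the write is performed by services.exe, so attributing it to the calling process needs process telemetry alongside the registry event. Note also that a host where the service is disabled and never restored (ws42 in the sample) still deserves a look; the disable alone is the higher-priority signal, the restore is what distinguishes a tamper-and-hide pattern from an administrator simply turning an agent off.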

Lessons to Take Away

The SolarWinds compromise is a good case study of the impact, scale and scope of a supply chain compromise by a serious and capable adversary. It is important for us to draw the right lessons rather than chase buzzwords and whatever is popular and trendy.

  1. Most organizations should not shift all their focus to supply chain attacks. Most organizations lack sufficient visibility, network segmentation, administrative tiering, insider threat programs, detection and response, backups and asset management capabilities, and those gaps pose far greater risk in terms of actual impact on most organizations. Supply chain compromises are incredibly serious, but they are far from being the only way organizations get hit by serious cyber-attacks.
  2. Prevention is increasingly a no-win game. Well-orchestrated supply chain compromises are almost impossible to prevent. However, where prevention can fail, detection and response can succeed, and did succeed in this case. FireEye was able to detect and respond correctly to the actions of a capable nation-state adversary. Organizations should look to beef up their detection and response capabilities either internally or with a managed detection and response partner like Proficio.
  3. The success of detection and response actions depends significantly on basic visibility and monitoring. DNS logs play a key role in identifying whether a breach has taken place, and other activity indicators include file-write events to the ‘SolarWinds Orion DLL config file’, as well as changes to services in the registry while using any one of the 8 AV/EDR families tracked by the SUNBURST backdoor.
    1. In fact, the adversary does not even attempt to infect your network if it looks like you are watching the machine with something as simple and as effective as Sysmon. This means that the adversary knows that such dealbreakers work very effectively against them.
    2. That is not to say that FireEye and other organizations do not have monitoring in place; it is simply that their tools may not have been in the list of SUNBURST dealbreakers.
  4. Make use of defence-in-depth principles when crafting a detection strategy for visibility, logging, and detection and response capabilities. EDR and NDR solutions provide the ability to detect and rapidly contain threats, and should be complemented with solutions focusing on complete visibility and logging like Zeek and Sysmon. Reach out to Proficio to find out more about how we can help you create a more complete detection strategy.
  5. Make use of multi-factor authentication where possible and ensure that you have a robust asset management program. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system, and catching that requires both robust asset management and the use of multi-factor authentication.
  6. Enhance actual detection and response bandwidth and capability by reducing noise and excessive alerting. Reach out to Proficio to understand how we can help you enhance your existing capabilities by helping you to focus on what matters most.
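The MFA enrolment alert in item 5 above (a new device registered against an employee’s account, with notice sent to both the employee and the security team) is a simple rule to implement once an asset inventory exists to compare against. The Python below is an added example, not FireEye’s or Proficio’s code: it reads constructed JSON identity-provider events, notifies the employee about every registration, and escalates to the security team when the device is not in the inventory for that user or the registration came from outside the corporate address space. The users, device identifiers, addresses, mailbox names and the event schema are all assumed.

```python
import json
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed asset inventory: which device identifiers each user has been
# issued. In practice this is fed from the asset management system.
ASSET_INVENTORY = {
    "alice": {"LAPTOP-A1", "PHONE-A1"},
    "bob": {"LAPTOP-B1"},
}

# Assumed corporate address space (RFC 1918 here) and security-team mailbox.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]
SECURITY_TEAM = "soc@example.invalid"

# Constructed identity-provider events, one JSON object per line: a normal
# enrolment of an issued phone, an unknown device enrolled for bob from a
# non-corporate address (203.0.113.0/24 is a documentation range), a login
# that is not an enrolment, and an enrolment by a user the inventory has
# never heard of.
SAMPLE_MFA_EVENTS = [
    '{"ts": "2020-12-01T09:02:11Z", "user": "alice", "action": "mfa_device_registered", "device_id": "PHONE-A1", "src_ip": "10.0.5.12"}',
    '{"ts": "2020-12-01T23:47:03Z", "user": "bob", "action": "mfa_device_registered", "device_id": "PHONE-Z9", "src_ip": "203.0.113.77"}',
    '{"ts": "2020-12-01T23:48:30Z", "user": "bob", "action": "login_success", "device_id": "PHONE-Z9", "src_ip": "203.0.113.77"}',
    '{"ts": "2020-12-02T08:15:44Z", "user": "carol", "action": "mfa_device_registered", "device_id": "PHONE-C1", "src_ip": "10.0.7.3"}',
]


@dataclass
class Notification:
    ts: str
    user: str
    device_id: str
    recipients: list
    reasons: list = field(default_factory=list)

    @property
    def escalated(self):
        """True when the security team is on the notification, not just the employee."""
        return SECURITY_TEAM in self.recipients


def is_corporate(src_ip):
    """Whether the registration source address falls inside the assumed corporate ranges."""
    addr = ip_address(src_ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def review_mfa_registrations(lines, inventory=ASSET_INVENTORY):
    """Turn MFA device-registration events into notifications, escalating the suspicious ones."""
    notifications = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("action") != "mfa_device_registered":
            continue
        reasons = []
        known = inventory.get(ev["user"])
        if known is None:
            reasons.append("user has no devices in the asset inventory")
        elif ev["device_id"] not in known:
            reasons.append("device is not in the asset inventory for this user")
        if not is_corporate(ev["src_ip"]):
            reasons.append("registration came from outside corporate networks")
        # The employee is always told, so a registration they did not make is
        # noticed even if the inventory is incomplete; the security team is
        # added whenever any of the checks above fired.
        recipients = [f"{ev['user']}@example.invalid"]
        if reasons:
            recipients.append(SECURITY_TEAM)
        notifications.append(Notification(ev["ts"], ev["user"], ev["device_id"], recipients, reasons))
    return notifications


if __name__ == "__main__":
    for n in review_mfa_registrations(SAMPLE_MFA_EVENTS):
        flag = "ESCALATED" if n.escalated else "notify-user"
        print(f"{n.ts} {n.user} {n.device_id} {flag} {'; '.join(n.reasons)}")
```

The employee notification is the part that needs no infrastructure beyond the identity provider, which is why it is worth switching on even before the inventory is trustworthy: the account owner is the one person who knows for certain whether they just enrolled a phone.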

Attacker: Actor – TEMP.Periscope / Leviathan

The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear phishing campaigns against maritime and engineering targets. The threat actors appear to be tied to Chinese espionage. The TTPs of this threat actor are what is normally expected from a state-sponsored threat actor. Some of the interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool that hides obfuscated command-and-control data on Microsoft TechNet pages.

Technical analysis of TTPs used by TEMP.Periscope – https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Info on spear phishing campaigns attributed to Leviathan – https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

Technical information on the BLACKCOFFEE tool – https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html

Proficio Threat Intelligence Recommendations:

  • If the capability is available, ban the hashes of the IOCs identified by FireEye from running in your organization.
  • Consider banning certain cloud storage, such as Dropbox, if it does not have a business case within the organization.