Quantify Cyber Risk Now

header ads

SolarWinds Hack Explained | Lucideus

On Dec 12, FireEye reported that the Solaris Orion IT monitoring suite was attacked using trojanized updates. This attack was a highly skilled manual supply chain attack on the SolarWinds, allowing hackers to compromise the networks of public and private organizations. SolarWinds believes that 18,000 customers downloaded the trojanized update, which counts plenty of large companies among its clients. The malware was present between March and June 2020.

One of the abilities of this malware is that it provided the access to the attackers to begin monitoring internal emails at the departments. The attackers simply had to wait until their targets downloaded and ran the fake software update.

The update file includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component which was the compromised file in the SolarWinds supply chain attack. 

How The Attack Works: Solorigate/ SUNBURST Malware
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds-signed plugin component (the loophole in the supply chain and trust) of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. 

After an initial dormant period of up to two weeks, it executes commands, called “Jobs”, that includes the ability to transfer and execute files, profile the system, and disable system services. 

The backdoor’s behaviour and network protocol blend in with legitimate SolarWinds activity, masquerading as the Orion Improvement Program (OIP) protocol. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers while sitting idle on the infected system and waiting for the timer to detonate.

Once the malicious code has been executed, the malicious DLL then establishes a connection to avsvmcloud[.]com to download additional payloads, move laterally, and exfiltrate data. This makes it even more difficult for security researchers to identify malicious payloads.

Using this level of access, the attacker can steal credentials and increase privileges. Once they have the access to highly privileged accounts, the attacker can then achieve their actions on objectives in any number of ways.

Microsoft, FireEye, and GoDaddy took control over the main domain avsvmcloud[.]com, which was used by the hackers to communicate with the compromised systems. They reconfigured it to create a killswitch that would prevent SUNBURST malware from continuing to operate on victims' networks.

Detection and Mitigation:
The attackers modified a legitimate utility on the targeted system with their malicious code, executed it, and then replaced it with the legitimate one. This is known as the temporary file replacement technique to remotely execute them.

If this DLL has been found on your system, you should immediately upgrade your SolarWinds deployment to the recent hotfix version.

Based on the hashed provided by FireEye, the hashes to look for are:
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  • eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
  • c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
  • ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
  • d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

SolarWinds released a workaround, asking customers to upgrade to Orion Platform version 2020.2.1 HF 1, as soon as possible, to ensure their environment is safe. An additional hotfix was released that replaced the compromised component and provided several additional security enhancements. 

The detection of C:\Windows\SysWOW64\netsetupsvc.dll should be considered suspicious and reported, as the netsetupsvc.dll file is associated with the Microsoft Network Setup Service, which is a legitimate service and DLL when loaded from System32 the payload appears to masquerade as legitimate software to evade detection.

How SAFE could have helped in preventing this hack?

SAFE is the Security Assessment Framework for Enterprise. Having SAFE in place could have given visibility of the necessary security controls which could have helped in the chances of preventing attacks like SolarWinds from happening. The research suggests that attackers modified a legitimate utility on the targeted system with their malicious code, executed it, and then replaced it with the legitimate one. This is known as the temporary file replacement technique to remotely execute them. 

The advantages of having SAFE could have helped reduce the chances of this hack/breach from happening:
  • SAFE is a security assessment tool which provides scoring based on the cybersecurity posture of the organization.

  • In this case, the most important aspect of the attack is the ability of the malware to be able to mask itself in the modified copies of legitimate utility which was not even detected by antivirus. The way to identify it is to monitor the software signatures provided by the publishers. It should be optimal to maintain and create a possible control where these certificates are validated by the organization in constant intervals of auditing.

  • The system should be configured to enable the logging and monitoring services so that abnormal activities can be identified by monitoring the configuration controls present in the SAFE framework.

Post a comment