This attack is a big deal and there’s a lot of stuff to keep track of. This is my own personal effort, using open sources, social media, news media.
SolarWInds is a US company based in Austin, Texas that makes IT monitoring and management tools used by the US government and most major corporations. On December 13 2020, security alerts and advisories were issued for the SolarWinds Orion product because of the discovery of a massive supply chain compromise leveraging automated software updates to distribute sophisticated malware to all 18,000 users.
A highly skilled, highly resourced adversary, believed to be state-backed and most likely Russian, used trojanized updates via Orion to gain access to victims. The attack had all the classic hallmarks of highly targeted nation-state cyber espionage: multiple custom malware and backdoors to co-opt legitimate processes and employ obfuscation and evade detection in a long-term stealthy campaign extending back into 2019. The attackers used multiple avenues to access their targets.
Assume breach. The attackers did not leave much behind to work with, but these are high value targets with high value data. The attackers had the time and ability to move laterally through networks to identify anything worth taking, and they could leave the data intact once they got what they wanted. We don’t know the endgame. While there is no indication of data tampering, they were sure to wipe the logs and erase their footprints.
And it came to light because FireEye, the threat intelligence and defense organization, discovered they had been compromised just a short time earlier, and traced it to their SolarWinds Orion connection. FireEye has named the attacker UNC2452 because attribution isn’t a blame game and requires all the facts. For now, this what we run with.
Significant Targets / Victims:
- FireEye – security
- Microsoft – tech and security
- Crowdstrike – security
- Malwarebytes – security
- US Government: DHS, Departments of Energy, Commerce, State, Treasure, Defence, Justice
- US Military
SUNBURST – backdoor. This was discovered right away, and is the stepping stone in a multi-stage attack involving other malware. SUNBURST is a trojanized version of the digitally signed SolarWInds.Orion.Core.BusinessLayer.dll plug-in. It abuses the trust of the digital signature to spread from SolarWinds onto all those other networks where it can then receive and deploy more malware.
TEARDROP – loader malware, memory only. Second malware found. Used to deploy a customized version of Cobalt Strike BEACON. From the FireEye writeup 12/13/20, TEARDROP runs as a service, spawns a thread and reads from the “gracious_truth.jp” file. It checks for the existence of a specific file, HKU\SOFTWARE\Microsoft\CTF, then decodes its embedded payload and manually loads that into memory.
BEACON – Cobalt Strike is a commercially available tool used in penetration testing for a wide variety of attack capabilities. Remember Spiderman: with great power comes great responsibility. So, in the hands of attackers, this tools gives them a lot of advantages, especially because it’s used for legitimate purposes so it can bypass defenses. BEACON is the payload used for modeling advanced attackers. We need to know what the bad guys are doing, and this is essential. I may be biased in favour of the Red Team, I confess, but it’s because I know what they can find, and we need to secure.
SUNSPOT – loader malware. Third malware found. The discovery was reported 1/12/21 by security firm Crowdstrike in this report. Of note is that this malware is believed to have been used before SUNBURST, back in September 2019 during the initial breach of the SolarWinds network. It was installed on a build server, where developers assemble software components. SUNSPOT’s purpose was to watch for build commands in the Orion app, then replace those source code files with the malware used in SUNBURST. Surprise!
RAINDROP – loader malware. Symantec found RAINDROP (Backdoor.Raindrop), the fourth custom malware identified, and issued this report on 1/18/21. The malware shares some similarities to TEARDROP, but differs in distinct ways. FIrst, it is NOT launched by SUNBURST, and it’s not yet known how it is deployed. Only that it’s on networks where SUNBURST has been. It appears to have kicked into gear June/July 2020. There have only been 4 examples found. It uses a legitimate tool, 7ZIP, to wrap up Cobalt Strike BEACON or other malware to be used in the post-compromise stage of attack.
Data sent back via DNS request: How a Rare DGA Helped Attacker Communications Fly Under the Radar Symantec Broadcom 1/7/21
The Office 365 link: SolarWinds attack opened up 4 separate paths to a Microsoft 365 cloud breach 1/19/21 SC Media
Microsoft says it found malicious software in its systems 12/17/20 Reuters
SolarWinds: The more we learn, the worse it looks 1/4/21/ZDNet
Raindrop: New Malware Discovered in SolarWinds Investigation 1/18/21 Symantec