• cdoman1

Responding to Solarigate

Updated: Dec 15, 2020

As you are no doubt aware, on Sunday the security software provider SolarWinds announced that installers for it’s Orion monitoring platform had been backdoored by "a nation-state". Typical customers of SolarWinds are enterprise scale and security conscious. Reported organisations compromised through these attacks include various parts of the US government, as well as a number of large organisations in the private sector.

Below we have included some suggestions for those responding to these incidents or performing forensics to confirm if they may be compromised.


Reviewing the backdoored Orion installers, they match what appears to be SolarWind's normal build process. It is likely the attackers have compromised both the SolarWind source code, and their build process to deliver backdoored updates through their normal release process.

The first backdoored installers identified so far date back to October 2019, though SolarWinds themselves have only referred to backdoored installers starting in May 2020.

On Sunday 13th December 2020, SolarWinds sent an email to customers informing them of the situation:

Figure 1: Statement and email from SolarWinds

Backdoored Orion Installers

A number of backdoored installers have been identified, and are still being served from the SolarWinds website. Below is a non-exhaustive list of the installers:

Version 2019.4.5220.20161 *

https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi

( 38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd )


( a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc )

* This version is listed as Suspicious by Microsoft (likely due to the presence of SolarWinds.Orion.Core.BusinessLayer.dll) but not confirmed malicious.

Version 2020.2.5220.27327

https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi

( ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 )

Contains (

019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 )

Version 2020.2.5320.27438

https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi

( c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e )


( ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 )

SunBurst/Solorigate Backdoor

The file CoreInstaller.msi/ is what FireEye calls SunBurst and Microsoft calls Solorigate. SunBurst performs the typical first-stage backdoor tasks of downloading and executing files, whilst subtly evading detection.

SunBurst deploys basic Base64 encoding to hide key strings such as the command and control protocol:

Figure 2: Command and Control domains from SunBurst

And impersonates normal Orion network traffic to blend in:

Figure 3: Command and Control Traffic

A detailed analysis of SunBurst is available in the FireEye report, and we have included the de-obfuscated source-code in Appendix B to save others having to do perform the same de-obfuscation.

Later Stages of the Attack

Both Microsoft and FireEye have provided details of second stages of the attacks they have identified, including malware:

And also attacker activity such as:

Suggestions for Forensic Analysis

The Department of Homeland security advises agencies with SolarWinds installations, and the required expertise, to perform a full forensic investigation:

a. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1]. Analyze for new user or service accounts, privileged or otherwise.

b. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

Pay attention to Windows event logs with:

Look for the existence of the following file:

  • C:\WINDOWS\SysWOW64\netsetupsvc.dll

(**note the normal legitimate path for this file-name is within C:\WINDOWS\SYSTEM32):

Additional mitigation considerations:

  • It is strongly suggested where practical, that sensitive systems, or systems that imply a third party risk be monitored and audited regularly.

  • We suggest where possible servers should allow whitelisted internet access only. For example, if your SolarWinds server was only allowed to access the necessary IP addresses, and or IP ranges for its function. It would help prevent communication to unknown command and control infrastructure.

  • Always utlise the concept of least privileged access, and look to monitor account usage that is beyond its normal purpose or operation. For example, a service account performing an interactive logon or querying other services that have no relation to the accounts purposes.

About Cado Security

We have built the first cloud-native forensics and response platform for responding to security incidents. Join our pilot partner program today, sign up for details here.

Appendix A - Consolidated Indicators of Compromise

The file-hashes (SHA256) below relate to malicious installers we have seen and file-hashes consolidated from earlier reporting. Additional indicators of compromise are available from FireEye, Microsoft and AlienVault OTX.
















Appendix B - De-obfuscated SunBurst Source Code


Appendix C - SuperNova .NET WebShell


4,714 views0 comments

Recent Posts

See All

© 2020 Cado Security

Registered Address

Unit 2.05 12-18 Hoxton Street, Hackney, London, United Kingdom, N1 6NG

Company number 12552987

  • White Twitter Icon
  • LinkedIn
  • Amazon