Responding to Solarigate
Updated: Dec 15, 2020
As you are no doubt aware, on Sunday the security software provider SolarWinds announced that installers for its Orion monitoring platform had been backdoored by "a nation-state". Typical customers of SolarWinds are enterprise-scale and security conscious. Organisations reported as compromised through these attacks include various parts of the US government, as well as a number of large organisations in the private sector.
Below we have included some suggestions for those responding to these incidents or performing forensics to confirm if they may be compromised.
Reviewing the backdoored Orion installers, they match what appears to be SolarWinds' normal build process. It is likely the attackers compromised both the SolarWinds source code and the build process, so that backdoored updates were delivered through the normal release process.
On Sunday 13th December 2020, SolarWinds sent an email to customers informing them of the situation:
Figure 1: Statement and email from SolarWinds
Backdoored Orion Installers
A number of backdoored installers have been identified, and are still being served from the SolarWinds website. Below is a non-exhaustive list of the installers:
Version 2019.4.5220.20161 *
* This version is listed as Suspicious by Microsoft (likely due to the presence of SolarWinds.Orion.Core.BusinessLayer.dll) but not confirmed malicious.
Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll
The file CoreInstaller.msi/OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll is what FireEye calls SunBurst and Microsoft calls Solorigate. SunBurst performs the typical first-stage backdoor tasks of downloading and executing files, whilst subtly evading detection.
SunBurst deploys basic Base64 encoding to hide key strings such as the command and control protocol:
Figure 2: Command and Control domains from SunBurst
And impersonates normal Orion network traffic to blend in:
Figure 3: Command and Control Traffic
A detailed analysis of SunBurst is available in the FireEye report, and we have included the de-obfuscated source code in Appendix B to save others having to perform the same de-obfuscation.
Later Stages of the Attack
Both Microsoft and FireEye have provided details of second stages of the attacks they have identified, including malware:
SuperNova - A .NET Web shell
CosmicGale - A Powershell credential theft script
TearDrop - A memory resident dropper
Cobalt Strike - A commercially available backdoor, observed dropped by TearDrop
And also attacker activity such as:
Suggestions for Forensic Analysis
The Department of Homeland security advises agencies with SolarWinds installations, and the required expertise, to perform a full forensic investigation:
a. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise.
b. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
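Item b above asks for external DNS domains that only a small number of hosts (such as the SolarWinds servers) have contacted. The following is an added example, not code from the original post or from Cado Security, that runs that rarity check over a constructed DNS query log; the log format, the internal-suffix list and the baseline of known domains are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<timestamp> <client_host> <queried_name>"
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:05Z solarwinds01 updates.example.com
2020-12-14T02:11:07Z solarwinds01 xk3f9a.appsync-api.example.net
2020-12-14T02:12:10Z workstation17 updates.example.com
2020-12-14T02:13:44Z workstation22 updates.example.com
2020-12-14T02:14:01Z solarwinds01 xk3f9a.appsync-api.example.net
2020-12-14T02:15:30Z workstation17 mail.corp.internal
2020-12-14T02:16:12Z solarwinds02 7hq2zz.appsync-api.example.net
2020-12-14T02:17:00Z workstation09 updates.example.com
"""

# Assumed suffixes that mark a name as internal rather than external.
INTERNAL_SUFFIXES = (".internal", ".local")


def registered_domain(name, levels=2):
    """Collapse a FQDN to its last `levels` labels (a.b.example.net -> example.net)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_dns_log(text):
    """Yield (host, fqdn) pairs from the constructed log format above, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, host, name = parts
        yield host, name


def rare_external_domains(text, max_hosts=2, baseline=frozenset()):
    """Return {domain: sorted hosts} for external domains not in `baseline` that were
    queried by at most `max_hosts` distinct hosts. `baseline` holds domains already
    known from earlier traffic, so only new and rarely contacted domains are reported."""
    hosts_by_domain = defaultdict(set)
    for host, fqdn in parse_dns_log(text):
        if fqdn.endswith(INTERNAL_SUFFIXES):
            continue
        domain = registered_domain(fqdn)
        if domain in baseline:
            continue
        hosts_by_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}
```

In the sample, the rarely contacted domain is the one queried only by the two SolarWinds hosts, which is exactly the pattern item b asks analysts to look for.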
Pay attention to Windows event logs with:
Microsoft provides guidance on how to enable increased logging of AD FS (Active Directory Federation Services).
Look for the existence of the following file:
(Note: the normal legitimate path for this file name is within C:\WINDOWS\SYSTEM32.)
Additional mitigation considerations:
It is strongly suggested that, where practical, sensitive systems and systems that introduce third-party risk are monitored and audited regularly.
We suggest that, where possible, servers should be allowed whitelisted internet access only. For example, if your SolarWinds server were only allowed to access the IP addresses and/or IP ranges necessary for its function, this would help prevent communication with unknown command and control infrastructure.
Always apply the concept of least-privileged access, and monitor for account usage that goes beyond an account's normal purpose or operation. For example, a service account performing an interactive logon, or querying other services that have no relation to the account's purpose.
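The last suggestion above, a service account performing an interactive logon or acting outside its normal purpose, can be checked against Windows Security event records. The following is an added example, not code from the original post or from Cado Security: it runs over constructed Event ID 4624 (successful logon) records and flags service accounts that log on interactively (Logon Type 2, 10 or 11) or from a host outside an assumed expected-host baseline. The "svc_" naming convention and the EXPECTED_HOSTS mapping are assumptions for the example.

```python
# Windows Event ID 4624 "Logon Type" values that represent a human-style session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumed naming convention and expected-host baseline for service accounts (hypothetical).
SERVICE_ACCOUNT_PREFIX = "svc_"
EXPECTED_HOSTS = {
    "svc_orion": {"solarwinds01"},
    "svc_backup": {"backup01", "backup02"},
}

# Constructed 4624/4625-style records (not real logs), reduced to the fields the check uses.
SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetUserName": "svc_orion", "LogonType": 5, "WorkstationName": "solarwinds01"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2, "WorkstationName": "workstation17"},
    {"EventID": 4624, "TargetUserName": "svc_orion", "LogonType": 10, "WorkstationName": "jumpbox03"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "WorkstationName": "fileserver02"},
    {"EventID": 4625, "TargetUserName": "svc_orion", "LogonType": 2, "WorkstationName": "solarwinds01"},
]


def is_service_account(name):
    """Identify service accounts by the assumed naming convention."""
    return name.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def anomalous_service_logons(events, expected_hosts=EXPECTED_HOSTS):
    """Return (account, host, reason) tuples for successful service-account logons that are
    interactive, or that originate from a host outside the account's expected set."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # failed logons (4625) and other events are out of scope here
        user = ev["TargetUserName"].lower()
        if not is_service_account(user):
            continue
        host = ev["WorkstationName"].lower()
        logon_type = ev["LogonType"]
        if logon_type in INTERACTIVE_LOGON_TYPES:
            findings.append((user, host, "interactive logon (%s)" % INTERACTIVE_LOGON_TYPES[logon_type]))
        elif host not in expected_hosts.get(user, set()):
            findings.append((user, host, "logon from unexpected host"))
    return findings
```

On the sample data the routine flags the RemoteInteractive logon by svc_orion from a jump box and the network logon by svc_backup from a file server that is not in its baseline, while the expected service logon on solarwinds01 is left alone.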
About Cado Security
We have built the first cloud-native forensics and response platform for responding to security incidents. Join our pilot partner program today, sign up for details here.
Appendix A - Consolidated Indicators of Compromise
The file-hashes (SHA256) below relate to malicious installers we have seen and file-hashes consolidated from earlier reporting. Additional indicators of compromise are available from FireEye, Microsoft and AlienVault OTX.
Appendix B - De-obfuscated SunBurst Source Code
Appendix C - SuperNova .NET WebShell