Over the weekend, major news broke about a global supply chain attack campaign by a nation-state that targeted government, consulting, tech, telecom and other entities in North America, Europe, Asia and the Middle East. The campaign may have started as early as Spring 2020 and is ongoing.
Most notable targets include the U.S. Treasury Dept., Dept. of Homeland Security, and the Dept. of Commerce’s National Telecommunications and Information Administration (NTIA), the agency responsible for creating internet and telecommunications policy.
How Did It Happen?
FireEye has a very detailed technical write-up that explains their findings in depth, but here’s a brief summary:
SolarWinds, a provider of IT monitoring and management software, was exploited by the attackers. They gained access through malicious updates delivered by SolarWinds’ Orion software. Attackers used a number of techniques, including:
- Using a backdoor to communicate to third-party servers
- Disguising the backdoor’s network traffic as Orion protocol traffic
- Storing reconnaissance information within legitimate plugin config files
- Hiding malicious traffic to command and control (C2) domains as normal SolarWinds API communications
- Gaining access to networks with compromised credentials
- Moving laterally within the environment using many different credentials
According to Reuters, the attackers gained access to the NTIA’s staff email system, Microsoft’s Office 365. They monitored agency emails for several months. Microsoft has also provided a customer advisory with information on indicators of compromise and recommended defenses to protect against and monitor anomalous logins for Azure Active Directory.
Who’s Affected?
Any organization using Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, is affected by the malicious updates. FireEye has named this malware SUNBURST, while Microsoft dubbed it Solorigate, as reported by ZDNet.
How to Mitigate
SolarWinds recommends organizations upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible (available in their customer portal).
An additional hotfix release will be available Tuesday, Dec. 15. They recommend customers update to 2020.2.1 HF 2 as soon as it’s available, since it will both replace the compromised component and provide additional security enhancements, according to their security advisory.
Who Performed the Attack?
The intrusion campaign, suspected by some to be APT29/COZYBEAR, shows several characteristics of an Advanced Persistent Threat, or the like, including state-sponsorship. Let’s step through a few of the indicators:
- Strategic Targeting – It takes a considerable resource commitment to stealthily compromise both an organization’s network and, more impressively, the global software update system of its core product. Embedding malicious code within their standard releases means the attacker likely reverse-engineered the legitimate code in order to subtly blend in its own malware while maintaining application functionality. Typically, that would entail a development team in addition to a network intruder. Pursuing a supply chain attack against SolarWinds meant global access to agencies and corporations, which meets the definition of strategic targeting.
- Sophisticated Command and Control – Yet another sign of sophistication was the attacker’s choice to co-opt the product’s own proprietary HTTP protocol variant for C2 purposes. Here again, defensive evasion was clearly at the forefront of the attacker’s mind, which is a classic example of sophistication. Deconstructing the network protocol would be necessary first before the malware could make use of it for emulation purposes and incorporate steganography. The latter two qualities typically entail a development team directly supporting the intrusion campaign.
- Advanced Tradecraft – The threat actor went to the time, trouble, and expense of setting up C2 infrastructure in-country to help obfuscate the malware’s C2 channels. Many firewalls are configured for geo-blocking per policy as a means of risk reduction, making this extra step by the threat actor necessary. If an organization’s user base or business needs are exclusively in-country, this can be an effective control. While the aforementioned steps don’t require technical sophistication, the extra precaution could be interpreted as advanced computer network exploitation tradecraft. It’s yet another indication of how well-planned the entire intrusion campaign appears to have been in contrast to a script kiddie or the like. The attacker designed the entire campaign (supply chain targeting, lightweight backdoor malware, light footprint post-compromise behavior, disciplined operational tempo, and co-opted C2 traffic) with operational security in mind, likely to allow sufficient time for Actions on Objectives.
Detection Opportunities
Ideally, SolarWinds customers should configure their firewalls to only allow outbound SolarWinds device traffic to the vendor’s update servers, or, at worst, an explicit netblock. Doing so likely would’ve prevented the threat actor from gaining downstream device access to SolarWinds’ customers via the update known as Jobs. Also, customers should consider adopting an endpoint detection and response (EDR) solution, such as Sysmon, for better continuous operational visibility into DNS behavior.
Learn more in How to Enable Sysmon for Windows Logging and Security.
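To make the egress-allowlist idea above concrete on the detection side, here is an added example (not from the article or from SolarWinds) that checks Sysmon DNS query events (Event ID 22) from an Orion server against the suffixes a strict egress policy would permit, and flags anything else. The allowlist suffixes, host names, process path and sample events are constructed placeholders.

```python
"""Flag DNS lookups from a SolarWinds server that fall outside an egress allowlist.

Added example, not from the article. Input is a list of Sysmon Event ID 22
(DNS query) records already parsed into dicts. Any QueryName that is not equal
to, or a subdomain of, an allowlisted suffix is reported for review.
"""
from collections import namedtuple

# Constructed placeholder allowlist: the only suffixes the Orion server should
# resolve under a strict egress policy (vendor update servers plus the internal
# AD domain). Replace with the suffixes your firewall policy actually permits.
ALLOWED_SUFFIXES = ("updates.vendor.example", "corp.example")

Finding = namedtuple("Finding", "utc_time host image query_name")

def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def is_allowed(query_name: str, allowed=ALLOWED_SUFFIXES) -> bool:
    """True if query_name equals or is a subdomain of an allowlisted suffix.
    Uses a label boundary ('.' + suffix) so 'evilcorp.example' does not
    match the suffix 'corp.example'."""
    q = _normalize(query_name)
    return any(q == _normalize(s) or q.endswith("." + _normalize(s)) for s in allowed)

def find_unexpected_dns(events, allowed=ALLOWED_SUFFIXES):
    """Return a Finding for each EID 22 event whose QueryName is outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue  # only DNS query events carry a QueryName field
        if not is_allowed(ev["QueryName"], allowed):
            findings.append(Finding(ev["UtcTime"], ev["Computer"], ev["Image"], ev["QueryName"]))
    return findings

# Constructed sample events using Sysmon EID 22 field names; path is a placeholder.
_IMG = r"C:\Program Files (x86)\SolarWinds\Orion\PLACEHOLDER.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "UtcTime": "2020-12-14 09:12:01.123", "Computer": "orion01.corp.example",
     "Image": _IMG, "QueryName": "downloads.updates.vendor.example"},   # allowed: vendor subdomain
    {"EventID": 22, "UtcTime": "2020-12-14 09:12:07.456", "Computer": "orion01.corp.example",
     "Image": _IMG, "QueryName": "DC01.corp.example."},                # allowed after normalization
    {"EventID": 22, "UtcTime": "2020-12-14 09:13:44.789", "Computer": "orion01.corp.example",
     "Image": _IMG, "QueryName": "abcd1234.cdn.unrelated.example"},    # flagged: not allowlisted
    {"EventID": 3, "UtcTime": "2020-12-14 09:13:45.000", "Computer": "orion01.corp.example",
     "Image": _IMG, "DestinationHostname": "abcd1234.cdn.unrelated.example"},  # EID 3: skipped
]

if __name__ == "__main__":
    for f in find_unexpected_dns(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.host} {f.image} -> unexpected lookup {f.query_name}")
```

The same suffix check can be applied to Sysmon Event ID 3 DestinationHostname values to catch connections that bypass DNS logging.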
Security Recommendations
FireEye’s blog post provides immediate mitigation techniques to help organizations address the SolarWinds software risks, summarized below:
- Isolate SolarWinds servers and ensure they’re contained until an investigation is conducted – this includes blocking all Internet access from SolarWinds servers
- Change passwords for accounts with access to SolarWinds servers and infrastructure
- If you’re using SolarWinds for managed networking infrastructure, review your network device configurations for unauthorized modifications
- If SolarWinds infrastructure isn’t isolated, consider limiting the scope of SolarWinds server connectivity to endpoints; limiting the scope of accounts with local admin privileges on SolarWinds servers, and blocking internet access from servers or other endpoints with SolarWinds software