The next level of Stealth
Multiple SolarWinds Orion software updates released between March and June 2020 have been found to contain backdoor code that enables the attackers to conduct surveillance and execute arbitrary commands on affected systems. While this type of attack on the software supply chain is by no means novel, what is different this time is the level of stealth the attackers used to remain undetected for as long as possible. The attackers blended in with the affected code base, mimicking the software developer's coding style and naming standards, and did so consistently across the many functions they added to turn the Orion software into a backdoor for any organization that uses it. Post-compromise activity following this supply chain compromise has included lateral movement and data theft.
Key details related to this incident:
- It is a global attack campaign that started in March 2020 and is ongoing.
- The attack campaign has the potential to affect thousands of public and private organizations.
- The attack started with a software supply chain compromise attack.
- Threat actors trojanized a component of the SolarWinds Orion Platform software; FireEye dubbed the resulting backdoor SUNBURST [1].
- The backdoored version of the software was distributed through Orion's own automatic update mechanism.
- Attackers made heavy use of defense evasion techniques such as masquerading, code signing, obfuscated files or information, indicator removal on the host, and virtualization/sandbox evasion.
- The threat actor leverages ten different MITRE ATT&CK tactics, including Lateral Movement, Command and Control, and Exfiltration [2].
- The techniques used indicate that the threat actors are highly skilled.
The adversary inserted a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle, where it was then signed with the legitimate SolarWinds code signing certificate. Once installed, this binary calls out to a victim-specific subdomain of avsvmcloud[.]com using a protocol designed to mimic legitimate SolarWinds traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively hand back new domains or IP addresses for interactive command and control (C2) traffic.
Once the update is installed, the malicious DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After an initial dormant period of up to two weeks, SolarWinds.Orion.Core.BusinessLayer.dll retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware disguises its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results inside legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. The malware attempts to resolve a subdomain of avsvmcloud[.]com; the DNS response returns a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye's GitHub page [3].
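The DNS behaviour described above is the cheapest place to hunt: every infected host resolves a subdomain of avsvmcloud[.]com, and a CNAME answer means the operators singled that host out for interactive C2. The following is an added example, not code from the original article, FireEye or SolarWinds: it runs a simple detector over a constructed resolver log (the log format, the client addresses, the subdomain label and the CNAME target are all made up for illustration; the real subdomain labels are DGA output that encodes victim information and are not reproduced here). Because the backdoor can stay dormant for up to two weeks and the campaign began in March 2020, the lookback window for this hunt has to reach back at least that far.

```python
from dataclasses import dataclass
from typing import List, Optional

# Parent domain of which the backdoor resolves a victim-specific subdomain [1].
C2_PARENT = "avsvmcloud.com"

# Constructed resolver log (not real telemetry). One query per line:
#   <timestamp> <client_ip> <qname> <qtype> <rcode> <answer>
# The label under avsvmcloud.com is made up; the real ones are DGA output that
# encodes victim information [1] and are not reproduced here.
SAMPLE_DNS_LOG = """\
2020-06-02T10:14:03Z 10.0.5.21 orion01.corp.example. A NOERROR 10.0.5.21
2020-06-02T10:14:07Z 10.0.5.21 ab3k7zq9wtx2m.avsvmcloud.com. A NOERROR 10.11.12.13
2020-06-02T10:15:09Z 10.0.5.21 ab3k7zq9wtx2m.avsvmcloud.com. A NOERROR CNAME=c2-stage2.example.net.
2020-06-02T10:16:11Z 10.0.9.4 www.example.com. A NOERROR 93.184.216.34
2020-06-02T10:16:30Z 10.0.9.4 notavsvmcloud.com. A NOERROR 198.51.100.7
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    kind: str                        # "beacon" or "c2_dispatch"
    cname_target: Optional[str] = None


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def is_c2_lookup(qname: str) -> bool:
    """True for avsvmcloud.com itself or any subdomain of it. The check is
    label-aware, so a look-alike such as 'notavsvmcloud.com' does not match."""
    q = _norm(qname)
    return q == C2_PARENT or q.endswith("." + C2_PARENT)


def detect(log_text: str) -> List[Finding]:
    """Flag every lookup under the C2 parent. A CNAME answer is escalated,
    because that is how the operators hand out an interactive C2 domain [1]."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 6:
            continue                  # skip malformed lines rather than abort the hunt
        ts, client, qname, _qtype, _rcode, answer = parts
        if not is_c2_lookup(qname):
            continue
        if answer.upper().startswith("CNAME="):
            target = _norm(answer.split("=", 1)[1])
            findings.append(Finding(ts, client, _norm(qname), "c2_dispatch", target))
        else:
            findings.append(Finding(ts, client, _norm(qname), "beacon"))
    return findings


def affected_hosts(findings: List[Finding]) -> List[str]:
    """Clients that beaconed: candidates for DLL hash checks and triage."""
    return sorted({f.client for f in findings})


def new_indicators(findings: List[Finding]) -> List[str]:
    """CNAME targets returned by the C2 infrastructure. Block them and pivot on
    them in proxy logs, since the HTTP C2 traffic mimics SolarWinds API calls [1]."""
    return sorted({f.cname_target for f in findings if f.cname_target})


if __name__ == "__main__":
    hits = detect(SAMPLE_DNS_LOG)
    for h in hits:
        print(h)
    print("hosts to triage:", affected_hosts(hits))
    print("second-stage C2 indicators:", new_indicators(hits))
```

The two outputs feed different follow-ups: the host list goes to endpoint triage (checking the Orion DLL against the hashes in [3]), while the CNAME targets are the destinations to search for in web proxy logs, where URI and user agent will look like ordinary SolarWinds traffic.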
Let's walk through the sequence of this incident by mapping it to MITRE ATT&CK. According to Picus Security's analysis [2], the following TTPs were used in the SolarWinds breach:
- Resource Development
T1587.001 Develop Capabilities: Malware - In this incident, the attackers embedded their backdoor in the DLL SolarWinds.Orion.Core.BusinessLayer.dll, which FireEye named SUNBURST [1]. SUNBURST delivers further payloads, such as a previously unseen memory-only dropper dubbed TEARDROP by FireEye [1].
T1583.003 Acquire Infrastructure: Virtual Private Server - The attackers used Virtual Private Servers (VPSs) so that the IP addresses they operated from originated in the same country as the victim [1]. FireEye has published two YARA rules for detecting TEARDROP on GitHub [3].
- Initial Access
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain - According to the SolarWinds security advisory, attackers backdoored three versions of the Orion Platform software: 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1 [4]. How the attackers were able to tamper with this file is not yet clear. The backdoored Orion Platform update containing the malicious DLL was distributed through the product's automatic update mechanism.
- Execution
T1569.002 System Services: Service Execution - During installation of the SolarWinds application or its update, the tampered DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, which is installed as a Windows service.
- Persistence
T1543.003 Create or Modify System Process: Windows Service - When Windows boots, the malicious code starts with the service. The TEARDROP malware loaded by the modified DLL also runs as a service in the background [1].
- Privilege Escalation
T1078 Valid Accounts - The threat actors use multiple valid accounts for lateral movement in this campaign [1].
- Defense Evasion
T1553.002 Subvert Trust Controls: Code Signing - In this incident, the backdoored DLL was signed with SolarWinds' legitimate code signing certificate, so Authenticode verification alone does not distinguish it from a genuine build.
T1036.005 Masquerading: Match Legitimate Name or Location - According to the FireEye report, the threat actor uses a legitimate hostname found within the victim's environment as the hostname on their Command and Control (C2) infrastructure to avoid detection [1]. Moreover, the malware disguises its C2 traffic as the Orion Improvement Program (OIP) protocol [1].
T1036.003 Masquerading: Rename System Utilities - The threat actor replaces a legitimate utility with their own, executes their payload, and then restores the legitimate original file [1].
T1036.004 Masquerading: Masquerade Task or Service - Adversaries commonly give their tasks and services names identical or similar to those of legitimate ones run by the Windows Task Scheduler, at (Linux and Windows), Windows services, and Linux system services.
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion - In this incident, the backdoor waits up to two weeks after installation before starting Command and Control communication.
T1027.003 Obfuscated Files or Information: Steganography - The TEARDROP malware used in the breach reads from the file gracious_truth.jpg, which contains a malicious payload [1].
T1070.004 Indicator Removal on Host: File Deletion - The threat actor removes their malicious files, including backdoors, once remote access is no longer needed [1].
- Discovery
T1057 Process Discovery - The threat actor gets a list of processes to shape follow-on behaviors [1].
T1012 Query Registry - The threat actor obtains the Cryptographic Machine GUID by querying the MachineGuid value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography key and uses it to generate a unique userID for each victim [1].
- Lateral Movement
T1021 Remote Services - The threat actor uses valid accounts and legitimate remote access tooling to move laterally in the target network.
- Command and Control
T1071.001 Application Layer Protocol: Web Protocols - The malicious DLL uses the avsvmcloud[.]com domain to call out to remote network infrastructure [5]. The malware used in this breach sends: i) HTTP GET or HEAD requests when data is requested; ii) HTTP PUT or HTTP POST requests when data is sent [1].
T1568.002 Dynamic Resolution: Domain Generation Algorithm - The backdoor used in this campaign uses a DGA to build the subdomain it resolves in order to locate its C2 server [1].
- Exfiltration
T1041 Exfiltration Over C2 Channel - The threat actor uses HTTP PUT requests when the collected data is less than 10000 bytes and HTTP POST requests otherwise when exfiltrating data to the C2 server [1].
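Because the HTTP C2 traffic is built to look like Orion Improvement Program / SolarWinds API calls, a hunt over web proxy logs has to key on the destination host rather than on the URI or user agent, and the method/size rule above then tells you which direction data was moving and roughly how much left. The following is an added example, not code from the original article or from FireEye: it runs that logic over a constructed proxy log (log format, client addresses, the C2 hostname and the paths are all made up; real C2 hosts would come from the FireEye indicator list [3] or from CNAME targets observed in DNS telemetry). It also tags uploads whose PUT/POST choice does not match the documented 10000-byte rule, since such traffic to a C2 host deserves a second look rather than dismissal.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed proxy log (not real telemetry). One request per line:
#   <timestamp> <client_ip> <method> <host> <path> <status> <request_bytes> <response_bytes>
# Paths are placeholders: the real SUNBURST URIs imitate the Orion Improvement
# Program / SolarWinds API [1], which is why the hunt keys on the host instead.
SAMPLE_PROXY_LOG = """\
2020-06-02T10:20:01Z 10.0.5.21 GET c2-stage2.example.net /api/tasks 200 0 612
2020-06-02T10:20:04Z 10.0.5.21 HEAD c2-stage2.example.net /api/tasks 200 0 0
2020-06-02T10:21:10Z 10.0.5.21 PUT c2-stage2.example.net /api/events 200 4096 0
2020-06-02T10:23:45Z 10.0.5.21 POST c2-stage2.example.net /api/upload 200 250000 0
2020-06-02T10:24:00Z 10.0.9.4 GET www.example.com / 200 0 1256
2020-06-02T10:25:30Z 10.0.7.8 POST c2-stage2.example.net /api/upload 200 512 0
"""

# Second-stage C2 hosts. Constructed here; in practice populate from the FireEye
# indicator list [3] and from CNAME targets seen in DNS telemetry.
C2_HOSTS: Set[str] = {"c2-stage2.example.net"}

PUT_POST_THRESHOLD = 10000   # bytes: PUT below this, POST at or above it [1]


@dataclass
class HttpFinding:
    timestamp: str
    client: str
    method: str
    host: str
    direction: str       # "fetch", "send", "send-offrule" or "other"
    request_bytes: int


def direction_for(method: str, request_bytes: int) -> str:
    """Map the HTTP method onto the transfer direction SUNBURST uses [1].
    'send-offrule' marks an upload whose method/size pairing does not follow
    the documented PUT/POST selection."""
    m = method.upper()
    if m in ("GET", "HEAD"):
        return "fetch"                         # backdoor asking the C2 for Jobs
    if m == "PUT":
        return "send" if request_bytes < PUT_POST_THRESHOLD else "send-offrule"
    if m == "POST":
        return "send" if request_bytes >= PUT_POST_THRESHOLD else "send-offrule"
    return "other"


def hunt(log_text: str, c2_hosts: Set[str]) -> List[HttpFinding]:
    """Return every request to a known C2 host, classified by direction."""
    findings: List[HttpFinding] = []
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 8:
            continue                  # skip malformed lines rather than abort the hunt
        ts, client, method, host, _path, _status, req_bytes, _resp_bytes = parts
        if host.lower() not in c2_hosts:
            continue
        size = int(req_bytes)
        findings.append(HttpFinding(ts, client, method.upper(), host.lower(),
                                    direction_for(method, size), size))
    return findings


def bytes_sent_per_client(findings: List[HttpFinding]) -> Dict[str, int]:
    """Request bytes pushed to C2 per client: a first estimate of exfiltrated volume."""
    totals: Dict[str, int] = {}
    for f in findings:
        if f.direction.startswith("send"):
            totals[f.client] = totals.get(f.client, 0) + f.request_bytes
    return totals


if __name__ == "__main__":
    hits = hunt(SAMPLE_PROXY_LOG, C2_HOSTS)
    for h in hits:
        print(h)
    print("bytes sent to C2 per client:", bytes_sent_per_client(hits))
```

The per-client byte totals are only a lower bound on what was taken: they count the C2 channel alone, and the later hands-on-keyboard activity described under Lateral Movement may have used other paths entirely.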
References
[1] FireEye, "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor." https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. Last accessed: 15 Dec 2020.
[2] Picus Security, "Tactics, Techniques and Procedures (TTPs) used in SolarWind Breach." https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach. Last accessed: 16 Dec 2020.
[3] FireEye, "fireeye/sunburst_countermeasures." https://github.com/fireeye/sunburst_countermeasures. Last accessed: 20 Dec 2020.
[4] SolarWinds, "SolarWinds Security Advisory." https://www.solarwinds.com/securityadvisory. Last accessed: 15 Dec 2020.
[5] Microsoft Security Response Center (MSRC), "Customer Guidance on Recent Nation-State Cyber Attacks." https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks. Last accessed: 21 Dec 2020.
Nice article NANDA RANI. An interesting fact is that they named it a "supply chain attack" instead of a direct attack, and they used SolarWinds, a third-party vendor, as a backdoor to gain access into the system.
Generally, we have a conception that any update for software means it adds an additional layer of security. But this incident has changed this conception totally. It is extremely important to focus on the detection mechanism for this. Think Once
Good correlation with MITRE