FireEye discovers global intrusion campaign through SolarWinds

Supply chain attack trojanising SolarWinds Orion business software updates.

FireEye has uncovered a widespread campaign, dubbed UNC2452. The actors behind this campaign gained access to numerous public and private organisations around the world.

FireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.

They gained access to victims via trojanised updates to SolarWinds’ Orion IT monitoring and management software.

According to a blog post by FireEye, this campaign may have begun as early as Northern Hemisphere Spring 2020 and is currently ongoing; post-compromise activity following this supply chain compromise has included lateral movement and data theft.

The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanised version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

Multiple trojanised updates were digitally signed from March – May 2020 and posted to the SolarWinds updates website, including:

  • hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

The trojanised update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanised SolarWinds.Orion.Core.BusinessLayer.dll component.

Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration).

After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.
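As an added detection example (not FireEye’s or SolarWinds’ code), the Python below scans resolver log lines for lookups under the avsvmcloud[.]com domain described above and rates CNAME answers highest, since in this campaign the CNAME is what handed the implant its C2 domain. The log line format, the sample subdomain labels and the placeholder C2 name are constructed assumptions, not indicators from the page.

```python
import re
from typing import Dict, List

# Domain named in the FireEye write-up as the first-stage resolution target.
SUSPECT_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log (not real telemetry). Assumed format:
# "<timestamp> <client_ip> <query_name> <record_type> <answer>"
SAMPLE_DNS_LOG = """\
2020-12-13T10:01:02Z 10.0.5.21 downloads.solarwinds.com A 203.0.113.10
2020-12-13T10:04:17Z 10.0.5.21 aaaa1111bbbb2222cccc.appsync-api.eu-west-1.avsvmcloud.com A 198.51.100.7
2020-12-13T10:05:40Z 10.0.5.21 dddd3333eeee4444ffff.appsync-api.us-west-2.avsvmcloud.com CNAME c2-placeholder.example
2020-12-13T10:06:01Z 10.0.7.33 www.example.com A 93.184.216.34
2020-12-13T10:07:15Z 10.0.7.33 notavsvmcloud.com A 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def is_subdomain_of(name: str, parent: str) -> bool:
    """True for parent itself and any label-aligned subdomain; no substring matching."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)


def find_sunburst_dns_indicators(log_text: str) -> List[Dict[str, str]]:
    """Flag lookups under avsvmcloud.com; CNAME answers (the C2 hand-off) rate high."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, rtype, answer = m.groups()
        if not is_subdomain_of(qname, SUSPECT_DOMAIN):
            continue
        severity = "high" if rtype == "CNAME" else "medium"
        hits.append({"time": ts, "client": client, "query": qname,
                     "rtype": rtype, "answer": answer, "severity": severity})
    return hits


def hosts_to_isolate(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct clients that performed the lookup: candidates for isolation and egress blocking."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = find_sunburst_dns_indicators(SAMPLE_DNS_LOG)
    print(len(found), "hits; isolate:", hosts_to_isolate(found))
```

The `notavsvmcloud.com` line is included to show that the check is label-aligned, so look-alike registrations are not matched by accident.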

“We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected,” wrote FireEye.

SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. In addition, SolarWinds has released additional mitigation and hardening instructions here.

In the event organisations are unable to follow SolarWinds’ recommendations, the following are immediate mitigation techniques that could be deployed as first steps to address the risk of trojanised SolarWinds software in an environment. If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.

Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.

If SolarWinds infrastructure is not isolated, consider taking the following steps:

  • Restrict the scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets.
  • Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
  • Block Internet egress from servers or other endpoints with SolarWinds software.

Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.

If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorised modifications. Note that this is a proactive measure due to the scope of SolarWinds functionality, not one based on investigative findings.
