Sunburst: A Week in Review

2020 isn’t going down quietly, and what an awful week it has been for the security community. If you were lucky enough to be on vacation, let’s catch up.

Recap

Heading into the weekend on Friday the 8th, FireEye disclosed that it had been compromised by a nation state. By Sunday, it was discovered the breach came courtesy of the SolarWinds platform, Orion, and is suspected to have been executed by the Russian-based nation-state attack from a group known as APT29, also known as Cozy Bear

With the breach linked back to the use of Solarwinds’ updater as the distribution mechanism for the backdoor, finding out who had been affected was easy, and the results were devastating. 3 letter agencies, government entities, federal contractors, private businesses; numbering around 18,000 potential victims, this breach has garnered attention from media outlets coast-to-coast.

Why it’s Bad

The Orion platform includes the ability to monitor network performance and traffic. The platform also uses accounts with elevated permissions to monitor the health of applications and servers. Attackers able to breach the platform would have a map of the organization’s network, and credentials to potentially gain elevated access to critical systems. Critical systems commonly include those that hold credentials for every user in the organization, providing largely unfettered access to every system within the organization, and all the data contained on those systems.

The tech side is interesting. The Orion update service delivered a compromised, but signed, DLL that was backdoored to allow access to the attackers. Along with a handful of evasion techniques, data was exfiltrated by dumping it into legitimate configuration files and shipping them out, which made it appear to be typical system-health related check-ins.

Now What?

On que, the security community led by FireEye, Microsoft, a Federal response team, and individual researchers immediately started dumping all the data that could be found about the attackers, their motives, and TTPs (Tactics, Techniques and Procedures). IPs, Domains, Hashes, all quickly became available for organizations to assess whether they were affected.

This also brought light to an area of security often overlooked due to the difficulty in mitigating risks, 3rd parties. Many organizations aren’t attacked directly, but rather through those that they do business with, or use the product of. 3rd party software providers often propose exclusions for Endpoint Protection and Endpoint Detection and Response products. These exclusions should be heavily scrutinized rather than accepted at face value. In the instance of SolarWinds’ Orion platform, documentation notes exclusions for some of the same folders that housed the malicious DLL and were used for data exfiltration.

As always, CRITICALSTART remains vigilant and available to help our customers with a range of MDR, threat hunting, and response capabilities, but for customers with the means, expertise, and immediate needs, below are some of the resources we would recommend checking out to start the hunt yourself and report anything suspicious.

Look for more content to come from CRITICALSTART soon. We continue to research with our own facilities and team of experts to gather insights and discoveries around these issues, and we will continue to share our perspective on how to better secure your enterprise.

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha

https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

https://cyber.dhs.gov/ed/21-01/


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form