{"id":5823,"date":"2020-12-22T16:28:08","date_gmt":"2020-12-23T00:28:08","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5823"},"modified":"2024-08-07T12:22:35","modified_gmt":"2024-08-07T19:22:35","slug":"solarwinds-and-sunburst-update","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/","title":{"rendered":"SolarWinds and SUNBURST Update"},"content":{"rendered":"<p>Authors: Victor Sandin and Darby Wise<br \/>\nTLP:WHITE<\/p>\n<h3>1.\u00a0 Executive Summary<\/h3>\n<p>On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.<sup>1<\/sup> This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.<sup>2<\/sup> The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. Known victims include government agencies, as well as private sector and critical infrastructure organizations.<sup>3<\/sup><\/p>\n<p>Since the publishing of our previous report, we have gathered additional information about the wide-ranging effects of this campaign, and are conducting several internal investigations. We are publishing this update to share some of the latest information from OSINT, as well as convey what we have been able to validate. 
This report also includes additional IOCs.<\/p>\n<h3>2.\u00a0 Analysis<\/h3>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.1.\u00a0 \u00a0Updates on Supply Chain Attack<\/h4>\n<p>As previously reported, the threat actor used a highly sophisticated attack chain to deliver malicious code via a backdoor injected into a dynamic-link library (DLL) that was a part of a legitimate update to some versions of SolarWinds Orion software (<em>SolarWinds.Orion.Core.BusinessLayer.dll<\/em>). Based on the update release date and passive DNS (pDNS) data, this breach started as early as March 2020. However, ReversingLabs has reportedly found that in October 2019, the threat actor distributed malicious files without the embedded backdoor to test whether or not these files would be detected.<sup>4<\/sup><\/p>\n<p>The threat actor was able to remain undetected for an extended period of time by employing sophisticated obfuscation methods such as imitating the legitimate SolarWinds coding style and naming standards, using virtual private servers (VPSs) with IPs native to the victim\u2019s home country, and leveraging compromised security tokens for lateral movement. Further analysis indicates that the threat actor used escalated Active Directory privileges to compromise the Security Assertion Markup Language (SAML) signing certificate and create valid tokens that could be used to access environment resources for data exfiltration.<\/p>\n<p>According to a new alert from the Cybersecurity and Infrastructure Security Agency (CISA), it appears that the threat actor used multiple initial access vectors in addition to the SolarWinds Orion platforms. Volexity reported to have evidence connecting the TTPs from this campaign to multiple incidents from late 2019 and early 2020 targeting a US-based think tank. 
Volexity designated the actor responsible for these attacks Dark Halo.<sup>5<\/sup> In one of these incidents, Volexity observed the APT using a stolen secret key, known as an akey, to generate a cookie to bypass the Duo multi-factor authentication (MFA) service and access a user\u2019s email via the Outlook Web App (OWA). While we are still investigating our non-Orion products, to date, we have not seen evidence that they are impacted by SUNBURST.<\/p>\n<p>Our previous report included information from FireEye stating the APT deployed other variants of malware as additional payloads, including TEARDROP, SUPERNOVA, and COSMICGALE. Since then, ZDNet has concurred that the threat actor downloaded TEARDROP, a memory-only dropper, but also reported that security researchers\u2019 and Microsoft\u2019s further analysis indicates SUPERNOVA and COSMICGALE were not part of this campaign\u2019s attack chain and should be considered a separate attack targeting CVE-2019-8917.<sup>6<\/sup><\/p>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.2.\u00a0 \u00a0Decoding the DGA Algorithm<\/h4>\n<p>Several teams have published findings pertaining to decoding the elements of the FQDNs created by the threat actor\u2019s DGA. The RedDrip Team from QiAnXin Technology published a decoder and found that the subdomains were composed of three parts: a globally unique identifier (GUID) value composed of the hash of the hostname and MAC address of the first or default active and non-loopback interface; a single byte indicating whether it is the first, second or third part of the payload (infected system domain name); and finally, a custom base32-encoded hostname to identify the victim. 
Longer domains are split across multiple queries and assembled later by matching the GUID section after applying a byte-by-byte exclusive OR.<sup>7,8<\/sup><\/p>\n<ul>\n<li>The decoded value for the single byte indicating which part of the payload the subdomain includes ranges from 0 to 35. The first part of the payload will have a byte value of 0 if the domain is long enough to require multiple requests. Infected systems with short domain names will have only one request with a byte value of 35.<\/li>\n<\/ul>\n<p>Subsequently, the NETRESEC team created a tool to further decode the SUNBURST subdomains in an effort to help identify SUNBURST victims. Since 18 December, they have released several versions of the decoder.<sup>9<\/sup><\/p>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.3.\u00a0 \u00a0DNS Activity<\/h4>\n<p>From a DNS perspective, Infoblox has been able to verify that once a victim has been infected with SUNBURST, the malware beacons to avsvmcloud[.]com with a hostname designed by a DGA to exfiltrate data about the victim, as described above. The threat actor can return one of several responses in the form of an IP. We have not yet been able to determine, nor seen reporting in OSINT, about what factor(s) trigger different responses from the threat actor. From our analysis it appears that the number of entities that receive direction to move to the second stage domains, passed via a CNAME resolution, is much smaller than the overall number that contact the initial server. It remains unclear how the actor chooses which victims to move into different stages of the attack.<\/p>\n<p>Our analysis has also shown that if queries resolve to an IP that matches a pattern producing an address family as \u201cNetBios,\u201d it appears to trigger certain follow-on activity. 
IPs that match a pattern producing an address family as \u201cImplink\u201d or \u201cAtm\u201d serve as prompts for enumerating processes and services. IPs that resolve as \u201cIpx\u201d appear to be requests for updates to local \u201cStatus\u201d configurations. Infoblox has not observed data to confirm this. Other address families appear to include \u201cInterNetwork,\u201d \u201cInterNetworkV6,\u201d and \u201cError.\u201d<\/p>\n<h3>3.\u00a0 Prevention and Mitigation<\/h3>\n<p>FireEye, in coordination with GoDaddy, recently transferred control of the command and control (C&amp;C) domain (<em>avsvmcloud[.]com<\/em>) to Microsoft to disable the SUNBURST backdoor from further execution.<sup>10<\/sup> GoDaddy created a wildcard DNS resolution ensuring that any subdomain of the threat actor\u2019s C&amp;C resolves to an IP address that will not prompt any follow-on actions.<\/p>\n<p>While this new DNS resolution will disable SUNBURST backdoor deployments connecting to the C&amp;C, FireEye has stated that the attackers may have deployed other backdoors, preventing victims from removing the threat actor completely from their networks.<\/p>\n<p>CISA included in its alert detailed mitigations for organizations that use the specific products affected by this attack chain.<sup>3<\/sup><\/p>\n<p>FireEye recommends that affected customers apply the following upgrades, if possible:<\/p>\n<ul>\n<li>Customers using Orion Platform v2020.2 with no hotfix or 2020.2.1 HF1 should upgrade to 2020.2.1 HF 2, or<\/li>\n<li>Customers using Orion Platform v2019.4 HF 5 should upgrade to 2019.4 HF 6.<\/li>\n<\/ul>\n<p>If an organization is unable to upgrade to this version of Orion, FireEye recommends taking the following actions:<\/p>\n<ul>\n<li>Disconnect SolarWinds servers from the Internet and isolate them, or restrict access from SolarWinds servers if this is not possible.<\/li>\n<li>Rotate credentials to accounts that have access to SolarWinds servers and\/or infrastructure.<\/li>\n<li>Review 
network configurations created by SolarWinds, looking for anomalies.<\/li>\n<\/ul>\n<p>Microsoft\u2019s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation state activity.<sup>11<\/sup><\/p>\n<p>It is important to block all communications to the threat actor\u2019s C&amp;C servers that are listed in the IOC table, as well as any further indicators released by security vendors confirmed to be part of this campaign.<\/p>\n<h3>4.\u00a0 Indicators of Compromise<\/h3>\n<p>Below is a supplementary list of IOCs related to this attack, according to OSINT. The CISA published an extended list of IOCs in their 17 December report on the campaign.<\/p>\n<p>As stated in our previous report, in some cases the actor behind SUNBURST specifically tailored their infrastructure to different victims. Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may continue to grow as organizations investigate their environments and share their findings.<\/p>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4.1.\u00a0 \u00a0Additional Indicators<\/h4>\n<table width=\"672\">\n<tbody>\n<tr>\n<td width=\"516\"><strong>Indicator<\/strong><\/td>\n<td width=\"156\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"516\">\n<p style=\"text-align: center;\">e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d<\/p>\n<p style=\"text-align: center;\">a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2<\/p>\n<p style=\"text-align: center;\">32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77<\/p>\n<p style=\"text-align: center;\">dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b<\/p>\n<p style=\"text-align: center;\">eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed<\/p>\n<p style=\"text-align: 
center;\">c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77<\/p>\n<p style=\"text-align: center;\">ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8<\/p>\n<p style=\"text-align: center;\">b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666<\/p>\n<p style=\"text-align: center;\">20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9<\/p>\n<p style=\"text-align: center;\">0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589<\/p>\n<p style=\"text-align: center;\">cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6<\/p>\n<p style=\"text-align: center;\">ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c<\/p>\n<p style=\"text-align: center;\">019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134<\/p>\n<p style=\"text-align: center;\">ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6<\/p>\n<p style=\"text-align: center;\">2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d<\/p>\n<p style=\"text-align: center;\">92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690<\/p>\n<p style=\"text-align: center;\">a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d<\/p>\n<p style=\"text-align: center;\">a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc<\/p>\n<p style=\"text-align: center;\">d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af<\/p>\n<p style=\"text-align: center;\">d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600<\/p>\n<p style=\"text-align: center;\">c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71<\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"156\">SUNBURST DLL SHA256<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"516\"><a 
href=\"https:\/\/www.volexity.com\/blog\/2020\/12\/14\/dark-halo-leverages-solarwinds-compromise-to-breach-organizations\/\">https:\/\/www.volexity.com\/blog\/2020\/12\/14\/dark-halo-leverages-solarwinds-compromise-to-breach-organizations\/<\/a><\/td>\n<td width=\"156\">\n<p style=\"text-align: center;\">Additional IOCs from Volexity report<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"516\">\n<p style=\"text-align: center;\">databasegalore[.]com<\/p>\n<p style=\"text-align: center;\">deftsecurity[.]com<\/p>\n<p style=\"text-align: center;\">digitalcollege[.]org<\/p>\n<p style=\"text-align: center;\">freescanonline[.]com<\/p>\n<p style=\"text-align: center;\">globalnetworkissues[.]com<\/p>\n<p style=\"text-align: center;\">highdatabase[.]com<\/p>\n<p style=\"text-align: center;\">incomeupdate[.]com<\/p>\n<p style=\"text-align: center;\">kubecloud[.]com<\/p>\n<p style=\"text-align: center;\">lcomputers[.]com<\/p>\n<p style=\"text-align: center;\">panhardware[.]com<\/p>\n<p style=\"text-align: center;\">seobundlekit[.]com<\/p>\n<p style=\"text-align: center;\">solartrackingsystem[.]net<\/p>\n<p style=\"text-align: center;\">thedoccloud[.]com<\/p>\n<p style=\"text-align: center;\">virtualwebdata[.]com<\/p>\n<p style=\"text-align: center;\">websitetheme[.]com<\/p>\n<p style=\"text-align: center;\">webcodez[.]com<\/p>\n<p style=\"text-align: center;\">zupertech[.]com<\/p>\n<\/td>\n<td width=\"156\">\n<p style=\"text-align: center;\">Additional SUNBURST domains<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1 style=\"text-align: center;\"><\/h1>\n<p style=\"text-align: center;\">\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-solarwinds-supply-chain-attack\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-solarwinds-supply-chain-attack\/<\/a><\/li>\n<li><a 
href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\">https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html<\/a><\/li>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-352a\">https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-352a<\/a><\/li>\n<li><a href=\"https:\/\/blog.reversinglabs.com\/blog\/sunburst-the-next-level-of-stealth\">https:\/\/blog.reversinglabs.com\/blog\/sunburst-the-next-level-of-stealth<\/a><\/li>\n<li><a href=\"https:\/\/www.volexity.com\/blog\/2020\/12\/14\/dark-halo-leverages-solarwinds-compromise-to-breach-organizations\/\">https:\/\/www.volexity.com\/blog\/2020\/12\/14\/dark-halo-leverages-solarwinds-compromise-to-breach-organizations\/<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/a-second-hacking-group-has-targeted-solarwinds-systems\/\">https:\/\/www.zdnet.com\/article\/a-second-hacking-group-has-targeted-solarwinds-systems\/<\/a><\/li>\n<li><a href=\"https:\/\/blog.cloudflare.com\/a-quirk-in-the-sunburst-dga-algorithm\/\">https:\/\/blog.cloudflare.com\/a-quirk-in-the-sunburst-dga-algorithm\/<\/a><\/li>\n<li><a href=\"https:\/\/blog.truesec.com\/2020\/12\/17\/the-solarwinds-orion-sunburst-supply-chain-attack\/\">https:\/\/blog.truesec.com\/2020\/12\/17\/the-solarwinds-orion-sunburst-supply-chain-attack\/<\/a><\/li>\n<li><a href=\"https:\/\/www.netresec.com\/?page=Blog&amp;month=2020-12&amp;post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS\">https:\/\/www.netresec.com\/?page=Blog&amp;month=2020-12&amp;post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS<\/a><\/li>\n<li><a 
href=\"https:\/\/krebsonsecurity.com\/2020\/12\/malicious-domain-in-solarwinds-hack-turned-into-killswitch\/\">https:\/\/krebsonsecurity.com\/2020\/12\/malicious-domain-in-solarwinds-hack-turned-into-killswitch\/<\/a><\/li>\n<\/ol>\n<p>11.\u00a0 <a href=\"https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/\">https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Victor Sandin and Darby Wise TLP:WHITE 1.\u00a0 Executive Summary On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6738,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[379,401,380,189],"class_list":{"0":"post-5823","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-solarwinds","9":"tag-sunburst","10":"tag-supply-chain-attack","11":"tag-cybersecurity","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SolarWinds and SUNBURST Update<\/title>\n<meta name=\"description\" content=\"SolarWinds and 
SUNBURST Update. On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. Known victims include government agencies, as well as private sector and critical infrastructure organizations.3\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SolarWinds and SUNBURST Update\" \/>\n<meta property=\"og:description\" content=\"SolarWinds and SUNBURST Update. On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. 
Known victims include government agencies, as well as private sector and critical infrastructure organizations.3\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-12-23T00:28:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-07T19:22:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"344\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"SolarWinds and SUNBURST Update\",\"datePublished\":\"2020-12-23T00:28:08+00:00\",\"dateModified\":\"2024-08-07T19:22:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/\"},\"wordCount\":1806,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-08.jpg\",\"keywords\":[\"SolarWinds\",\"sunburst\",\"Supply Chain Attack\",\"Cybersecurity\"],\"articleSection\":[\"Cyber Threat Advisory\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/\",\"name\":\"SolarWinds and SUNBURST 
Update\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-08.jpg\",\"datePublished\":\"2020-12-23T00:28:08+00:00\",\"dateModified\":\"2024-08-07T19:22:35+00:00\",\"description\":\"SolarWinds and SUNBURST Update. On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. 
Known victims include government agencies, as well as private sector and critical infrastructure organizations.3\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-08.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-08.jpg\",\"width\":612,\"height\":344,\"caption\":\"Male IT Engineer Works on a Laptop in front of Server Cabinet at a Big Data Center. 
Rows of Rack Servers are Seen.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/solarwinds-and-sunburst-update\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threat Advisory\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-threat-advisory\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"SolarWinds and SUNBURST Update\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https
:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SolarWinds and SUNBURST Update","description":"SolarWinds and SUNBURST Update. 
On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. Known victims include government agencies, as well as private sector and critical infrastructure organizations.3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/","og_locale":"en_US","og_type":"article","og_title":"SolarWinds and SUNBURST Update","og_description":"SolarWinds and SUNBURST Update. On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. 
Known victims include government agencies, as well as private sector and critical infrastructure organizations.3","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/","og_site_name":"Infoblox Blog","article_published_time":"2020-12-23T00:28:08+00:00","article_modified_time":"2024-08-07T19:22:35+00:00","og_image":[{"width":612,"height":344,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"SolarWinds and SUNBURST Update","datePublished":"2020-12-23T00:28:08+00:00","dateModified":"2024-08-07T19:22:35+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/"},"wordCount":1806,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg","keywords":["SolarWinds","sunburst","Supply Chain Attack","Cybersecurity"],"articleSection":["Cyber Threat 
Advisory"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/","name":"SolarWinds and SUNBURST Update","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg","datePublished":"2020-12-23T00:28:08+00:00","dateModified":"2024-08-07T19:22:35+00:00","description":"SolarWinds and SUNBURST Update. On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.2 The threat actor behind the campaign carried out a complex attack chain and demonstrated highly sophisticated TTPs, indicating it was the work of an advanced persistent threat (APT) group. 
Known victims include government agencies, as well as private sector and critical infrastructure organizations.3","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-08.jpg","width":612,"height":344,"caption":"Male IT Engineer Works on a Laptop in front of Server Cabinet at a Big Data Center. Rows of Rack Servers are Seen."},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-and-sunburst-update\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Threat Advisory","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-threat-advisory\/"},{"@type":"ListItem","position":4,"name":"SolarWinds and SUNBURST 
Update"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. 
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5823"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5823\/revisions"}],"predecessor-version":[{"id":5826,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5823\/revisions\/5826"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6738"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}