SolarWinds Supply Chain Attack

Executive Summary

Following the attack on FireEye, the US Department of Homeland Security (DHS) has issued an Emergency Directive (ED) regarding a backdoor being exploited in SolarWinds Orion products, versions 2019.4 through 2020.2.1 (inclusive).

Based on file signatures, FireEye considered this campaign to have started around March 2020, potentially affecting up to 18,000 organization worldwide.

This campaign, now known SUNBURST Solorigate, uses signed, backdoored infected DLL’s to gain access to organizations by communicating with malicious C2 infrastructures.

This campaign is considered as critical, as it’s based on a “Supply Chain Attack” – the attackers were able to infect key files from SolarWinds and perform “DLL Hijack” to make the application load the trojanized malware.

The list of products affected is quite comprehensive: 

• Application Centric Monitor (ACM) 
• Database Performance Analyzer Integration Module (DPAIM) 
• Enterprise Operations Console (EOC) 
• High Availability (HA) 
• IP Address Manager (IPAM) 
• Log Analyzer (LA) 
• NetFlow Traffic Analyzer (NTA) 
• Network Automation Manager (NAM) 
• Network Configuration Manager (NCM) 
• Network Operations Manager (NOM) 
• Network Performance Monitor (NPM) 
• Server & Application Monitor (SAM) 
• Server Configuration Monitor (SCM) 
• Storage Resource Monitor (SCM) 
• User Device Tracker (UDT) 
• Virtualization Manager (VMAN) 
• VoIP & Network Quality Manager (VNQM) 
• Web Performance Monitor (WPM)

Having infected a victim host the threat actor will attempt to deliver additional malware threats including: 

• Teardrop 
• Supernova 
• Cosmicgale

This report focuses on `Teardrop` and its impact, the other threats can be detected and mitigated with the rules mentioned in the recommendations. 

Although at this point it is not possible to attribute the campaign to a specific group, FireEye has given the campaign an uncategorized ‘UNC’ identifier, dubbing the group ‘UNC2452’, whilst Palo Alto’s Unit-42 assigned the threat actor as ‘SolarStorm’. 

Impact

The impact of this incident at this time should be considered critical given that it could lead to a full organization compromise. If affected, assume breach and begin Incident Response immediately. 

Currently observed victims seemingly include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East. 

Findings

Delivery

Based on the certificate used, the trojanized patch in question dates back to March 2020: 

• hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp 

Once applied, the trojanized patch will extract malicious DLL’s to the Solarwinds folder: 

• CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp 
• SolarWinds.Orion.Core.BusinessLayer.dll 
• OrionImprovementBusinessLayer.2.cs 
• app_web_logoimagehandler.ashx.b6031896.dll 

Files in question are all signed using the following certificate (53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7, Serial Number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed): 

Execution

Once in folder, legitimate SolarWinds executables will attempt to execute it (performing an attack called “DLL Hijack”): 

• SolarWinds.BusinessLayerHost.exe
• SolarWinds.BusinessLayerHostx64.exe

In a period of up to 2 weeks, the malware will attempt to resolve to the following address: 

• avsvmcloud[.]com

Once resolved, a CNAME record will be returned, in order to perform C2 communications. This can be one of the following four:

• .appsync-api.eu-west-1[.]avsvmcloud[.]com 
• .appsync-api.us-west-2[.]avsvmcloud[.]com 
• .appsync-api.us-east-1[.]avsvmcloud[.]com 
• .appsync-api.us-east-2[.]avsvmcloud[.]com 

Lateral Movement

Once initial access is gained, the threat actor group will attempt to perform Lateral Movement using a variety of techniques, sticking to legitimate credentials and remote access for access into a victim’s environment. 

In one of the infection cases, a never seen before memory-only dropper dubbed TEARDROP was used as part of the operation to deploy a Cobalt Strike beacon. 

TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which relies on Steganography for payload download and execution. 

Once executed, the payload will check that HKU\SOFTWARE\Microsoft\CTF exists, decode an embedded payload using a custom rolling XOR algorithm and manually load into memory an embedded payload using a custom PE-like file format. 

C2

The malware piece will attempt to generate (using Domain Generation Algorithm) domains for communications over a random interval, from 1 to 3 minutes, 30 to 120 minutes and up to 420-540 minutes in case an error was handled. 

Once generated, the malware will check against hardcoded IP’s for an updated A record domains for communications: 

• 10.0.0.0/8 
• 172.16.0.0/12 
• 192.168.0.0/16 
• 224.0.0.0/3 
• fc00:: – fe00:: 
• fec0:: – ffc0:: 
• ff00:: – ff00:: 
• 20.140.0.0/15 
• 96.31.172.0/24 
• 131.228.12.0/22 
• 144.86.226.0/24 

Later Stages of the Attack

Once inside the organization, the threat actor will likely attempt to advance their attack to the next stage through the delivery of additional malware such as: 

• SuperNova – A .NET Web shell 
• CosmicGale – A Powershell credential theft script 

Potential other attacker activities include: 

• Adding new federation trusts [3]. Microsoft recently added new detections for Modified domain federation trust settings [4] likely to hunt for this activity. 
• Adding OAuth credentials to Microsoft Exchange [5] 

Optional Attack Steps

Reconnaissance

Attackers might attempt to get a list of users on the Exchange server and their current role using ‘Get-ManagementRoleAssignment’: 

1. C:Windowssystem32cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command “Get-ManagementRoleAssignment -GetEffectiveUsers | select Name,Role,EffectiveUserName,AssignmentMethod,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace ‘`n’,’_’} | Out-File C:temp1.xml” 

Retrieve information about the configured Virtual Directory using Get-WebServicesVirtualDirectory: 

1. C:Windowssystem32cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command “Get-WebServicesVirtualDirectory | Format-List” 

 Querying and extracting data from Active Directory using AdFind: 

1. C:Windowssystem32cmd.exe /C sqlceip.exe -default -f (name=”Organization Management”) member -list | sqlceip.exe -f objectcategory=* > .SettingSynclog2.txt 

Lateral Movement

Attackers might use PowerShell to create new tasks on remote machines: 

1. $scheduler = New-Object -ComObject (“Schedule.Service”);$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(“MicrosoftWindowsSoftwareProtectionPlatform”);$task = $folder.GetTask(“EventCacheManager”);$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = “PT0S”;$folder.RegisterTaskDefinition($task.Name,$definition,6,”System”,$null,5);echo “Done” 

 Targeting multiple machines at once: 

1. C:Windowssystem32cmd.exe /C schtasks /create /F /tn “MicrosoftWindowsSoftwareProtectionPlatformEventCacheManager” /tr “C:WindowsSoftwareDistributionEventCacheManager.exe” /sc ONSTART /ru system /S [machine_name] 

Exfiltration

Once Exchange access was gained and data was found, attackers might search and exfiltrate data using the following command (for example, last year alone): 

1. C:Windowssystem32cmd.exe /C powershell.exe –PSConsoleFile exshell.psc1 –Command “New–MailboxExportRequest –Mailbox foobar@organization.here –ContentFilter {(Received –ge ’03/01/2020′)} –FilePath ‘\<MAILSERVER>c$tempb.pst‘” 

For the sake of easy exfiltration (as an archive and not file-by-file), attackers created archives on the Exchange server so it could be exfiltrated using a single HTTP command: 

1. C:Windowssystem32cmd.exe /C .7z.exe a -mx9 -r0 -p[33_char_password]  “C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthRedir.png” C:Tempb.pst‍‍‍ 

 An example URL for the attacker to collect the exfiltrated data would be: 

• hxxps://owa[.]organization[.].here/owa/auth/Redir.png 

On disk, this was located at the following path: 

• \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ 
• \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\ 

Finally, the attacker added their own devices as allowed IDs for active sync for a number of mailboxes using Set-CASMailbox: 

1. C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command “Set-CASMailbox -Identity <UserID> -ActiveSyncAllowedDeviceIDs @{add=’XXXXXXXXXXXXX’}” 

Recommendations

• In case your organization uses SolarWinds Orion software with a version number between 2019.4 to 2020.2.1 HF1 (inclusive), assume breach and start Incident Response actions immediately on all managed endpoints, and isolate accordingly. 
• Upgrade to 2020.2.1.HF1 version immediately.
• In case of clear network logs showing traffic going to avsvmcloud[.]com then in fact, malicious actors gained access to your network. 
• Rotate all credentials used by or stored in SolarWinds Orion. 
• Check for any persistency actions taken by the threat actors. 
• Implement and hunt based on the rules shared by FireEye [6] and Sophos [7]

Indicators of Compromise

File path: 

• C:\WINDOWS\SysWOW64\netsetupsvc.dll **Note the SysWOW64 path 

Vetted Hashes 

• 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 
• 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 
• 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 
• 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 
• a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc 
• ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c 
• c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 
• c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
• ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 
• d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 
• d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af 
• dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b 
• eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed 

Exchange Management Shell PowerShell commands potentially used: 

• Get-AcceptedDomain 
• Get-CASMailbox 
• Get-Mailbox 
• Get-ManagementRoleAssignment 
• Get-OrganizationConfig 
• Get-OwaVirtualDirectory 
• Get-Process 
• Get-WebServicesVirtualDirectory 
• New-MailboxExportRequest 
• Remove-MailboxExportRequest 
• Set-CASMailbox 

Domains: 

• .appsync-api.eu-west-1[.]avsvmcloud[.]com 
• .appsync-api.us-east-1[.]avsvmcloud[.]com 
• .appsync-api.us-east-2[.]avsvmcloud[.]com 
• .appsync-api.us-west-2[.]avsvmcloud[.]com 
• databasegalore[.]com 
• deftsecurity[.]com 
• digitalcollege[.]com 
• digitalcollege[.]org 
• freescanonline[.]com 
• globalnetworkissues[.]com 
• highdatabase[.]com 
• incomeupdate[.]com 
• kubecloud[.]com 
• lcomputers[.]com 
• panhardware[.]com 
• seobundlekit[.]com 
• solartrackingsystem[.]net 
• thedoccloud[.]com 
• virtualwebdata[.]com 
• webcodez[.]com 
• websitetheme[.]com 
• zupertech[.]com 

IP’s: 

• 13.57.184.217 
• 13.59.205.66 
• 139.99.115.204 
• 18.217.225.111 
• 18.220.219.143 
• 184.72.1.3 
• 184.72.101.22 
• 184.72.113.55 
• 184.72.145.34 
• 184.72.209.33 
• 184.72.21.54 
• 184.72.212.52 
• 184.72.224.3 
• 184.72.229.1 
• 184.72.240.3 
• 184.72.245.1 
• 184.72.48.22 
• 196.203.11.89 
• 20.141.48.154 
• 204.188.205.176 
• 3.16.81.254 
• 3.87.182.149‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍ 
• 34.203.203.23 
• 34.219.234.134 
• 5.252.177.21 
• 5.252.177.25 
• 51.89.125.18 
• 54.193.127.66 
• 54.215.192.52 
• 8.18.144.11 
• 8.18.144.12 
• 8.18.144.130 
• 8.18.144.135 
• 8.18.144.136 
• 8.18.144.149 
• 8.18.144.156 
• 8.18.144.158 
• 8.18.144.165 
• 8.18.144.170 
• 8.18.144.180 
• 8.18.144.188 
• 8.18.144.20 
• 8.18.144.40 
• 8.18.144.44 
• 8.18.144.62 
• 8.18.144.9 
• 8.18.145.131 
• 8.18.145.134 
• 8.18.145.136 
• 8.18.145.139 
• 8.18.145.150 
• 8.18.145.157 
• 8.18.145.181 
• 8.18.145.21 
• 8.18.145.33 
• 8.18.145.36 
• 8.18.145.3 

MITRE ATT&CK

References 

[1] https://cyber.dhs.gov/ed/21-01/

[2] https://www.solarwinds.com/securityadvisory

[3] https://activedirectoryfaq.com/2018/06/o365-hybrid-exchange-federation-trust/

[4] https://github.com/Azure/Azure-Sentinel/blob/ba04ef7349c04d3dd23a7facc47ffe9ecfae1dc4/Detections/AuditLogs/ADFSDomainTrustMods.yaml

[5] https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth

[6] https://github.com/fireeye/sunburst_countermeasures

[7] https://github.com/sophos-cybersecurity/solarwinds-threathunt