What happened

SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack. Their product Orion Platform, a solution for monitoring and managing their clients' IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom Sunburst backdoor on the networks of more than 18,000 SolarWinds customers, with many large corporations and government entities among the victims.

According to our Threat Intelligence data, the victims of this sophisticated supply-chain attack were located all around the globe: the Americas, Europe, Middle East, Africa and Asia.

After the initial compromise, the attackers appear to have chosen the most valuable targets among their victims. The companies that appeared to be of special interest to the malicious actors may have been subjected to the deployment of additional persistent malware.

Overall, the evidence available to date suggests that the SolarWinds supply-chain attack was designed in a professional manner. The perpetrators behind the attack made it a priority to stay undetected for as long as possible: after installation, the Sunburst malware lies dormant for an extended period of time, maintaining a low profile and thwarting automated sandbox-type analysis and detection. Additionally, the backdoor uses a sophisticated scheme for victim reporting, validation and upgrading which resembles methods used in some other notorious supply-chain attacks.

Read more about our research on Sunburst malware here. Additional reports and indicators of compromise are available to our Threat Intelligence Portal customers.

How to protect your organization against this threat

The detection logic has been improved in all our solutions to ensure that our clients remain protected. We continue to investigate this attack using our Threat Intelligence and will add further detection logic as it is required.

Our products protect against this threat and detect it with the following names:

Backdoor.MSIL.Sunburst.a
Backdoor.MSIL.Sunburst.b
HEUR:Trojan.MSIL.Sunburst.gen
HEUR:Backdoor.MSIL.Sunburst.gen

Screenshot of our TIP portal with one of the IoCs from the SolarWinds breach

Our Behavior Detection component detects the activity of the trojanized library as PDM:Trojan.Win32.Generic.

Our Endpoint Detection and Response (Expert) platform can help in searching for and identifying traces of this attack. Customers can search for Indicators of Compromise (such as hashes or domain names) with an .ioc file or directly in the Threat Hunting interface:

Or, customers can use the IoA Tag, which we have added specifically for this attack:

This rule tags endpoint detections for Sunburst to make them more clearly visible to security officers:

Our Kaspersky Anti-Targeted Attack Platform detects Sunburst traffic with a set of IDS rules with the following verdicts:

Trojan.Sunburst.HTTP.C&C
Backdoor.Sunburst.SSL.C&C
Backdoor.Sunburst.HTTP.C&C
Backdoor.Sunburst.UDP.C&C
Backdoor.Beacon.SSL.C&C
Backdoor.Beacon.HTTP.C&C
Backdoor.Beacon.UDP.C&C

Our Managed Detection and Response service is also able to identify and stop this attack by using threat hunting rules to spot various activities that can be performed by the Sunburst backdoor, as well as detections from Kaspersky Endpoint Security.
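The IoC search described above (hashes or domain names) can also be done without a product, for example against exported DNS logs and a file inventory. The following is an added illustration, not Kaspersky's or FireEye's code; the IoC values, log lines and file inventory are constructed placeholders, and the suffix match matters because a Sunburst-style beacon encodes victim data in a subdomain of the C2 domain rather than querying the C2 domain itself.

```python
import csv
import io

# Constructed IoC list standing in for a published one (e.g. the
# fireeye/sunburst_countermeasures repository). Placeholder values only.
IOC_CSV = """type,value
domain,c2-placeholder.example
sha256,0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed DNS log lines: "<client> <query name>". The second line mimics a
# beacon whose subdomain carries encoded victim data; the third is a look-alike
# that must NOT match (same suffix text, but not a subdomain).
DNS_LOG = """10.0.0.5 www.microsoft.com
10.0.0.7 k5jd8aq2lm0pz.appsync-api.c2-placeholder.example
10.0.0.9 notc2-placeholder.example
"""

# Constructed file inventory (path -> sha256) as an EDR export might provide it.
FILE_INVENTORY = {
    "C:\\Program Files\\Vendor\\lib.dll": "0" * 64,
    "C:\\Windows\\notepad.exe": "f" * 64,
}


def load_iocs(text):
    """Parse a type,value CSV into lowercase sets keyed by IoC type."""
    iocs = {"domain": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        iocs[row["type"].strip()].add(row["value"].strip().lower())
    return iocs


def domain_matches(query, domains):
    """True if the query equals an IoC domain or is one of its subdomains."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns(log_text, iocs):
    """Return (client, query) pairs whose query hits a domain IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and domain_matches(parts[1], iocs["domain"]):
            hits.append((parts[0], parts[1]))
    return hits


def scan_files(inventory, iocs):
    """Return paths whose hash is in the sha256 IoC set."""
    return [p for p, digest in inventory.items() if digest.lower() in iocs["sha256"]]
```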

Sunburst / UNC2452 / DarkHalo FAQ

Who is behind this attack? I read that some people say APT29 / Dukes?

At the moment, there are no technical links to previous attacks, so it may be an entirely new actor, or an already known one that evolved their TTPs and opsec to the point where they can't be linked anymore. Volexity, who previously worked on other incidents related to this, named the actor DarkHalo. FireEye named them "UNC2452", suggesting an unknown actor. While some media sources linked this with APT29 / Dukes, this appears to be either speculation, based on some other, unavailable data, or based on weak TTPs such as legitimate domain re-use.

I use Orion IT! Was I a target of this attack?

First of all, we recommend scanning your system with an updated security suite capable of detecting the compromised packages from SolarWinds. Check your network traffic for all the publicly known IOCs; see https://github.com/fireeye/sunburst_countermeasures. The fact that someone downloaded the trojanized packages doesn't necessarily mean they were selected as a target of interest and received further malware, or suffered data exfiltration. It would appear, based on our observations and common sense, that only a handful of the 18,000 Orion IT customers were flagged by the attackers as interesting and were further exploited.

Was this just espionage or did you observe destructive activities, such as ransomware?

While most of the high-profile incidents nowadays involve ransomware or some sort of destructive payload (think NotPetya, WannaCry), in this case it would appear the main goal was espionage. The attackers showed a deep understanding and knowledge of Office 365, Azure, Exchange and PowerShell and leveraged it in many creative ways to constantly monitor and extract e-mails from their true victims' systems.

How many victims have been identified?

Several publicly available data sets, such as the one from John Bambenek, include DNS requests encoding the victims' names. It should be noted that these victim names are just the "first stage" recipients, not necessarily the ones the attackers deemed interesting. For instance, out of the ~100 Kaspersky users with the trojanized package, it would appear that none were interesting enough to the attackers to receive the 2nd stage of the attack.

What are the most affected countries?

To date, we find users with the trojanized Orion IT package in 17 countries. However, the total number is likely to be larger, considering the official numbers from SolarWinds.

Why are you calling this an attack, when it's just exploitation? (CNA vs CNE)

Sorry for the terminology; we simply refer to it as a "supply chain attack". It would have been odd to describe it as a "supply chain exploitation".

Out of the 18,000 first stage victims, how many were interesting to the attackers?

This is difficult to estimate, mainly because of the lack of visibility and because the attackers were really careful in hiding their traces. Based on the CNAME records published by FireEye, we identified only two entities, a US government organization and a telecommunications company, who were tagged and "promoted" to dedicated C2s for additional exploitation.

Why didn't you catch this supply chain attack in the first place?

That's a good question! In particular, two things made it really stealthy. The slow communication technique, in which the malware lies dormant for up to two weeks, is one of them. The other one is the lack of x86 shellcode; the attackers used a .NET injected module. Last but not least, there was no significant change in the file size of the module when the malicious code was added. We observed two suspicious modules in 2019, which jumped from the usual 500K to 900K for SolarWinds.Orion.Core.BusinessLayer.dll. When the malicious code was first added, in February 2020, the file didn't change size in a significant manner. If the attackers did this on purpose, to avoid future detections, then it's a pretty impressive thing.

What is Teardrop?

According to FireEye, Teardrop is malware delivered by the attackers to some of the victims. It is an unknown memory-only dropper suspected to deliver a customized version of the well-known CobaltStrike BEACON. To date, we haven't detected any Teardrop samples anywhere.

What made this such a successful operation?

Probably a combination of things: a supply chain attack, coupled with a very well thought-out first stage implant, careful victim selection strategies and, last but not least, no obvious connections to any previously observed TTPs.

Read more: securelist.com