Last month’s uncovering of the SolarWinds supply chain attack caused waves of panic and chatter across the U.S. and all over the world. How did such a widely-used and important software get breached? And are even the supposedly best-protected companies (and their customers) still at risk of compromise? Bit by bit, more information is being discovered about the famous attack we all recently witnessed. It is supposed that Russian nation-state actors are behind the breach that poisoned a SolarWinds software update, delivering the Sunburst backdoor to around 18,000 organizations and companies, including large tech companies such as Microsoft, FireEye and more. Even President Joe Biden is facing pressure from security advisors to urgently address what is being called one of the worst data breaches to ever hit the U.S. government. Since the original headlines outlining the Sunburst supply chain variant, additional malware strains involved in the attacks have also been discovered.
The Implant: Sunspot
Sunspot malware was used to infiltrate SolarWinds and poison new versions of Orion, the company's IT inventory management system. Attackers used Sunspot to target build servers, modifying the build process of the SolarWinds Orion app and inserting the Sunburst backdoor inside the application updates. Build servers prioritize developer use efficiency over high quality security, making them quite vulnerable to malware attacks. A blog post by SolarWinds has stated that that its software development and build process “is common throughout the software industry”, a statement that probably did not comfort anyone, and one that raises questions about other large corporations in the software industry – are their developer environments inadequately built for detecting malicious activity as well? In SolarWind’s case, the server breach caused trojanized Orion versions to be published, undetected, on the company’s official update servers between March and June 2020. Thousands of companies downloaded the Orion update during this time, unknowingly downloading the Sunburst backdoor along with it.
The Backdoor: Sunburst (Solorigate)
Sunburst itself is not particularly complex, its main purpose being gathering information about the infected network and sending the data to a remote server. Once the backdoor was installed in a victim’s network, it laid dormant for about two weeks, evading detection. Sunburst then went on to gather all relevant information about the network. The hackers were picky with their targets, choosing to escalate access only in “high value” organizations.
The Post-Exploitation Tools: Teardrop & Raindrop
Recently discovered, these two malware variants were used to target the most desirable organizations for the attackers. If an organization had sensitive or useful data to steal and was found worthy of escalation, Sunburst would go on to pull a more advanced backdoor loader – Teardrop. Raindrop on the other hand, shows up on networks where at least one device has already been infected with Sunburst, yet no indication has been found that Sunburst was the reason its installation was triggered. Raindrop seems to be a tool used to propagate laterally in a victim network. Both backdoors have been found to drop Cobalt Strike, a penetration testing tool that detects network vulnerabilities, and when used maliciously – can be utilized to spread through a network, exfiltrating data and delivering other strains of malware. Although both post-exploitation tools drop Cobalt strike, each use a different packer and different malware configurations for the infection.
To maximize protection against these threats:
- The US DHS has a specific set of instructions for US Government entities that actually is a good one for anyone using SolarWinds Orion to follow: https://cyber.dhs.gov/ed/21-01/
- In addition, basic good hygiene, like testing updates in a lab before deploying them into production, and monitoring traffic while doing that, can catch a lot of issues (not just malware, but broken updates).
- Validate and verify all hardware and software before deploying it, and make sure that there are no active CVEs for those systems. You can check that here: https://cve.mitre.org/cve/
- Frequently update IP perimeter devices (like firewalls) to block the latest known malicious networks
- Use DNS-based protection to identify and block communications to known C2/malware/exfiltration hosts, as well as to Newly Observed Domains such as those created by DGA's: https://blog.threatstop.com/premium-feed-threatstop-nod-powered-by-farsight
What has ThreatSTOP done for you lately?
ThreatSTOP has been propagating the C2 infrastructure, including the domain information described above, to our subscribers, as well as our public benefit partner, the Global Cyber Alliance Quad 9 service, since December 13th.
Customers who took advantage of our Newly Observed Domains Powered by Farsight Premium Targets gained an even higher level of protection from their ThreatSTOP service, and would have been interdicting the domains before they had been positively identified as malicious.
Our reporting will call out attempted connections to this infrastructure, indicating the malware's presence. Any ThreatSTOP subscriber can contact our security and support team for assistance in reviewing reports and tuning policies to mitigate this threat and others.
As we learn more about the attack and other campaigns, we will be adding the domains, hostnames, and network addresses to our customer security policies. ThreatSTOP will keep you posted.
Ready to try ThreatSTOP in your network? Would you like to see an expert-led demo and get answers about how it works? We're here to help! Let's get started today.