The latest headliner in cybersecurity news is the recently disclosed compromise of FireEye, the US Government, and many others that was brought about by a backdoor discovered in a widely installed set of network tools from SolarWinds.
What we know so far reveals a sophisticated, long-term, and well-funded campaign that was likely backed by a nation's resources rather than some run-of-the-mill cyber criminal enterprise.
The type of attack, supply chain compromise, is fairly simple in principle. A hacking group believed to be Russian compromised a source code repository using publicly posted credentials and inserted a backdoor in SolarWinds Orion. Orion is a comprehensive IT management platform that has the ability to configure systems, manage patches, and effectively perform any task that a systems or network administrator can. By compromising this platform, the attackers were able to have complete control of any network or system managed by the trojaned software. When Orion customers installed updated versions of the system derived from the modified source code, it gave the attackers the ability to install arbitrary code, including malware, masquerading as standard patches, on vulnerable networks. There are currently over 40 known victim companies, and up to 18,000 more who could become victims before all is said and done. While much of this attack will be studied as being novel, the attackers' playbook here, like that of many campaigns, was pretty simple:
- Introduce the malware
- Activate the malware
- Expand infection
- Exfiltrate data
Introduction of the malware was the hard part, and the hardest to prevent in this case. It would be difficult - if not impossible - to stop a determined nation-level actor with 100% success, especially when they manage to get inside your "trust bubble" through an incumbent vendor. The rest of the attack, however, is where detection and interdiction can occur. Activation and expansion typically require communications, either to a command-and-control network (C2) or a malware download site, or both. Data exfiltration is another action that can be detected and blocked. The following describes how IP address and DNS filtering can - and does - address these issues.
How do you keep the attacking malware from activating, spreading, and exfiltrating?
Just like spies in the real world, cyber attackers have to get the goods back and communicate with their "agent". Their weak point is that communication. Interdicting communication with the attackers' C2, malware download, and exfiltration sites prevents them from taking action and getting data, and also identifies compromised machines. Nation-level actors, like "regular" opportunistic cybercriminals, often use and reuse network infrastructure for multiple campaigns. As with the physical world, they have to have control of, and trust, the infrastructure they use. While the number of IP addresses and domain names is very large, it is not limitless, and only a subset of those can be trusted by criminals and spies. Knowing these resources allows you to block them by default.
Furthermore, the domain names used by criminals and attackers show different usage patterns than legitimate ones. Whereas normal sites tend to be used after being set up for a while, and over a longer period of time, malicious domain names tend to be used very quickly, and for a short period of time. As a result, newly activated domains should be treated differently than older, established domains. Many types of malware use dynamically generated domain names and/or the host portion of a DNS name as a communication mechanism. This can be identified through pattern analysis, but it also presents an opportunity to block based on the infrastructure: the DNS server that resolves the domain names has to be running special software that participates in the dynamic name generation and decoding, so blocking that name server, and any domains using it, breaks the communication channel.
In the case of the SunBurst/Solarigate trojan, the fact that the malware authors could not know, in advance, where their malware was installed, provides an opportunity to identify infections, and interdict the command and control. In order to signal what entity it was communicating from, and therefore receive the specific instructions for what to do, the malware encodes the domain name of the system it is running on in the host portion of the query for records of the form <encoded-data>.appsync-api.<location-server>.avsvmcloud[.]com. Blocking any query for any subzone of avsvmcloud[.]com interdicts the communications channel, and logs containing that domain indicate an infection.
However, it would not have been necessary to know, in advance, that queries of that form were malicious if newly observed host queries were being blocked, because generated host names are, by definition, newly observed. This is one of the other weaknesses of Domain Generation Algorithm-based malware communication, and combining this with blocking domains whose name servers are known to be DGA or DNS tunneling agents is a very powerful tool to interdict unknown malware.
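The two checks described above, applied to DNS query logs, as an added example (not ThreatSTOP's code). The log format, the sample lines, the `loc-1` label and the local `KNOWN_HOSTS` baseline standing in for a newly-observed-domains feed are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Parent zone named in the text; every subzone is treated as an indicator.
BLOCKED_ZONE = "avsvmcloud.com"
# Query form from the text: <encoded-data>.appsync-api.<location-server>.<zone>
BEACON_RE = re.compile(
    r"^(?P<encoded>[^.]+)\.appsync-api\.(?P<location>[^.]+)\.avsvmcloud\.com$")

def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")

def in_zone(qname, zone=BLOCKED_ZONE):
    """True for the zone or any subzone, matched on a label boundary."""
    return qname == zone or qname.endswith("." + zone)

def triage(log_lines, known_hosts):
    """Scan 'timestamp client qname' lines (assumed format).

    Returns (infected, newly_observed):
      infected       client IP -> list of (encoded label, location label)
      newly_observed set of (client, qname) absent from the baseline
    """
    infected = defaultdict(list)
    newly_observed = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, raw = parts
        qname = normalize(raw)
        if in_zone(qname):
            m = BEACON_RE.match(qname)
            infected[client].append(
                (m["encoded"], m["location"]) if m else (None, None))
        elif qname not in known_hosts:
            newly_observed.add((client, qname))
    return dict(infected), newly_observed

# Constructed sample data, not taken from any real log.
KNOWN_HOSTS = {"www.example.org", "mail.example.org"}
SAMPLE_LOG = [
    "2020-12-14T10:00:01Z 10.0.0.5 www.example.org",
    "2020-12-14T10:00:02Z 10.0.0.7 abc123examplelabel.appsync-api.loc-1.avsvmcloud.com.",
    "2020-12-14T10:00:03Z 10.0.0.9 notavsvmcloud.com",
    "2020-12-14T10:00:04Z 10.0.0.7 x9k2q.unseen.example.net",
    "2020-12-14T10:00:05Z 10.0.0.8 AVSVMCLOUD.com",
]
```

Matching on the label boundary keeps look-alike names such as `notavsvmcloud.com` out of the infected set; they still surface through the newly observed check.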
To maximize protection:
- The US DHS has a specific set of instructions for US Government entities that is actually a good one for anyone using SolarWinds Orion to follow: https://cyber.dhs.gov/ed/21-01/
- In addition, basic good hygiene, like testing updates in a lab before deploying them into production, and monitoring traffic while doing that, can catch a lot of issues (not just malware, but broken updates).
- Validate and verify all hardware and software before deploying it, and make sure that there are no active CVEs for those systems. You can check that here: https://cve.mitre.org/cve/
- Frequently update IP perimeter devices (like firewalls) to block the latest known malicious networks
- Use DNS-based protection to identify and block communications to known C2/malware/exfiltration hosts, as well as to recently activated domains
What has ThreatSTOP done for you lately?
ThreatSTOP has been propagating the C2 infrastructure, including the domain information described above, to our subscribers, as well as our public benefit partner, the Global Cyber Alliance Quad9 service, since December 13th.
Customers who take advantage of our Newly Observed Domains Powered by Farsight Premium Targets gained an even higher level of protection from their ThreatSTOP service, and would have been interdicting the domains before they had been positively identified as malicious.
Our reporting will call out attempted connections to this infrastructure, indicating the malware's presence. Any ThreatSTOP subscriber can contact our security and support team for assistance in reviewing reports and tuning policies to mitigate this, and other, threats.
As we learn more about the attack and other campaigns, we will be adding the domains, hostnames, and network addresses to our customer security policies. ThreatSTOP will keep you posted.