SolarWinds and the SUNBURST backdoor: what's inside this APT campaign

Imagine that everyone with an Amazon Echo smart speaker at home (or Yandex Alice, Maroussia, substitute whichever applies) learned that for the past six months it had been unlocking their house and letting thieves in. How can you feel safe now, knowing that intruders could have copied your keys, documents, and storage media, or, for example, poisoned the water supply?



This is the situation today for thousands of organizations affected by the Sunburst malware attack on SolarWinds' software supply chain. Affected companies are desperately looking for signs of compromise, conducting an unscheduled infrastructure security audit, and some may even suspend a number of services pending an investigation.



On December 8, FireEye announced that it had been hacked and launched an investigation involving the US government and Microsoft.



On December 13, FireEye released a detailed report on the compromise, which describes how malicious code is distributed through SolarWinds' Orion software.



On December 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive asking all companies using SolarWinds software to update or even disconnect SolarWinds Orion from the network (Step 2 of that announcement). Since then, the Varonis Security Incident Investigation Service has seen a surge in forensic investigations related to the campaign and has identified several active attacks.



While much of the material to date has focused on remediation of compromised versions of the SolarWinds Orion solution, according to CISA there is evidence of additional intrusion vectors associated with this campaign.



Supply chain attacks are hard to defend against



In a supply chain attack, the attacker compromises a trusted vendor or trusted product instead of attacking the targets directly. In this case, the attackers injected a prepared backdoor into a trusted software product (SolarWinds Orion), which was then automatically delivered to thousands of clients disguised as a regular update.



The bad news doesn't end there: the attackers turned out to be sophisticated enough to go unnoticed for months. They had time to leave additional backdoors and gain access to a variety of systems and data. Organizations that received the malicious update are now forced to investigate absolutely everything, starting with the systems and accounts directly associated with SolarWinds and continuing further down the chain.



Primary detection



Whether you are a Varonis customer or not, the first step is to check for a vulnerable version of SolarWinds software. SolarWinds has identified vulnerable versions and, as of December 16, 2020, has released updates and fixes to replace the compromised components.



If your version is vulnerable, here are the steps you should take:



  1. avsvmcloud [.] com ,

    DNS avsvmcloud [.] com, , (C2) SolarWinds Sunburst.

    Varonis , , Varonis Edge .

  2. , SolarWinds

    Varonis , SolarWinds, . , Active Directory, SolarWinds , .



    Varonis SolarWinds – :





  3. , ( , SolarWinds)

    () , , (Azure Active Directory).

    , , Varonis DatAlert.



APT- ( )



This attack was carried out without exploiting a zero-day vulnerability (at least, none that is known at the moment). The prevailing theory, not yet confirmed by SolarWinds, is that the attackers used FTP server credentials publicly exposed on GitHub in 2018 to gain access to the company's software update infrastructure.







The attacker was able to modify the software update package and add a malicious backdoor to one of SolarWinds Orion's plug-in DLLs, SolarWinds.Orion.Core.BusinessLayer.dll.







The attackers signed their malicious DLL version with SolarWinds' private key. The certificate was issued by Symantec.



We assume the attacker was able to sign the DLL in one of two ways:



  1. The attacker broke into the development process, added the backdoor, and let SolarWinds sign it as part of its legitimate build and deployment process.
  2. The attacker stole the certificate's private key, signed the DLL themselves, and replaced the official DLL with the malicious version. This is less likely.







Any organization that uses SolarWinds software and receives updates from SolarWinds' servers has downloaded and run the malicious DLL. Because the DLL was signed and delivered through the official SolarWinds update servers, detecting the malicious content was extremely difficult.



Analysis of the SolarWinds SUNBURST backdoor (BusinessLayer.dll)



When we look inside the malicious DLL, we see that the attackers relied on stealth. They went to great lengths to write code that blends in with the rest of Orion's source code, using well-formed arguments and generic, unsuspicious class and method names such as "Initialize" or "Job".







The SolarWinds Sunburst backdoor operates in several stages:





  1. 12-14 (C2). .









  2. C2 ( , IP-, , ), , .




  3. (DGA) IP- (C2). C2 — SolarWinds OIP (Orion Improvement Program).





  4. , .









  5. , , (), TEARDROP, .





During the first communication session, the backdoor sends information about the device and its environment, encrypted in DNS packets.



Unusually, the IP address returned in the DNS response determines the backdoor's next step. Depending on the range that IP address falls into, the SUNBURST process either terminates or activates additional functionality, for example disabling antivirus or downloading and launching new malware.



Let's take a closer look at the beginning of the backdoor communication with C2.



  1. Once the DLL is loaded, SUNBURST performs a series of checks to ensure that it is running on the corporate network and not on an isolated machine.
  2. , « ». . .
  3. FQDN C2, . (domain1 domain2) + , (domain3):







    :



    Domain1 = 'avsvmcloud[.]com'

    Domain2 = 'appsync-api'

    Domain3 = ['eu-west-1', 'us-west-2', 'us-east-1', 'us-east-2']

    GetStatus :







  4. (. 2) (. 3) DNS . , DNS , .



    4 :



    «GetCurrentString» «GetPreviousString» GUID / .



    «GetNextString» «GetNextStringEx» GUID.



    DNS-, C2 , .



    , SUNBURST:







    Prevasio , DNS, .

  5. , IP- DNS- SUNBURST. «IPAddressHelper» IP-, IP-, DNS-:







    , IP- , SUNBURST , HTTP .

  6. IP- DNS- C2, CNAME. , :





  7. , SUNBURST DNS- , / , 120 .
  8. SUNBURST HTTP- C2 URL- , HTTP JSON.



    URI:



    hxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-[.]avsvmcloud[.]com/swip/upd/Orion[.]Wireless[.]xml



    , SUNBURST, / , . .:







    DLL



    , SolarWinds (EDR), . , «» .







    SolarWinds Sunburst , TEARDROP, «gracious_truth.jpg» Cobalt Strike Beacon, «» .



    — , , .



    FireEye CISA , (IOC), . , . , , , , — , , (« ») FireEye.



    « » . DLL SolarWinds Orion . , . , , . , , , , .



    CASA , :



    « , , , , . , , ».
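The following is an added example, not code from Varonis, FireEye or SolarWinds. It turns two indicators described on this page into detection logic a defender can run over their own logs: the first step of "Primary detection" (DNS queries for the C2 domain avsvmcloud[.]com) and the C2 walkthrough above (beacon hostnames built from Domain1/Domain2/Domain3, a CNAME answer handing the implant its HTTP C2 host, and the second-stage URI under /swip/upd/). The DNS and proxy log formats, the sample log lines, and the generalisation of the page's single URI example to any Orion.<Name>.xml path are assumptions; the second DGA-style label and the CNAME target are constructed.

```python
"""Detection helpers for the SUNBURST C2 patterns described on this page.

Added example, not vendor code. Scans constructed DNS and HTTP proxy log
lines for (1) beacon queries under avsvmcloud[.]com and (2) the
second-stage HTTP C2 URI shape. Log formats are assumptions.
"""
import re

# Hostname structure from the page: <dga-label>.appsync-api.<region>.avsvmcloud.com
DOMAIN1 = "avsvmcloud.com"
DOMAIN2 = "appsync-api"
DOMAIN3 = ["eu-west-1", "us-west-2", "us-east-1", "us-east-2"]

SUNBURST_FQDN_RE = re.compile(
    r"^(?P<label>[a-z0-9]{6,64})\." + re.escape(DOMAIN2) + r"\."
    + r"(?P<region>" + "|".join(map(re.escape, DOMAIN3)) + r")\."
    + re.escape(DOMAIN1) + r"\.?$",
    re.IGNORECASE,
)

# URI shape from the page's example (Orion.Wireless.xml); matching any
# Orion.<Name>.xml under /swip/upd/ is an assumption made here.
SUNBURST_URI_RE = re.compile(r"/swip/upd/Orion\.[A-Za-z]+\.xml$", re.IGNORECASE)

# Constructed DNS log (assumed format): "<ts> <client> <qname> <rrtype> <rdata>".
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real C2.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:08Z 10.20.30.40 3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com A 198.51.100.23
2020-12-14T03:13:09Z 10.20.30.41 www.example.com A 93.184.216.34
2020-12-14T03:14:11Z 10.20.30.40 k5kcubuassl3alrf7gm3.appsync-api.us-east-2.avsvmcloud.com CNAME stage2.example.net
2020-12-14T03:15:02Z 10.20.30.42 appsync-api.amazonaws.com A 203.0.113.9
"""

# Constructed HTTP proxy log (assumed format): "<ts> <client> <method> <url>".
SAMPLE_HTTP_LOG = """\
2020-12-14T03:16:40Z 10.20.30.40 GET https://stage2.example.net/swip/upd/Orion.Wireless.xml
2020-12-14T03:17:02Z 10.20.30.41 GET https://www.example.com/index.html
2020-12-14T03:18:15Z 10.20.30.40 PUT https://stage2.example.net/swip/upd/Orion.Network.xml
"""


def classify_dns_query(qname):
    """Return (label, region) if qname fits the SUNBURST beacon pattern, else None."""
    m = SUNBURST_FQDN_RE.match(qname.strip())
    return (m.group("label"), m.group("region")) if m else None


def scan_dns_log(text):
    """Flag beacon queries; a CNAME answer is recorded as the next-stage C2 host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname, rrtype, rdata = parts
        match = classify_dns_query(qname)
        if not match:
            continue
        hits.append({
            "ts": ts, "client": client, "qname": qname,
            "label": match[0], "region": match[1],
            "rrtype": rrtype.upper(), "rdata": rdata,
            "stage2_host": rdata if rrtype.upper() == "CNAME" else None,
        })
    return hits


def scan_http_log(text, suspect_hosts=()):
    """Flag requests whose path matches the C2 URI shape or whose host came from a beacon CNAME."""
    suspects = {h.lower() for h in suspect_hosts}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, method, url = parts
        m = re.match(r"https?://([^/]+)(/.*)?$", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        reasons = []
        if SUNBURST_URI_RE.search(path):
            reasons.append("c2-uri")
        if host.lower() in suspects:
            reasons.append("host-from-beacon-cname")
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "path": path, "reasons": reasons})
    return hits


def investigate(dns_text, http_text):
    """Pivot from DNS beacons to HTTP C2 traffic and list the clients involved."""
    dns_hits = scan_dns_log(dns_text)
    stage2 = {h["stage2_host"] for h in dns_hits if h["stage2_host"]}
    http_hits = scan_http_log(http_text, stage2)
    clients = sorted({h["client"] for h in dns_hits} | {h["client"] for h in http_hits})
    return {"dns": dns_hits, "http": http_hits,
            "stage2_hosts": sorted(stage2), "clients": clients}


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_DNS_LOG, SAMPLE_HTTP_LOG).items():
        print(key, value)
```

The DNS scan is the cheap first pass recommended under "Primary detection": every host that ever resolved a beacon name is a candidate for the account and Active Directory review in the following steps. The HTTP scan then pivots on the CNAME targets, since the page notes the DNS answer is what points the implant at its HTTP C2, so a proxy log search keyed only on the URI shape would miss traffic to a C2 host that changed paths.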


