SolarWinds Hack Explained | Lucideus


On December 13, 2020, FireEye reported that the SolarWinds Orion IT monitoring suite had been attacked using trojanized updates. This was a highly skilled, manually operated supply chain attack on SolarWinds that let the attackers compromise the networks of public and private organisations downstream. SolarWinds, which counts many large companies and government agencies among its customers, believes that up to 18,000 customers downloaded the trojanized update. The trojanized builds were distributed between March and June 2020.

Among other things, the access the malware provided was used to monitor internal email at affected government departments. The attackers did not need to break in: they simply waited until their targets downloaded and ran the tampered software update.

The update package contains the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component, which is the file that was tampered with in the SolarWinds supply chain attack.

How The Attack Works: Solorigate/ SUNBURST Malware
SolarWinds.Orion.Core.BusinessLayer.dll is a plugin component of the Orion software framework that carries a valid SolarWinds code signature (the point where trust in the supply chain broke down) and contains a backdoor that communicates over HTTP with third-party servers.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, reboot the machine, and disable system services.

The backdoor’s behaviour and network protocol blend in with legitimate SolarWinds activity by masquerading as the Orion Improvement Program (OIP) protocol. While it sits idle waiting for its timer to expire, it checks running processes, services and drivers against several blocklists of forensic and anti-virus tools, and changes its behaviour when it finds them.

Once the malicious code runs and the dormant period has elapsed, the DLL resolves a generated subdomain of avsvmcloud[.]com. The leftmost label is produced by a domain generation algorithm and encodes the victim's internal domain name, which let the operators choose which victims to pursue: only selected victims are handed a second-stage command-and-control address, through which additional payloads are delivered, lateral movement proceeds and data is exfiltrated. Because most infected hosts never received a second stage, the follow-on payloads were rarely available for security researchers to collect and analyse.
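The first-stage lookup is the most widely available signal of a SUNBURST infection, because every trojanized Orion instance that passed its checks made it. The following triage script is an added example, not code from the Lucideus article, SolarWinds or FireEye: it parses resolver log lines in an assumed "key=value" format (the format, the client addresses and the DGA label "k3f9z0q2w8b1v7m4x6pa" are constructed for this example), flags every query for avsvmcloud[.]com or a subdomain of it on a label boundary rather than by substring, and extracts the victim-specific label when the query uses one of the regional "appsync-api" C2 suffixes that FireEye documented.

```python
# Added example (not from the Lucideus article or any SolarWinds/FireEye code):
# triage resolver logs for SUNBURST first-stage C2 lookups.
import re
from typing import Dict, List

# Apex domain the backdoor's generated subdomains sit under.
SUNBURST_C2_APEX = "avsvmcloud.com"
# Regional C2 suffixes documented by FireEye; the victim-specific DGA label
# is prepended to one of these.
SUNBURST_C2_SUFFIXES = (
    "appsync-api.eu-west-1.avsvmcloud.com",
    "appsync-api.us-west-2.avsvmcloud.com",
    "appsync-api.us-east-1.avsvmcloud.com",
    "appsync-api.us-east-2.avsvmcloud.com",
)

# Constructed resolver log lines in an assumed "key=value" format. The DGA
# label "k3f9z0q2w8b1v7m4x6pa" and all client addresses are made up.
SAMPLE_DNS_LOG = """\
2020-06-15T09:12:44Z client=10.20.30.40 qname=www.solarwinds.com. qtype=A
2020-06-15T09:13:01Z client=10.20.30.40 qname=k3f9z0q2w8b1v7m4x6pa.appsync-api.us-west-2.avsvmcloud.com. qtype=A
2020-06-15T09:13:05Z client=10.20.30.41 qname=avsvmcloud.com.lookalike.test. qtype=A
2020-06-15T09:14:22Z client=10.20.30.42 qname=update.microsoft.com. qtype=A
2020-06-15T09:15:10Z client=10.20.30.43 qname=AVSVMCLOUD.COM. qtype=A
this line is not in the expected format
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so suffix checks are exact."""
    return qname.rstrip(".").lower()


def is_sunburst_c2_lookup(qname: str) -> bool:
    """True for the apex or any subdomain of it. This is a label-boundary
    check, not a substring search, so 'avsvmcloud.com.lookalike.test' is
    not flagged."""
    name = normalize(qname)
    return name == SUNBURST_C2_APEX or name.endswith("." + SUNBURST_C2_APEX)


def dga_label(qname: str) -> str:
    """Return the victim-specific leftmost part when the query uses one of
    the documented regional C2 suffixes; empty string otherwise."""
    name = normalize(qname)
    for suffix in SUNBURST_C2_SUFFIXES:
        if name.endswith("." + suffix):
            return name[: -len(suffix) - 1]
    return ""


def triage_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Return one record per flagged query, in log order."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        if not is_sunburst_c2_lookup(m["qname"]):
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": normalize(m["qname"]),
            # Empty means the apex itself or a subdomain outside the known pattern.
            "dga_label": dga_label(m["qname"]),
        })
    return hits


if __name__ == "__main__":
    for hit in triage_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

A bare lookup of the apex (the last flagged line) is worth a look but is not by itself proof of SUNBURST; the DGA label on a regional suffix is the stronger indicator, and the querying client is the host to pull the Orion DLL from.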

With this foothold the attackers can steal credentials and escalate privileges. Once they hold highly privileged accounts, they can carry out their actions on objectives in any number of ways.

Microsoft, FireEye and GoDaddy took control of avsvmcloud[.]com, the domain the attackers used to communicate with compromised systems, and reconfigured it as a killswitch: the backdoor's generated subdomains now resolve to an address range that SUNBURST itself treats as a signal to stop, so an infected host terminates the backdoor instead of proceeding to a second stage. The killswitch does not remove any other tooling the attackers may already have deployed on a victim network.


Detection and Mitigation:
On hosts the attackers moved to after the initial compromise, FireEye observed a temporary file replacement technique for remote execution: a legitimate utility on the target system was overwritten with the attackers' tool, executed, and then restored from the legitimate copy, leaving little behind on disk.

If a trojanized copy of this DLL is found on your system, treat the host as compromised and immediately upgrade your SolarWinds deployment to the latest hotfix version.

Based on the indicators published by FireEye, the SHA-256 hashes of the trojanized DLL builds to look for are:
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  • eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
  • c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
  • ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
  • d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71


SolarWinds asked customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to remove the trojanized component from their environment. A further hotfix, 2020.2.1 HF 2, replaced the compromised component again and added several other security hardening changes.

The presence of C:\Windows\SysWOW64\netsetupsvc.dll should be treated as suspicious and reported. netsetupsvc.dll is the legitimate DLL of the Microsoft Network Setup Service, but the genuine file is loaded from System32; the attackers' payload reused the name under SysWOW64 to masquerade as legitimate software and evade detection.
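The hash list and the netsetupsvc.dll path check above are quickest to apply with a small sweep script. The following is an added example, not code from the Lucideus article, SolarWinds or FireEye. It hashes every file under the given roots (for a real sweep, the Orion installation directory), reports any match against the deduplicated SHA-256 list, reports the hash of every SolarWinds.Orion.Core.BusinessLayer.dll it finds even when it is not on the list so it can be compared against the hotfix build, and checks whether the TEARDROP loader path exists. `run_demo` builds a constructed directory tree with a dummy file standing in for the trojanized DLL and adds that file's hash to a copy of the IOC set so the match path is exercised offline; no real malware is involved.

```python
# Added example (not from the Lucideus article, SolarWinds or FireEye):
# sweep a directory tree for the SUNBURST / TEARDROP indicators listed above.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA-256 hashes of trojanized SolarWinds.Orion.Core.BusinessLayer.dll builds
# published by FireEye (the deduplicated list from this article).
SUNBURST_DLL_SHA256: Set[str] = {
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
}
ORION_DLL_NAME = "solarwinds.orion.core.businesslayer.dll"
# TEARDROP loader location reported by FireEye. The legitimate Network Setup
# Service DLL lives in System32, so a copy under SysWOW64 is out of place.
TEARDROP_PATHS = [Path(r"C:\Windows\SysWOW64\netsetupsvc.dll")]


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_sunburst(roots: Iterable[Path],
                      ioc_hashes: Set[str] = SUNBURST_DLL_SHA256,
                      teardrop_paths: Iterable[Path] = TEARDROP_PATHS) -> List[Dict[str, str]]:
    """Hash every regular file under each root and report: IOC hash matches,
    any BusinessLayer DLL whose hash is not on the list (so it can be checked
    against the hotfix build), unreadable files, and TEARDROP loader paths."""
    findings: List[Dict[str, str]] = []
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError as exc:  # locked or permission-denied files still get reported
                findings.append({"path": str(p), "indicator": "unreadable", "detail": str(exc)})
                continue
            if digest in ioc_hashes:
                findings.append({"path": str(p), "indicator": "sunburst_dll_hash", "detail": digest})
            elif p.name.lower() == ORION_DLL_NAME:
                findings.append({"path": str(p), "indicator": "orion_dll_not_on_ioc_list", "detail": digest})
    for tp in teardrop_paths:
        if Path(tp).is_file():
            findings.append({"path": str(tp), "indicator": "teardrop_loader_path",
                             "detail": "netsetupsvc.dll outside System32"})
    return findings


def run_demo() -> List[Dict[str, str]]:
    """Scan a constructed tree. The 'trojanized' DLL is a dummy file whose hash
    is added to a copy of the IOC set; nothing here is a real SUNBURST binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        orion = root / "Orion"
        (orion / "patched").mkdir(parents=True)
        planted = orion / "SolarWinds.Orion.Core.BusinessLayer.dll"
        planted.write_bytes(b"constructed stand-in for a trojanized BusinessLayer build")
        (orion / "patched" / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(
            b"constructed stand-in for the hotfix build")
        (orion / "SolarWinds.Orion.Core.dll").write_bytes(b"unrelated constructed file")
        fake_syswow64 = root / "SysWOW64"
        fake_syswow64.mkdir()
        fake_teardrop = fake_syswow64 / "netsetupsvc.dll"
        fake_teardrop.write_bytes(b"constructed stand-in for the TEARDROP loader")
        iocs = SUNBURST_DLL_SHA256 | {sha256_of_file(planted)}
        return scan_for_sunburst([orion], ioc_hashes=iocs, teardrop_paths=[fake_teardrop])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

A hash match is conclusive; a BusinessLayer DLL that is off the list is not cleared by that alone, since the list only covers the builds FireEye had seen, so compare its hash against the hotfix build you installed. A clean sweep of the Orion directory also says nothing about what a second stage may have left elsewhere on the host.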

Symantec has confirmed the deployment of a separate second-stage payload, TEARDROP, a memory-only dropper used to install a Cobalt Strike Beacon on selected targets of interest. Because the backdoor alone gives no assurance of what else was deployed, the recommendation is to rebuild all impacted SolarWinds servers rather than merely patching them, and then install Orion Platform version 2020.2.1 HF 2, which is now available.


Article Link: https://blog.lucideus.com/2020/12/solarwinds-hack-explained-lucideus.html