Following the attack on FireEye, the details are revealed and the US Department of Homeland Security (DHS) has issued an Emergency Directive (ED) regarding a backdoor being exploited in SolarWinds Orion products. Several victims have been identified that has been infected using the same attack. Fireeye initiated first analysis upon the findings on their network and publish evidence that suggests this campaign has started around March 2020 and upto 18,000 organizations might be affected worldwide.

Now the campaign known as SUNBURST\Solorigate which is a sophisticated and targeted APT. Attack can be categorized as Supply Chain Attack where it is most possibly that attackers compromised Solarwinds development & build system to inject malicious code into their legitimate product called Orion. The injected code is responsible for delivery and installation of the attack vector. Microsoft published a visualization of the infection chain: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

I would like to map the attack stages to the kill chain, while describing each stage in detail and how Comodo’s patented Kernel API-Virtualization technique will protect the organizations from Active Breach.

Reconnaissance:

It is still unclear as to what kind of information has been gathered against Solarwinds before the actual attack, there are a couple of post regarding leaking FTP credentials belonging to Solarwinds however it is clear that planting such an attack into Solarwinds will require using significant number of attack vectors. Considering this APT is best named as Supply-Chain attack and distributed via patch packages, it’s a strong possibility that the attackers might have intruded into development process to introduce the backdoor.

Some sources like Group-IB claims that fxmsp is the initial intruder to Solarwinds network because of their posts on Exploit Forum in 2017. They have tried to sell access to the machines controlled by Solarwinds.

Weaponization:

To our knowledge, this attack was performed without weaponizing a zero-day vulnerability. The delivery method was compromised SolarWinds Orion product which is an infrastructure monitoring and management platform for IT administrators. The attackers infiltrated into Orion business software updates and distributed properly digitally signed backdoor code into one of its legitimate core DLL : SolarWinds.Orion.Core.BusinessLayer.dll file. What we know about “Weaponization steps” are limited at this stage. I have attempted to list what we know and some possible scenarios.

• The attackers signed their malicious version of the DLL with the SolarWinds private key, issued by Symantec.
• The update servers might be compromised but this also requires Solarwind’s  Private key for its Code Signing Certificate to be stolen as well.
• Attackers might compromise code-build environment, merge the malicious code into legitimate code branch and let build processes to sign the code and update servers delivers the code to victims.

Delivery:

Delivery method in this attack used Supply-Chain method, the malicious code has been distributed via SolarWinds Orion core DLL to various victims. Multiple malicious updates were digitally signed from March – May 2020 and posted to the SolarWinds updates website such as: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp.

Once victim’ systems applied the patch following files has been extracted appropriate Solarwinds folder.

• CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
• SolarWinds.Orion.Core.BusinessLayer.dll
• OrionImprovementBusinessLayer.2.cs
• app_web_logoimagehandler.ashx.b6031896.dll

SolarWinds.Orion.Core.BusinessLayer.dll has the main actor for the delivery, which is a backdoor code, that communicates back to C2 servers, reports the targeted domain, processes, endpoint protection systems etc. The attacker then chose if the target is a good candidate to initiate the exploitation or not. Here is a list prepared by Pervasio based on C2 DGA, where victim domain is embedded into subdomain of main C2 domain [.]avsvmcloud[.]com https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html

As can be seen the targets are from very different verticals, from government to hospitals and banks.

hgvc.com	Hilton Grand Vacations
Amerisaf	AMERISAFE, Inc.
kcpl.com	Kansas City Power and Light Company
SFBALLET	San Francisco Ballet
scif.com	State Compensation Insurance Fund
LOGOSTEC	Logostec Ventilação Industrial
ARYZTA.C	ARYZTA Food Solutions
bmrn.com	BioMarin Pharmaceutical Inc.
AHCCCS.S	Arizona Health Care Cost Containment System
nnge.org	Next Generation Global Education
cree.com	Cree, Inc (semiconductor products)
calsb.org	The State Bar of California
rbe.sk.ca	Regina Public Schools
cisco.com	Cisco Systems
pcsco.com	Professional Computer Systems
barrie.ca	City of Barrie
ripta.com	Rhode Island Public Transit Authority
uncity.dk	UN City (Building in Denmark)
bisco.int	Boambee Industrial Supplies (Bisco)
haifa.edu	University of Haifa
smsnet.pl	SMSNET, Poland
fcmat.org	Fiscal Crisis and Management Assistance Team
wiley.com	Wiley (publishing)
ciena.com	Ciena (networking systems)
belkin.com	Belkin
spsd.sk.ca	Saskatoon Public Schools
pqcorp.com	PQ Corporation
ftfcu.corp	First Tech Federal Credit Union
bop.com.pk	The Bank of Punjab
nvidia.com	NVidia
insead.org	INSEAD (non-profit, private university)
usd373.org	Newton Public Schools
agloan.ads	American AgCredit
pageaz.gov	City of Page
jarvis.lab	Erich Jarvis Lab
ch2news.tv	Channel 2 (Israeli TV channel)
bgeltd.com	Bradford / Hammacher Remote Support Software
dsh.ca.gov	California Department of State Hospitals
dotcomm.org	Douglas Omaha Technology Commission
sc.pima.gov	Arizona Superior Court in Pima County
itps.uk.net	Infection Prevention Society (IPS)
moncton.loc	City of Moncton
acmedctr.ad	Alameda Health System
csci-va.com	Computer Systems Center Incorporated
steptoe.com	Steptoe & Johnson LLP
keyano.local	Keyano College
uis.kent.edu	Kent State University
alm.brand.dk	Sydbank Group (Banking, Denmark)
ironform.com	Ironform (metal fabrication)
corp.ncr.com	NCR Corporation
ap.serco.com	Serco Asia Pacific
int.sap.corp	SAP
mmhs-fla.org	Cleveland Clinic Martin Health
nswhealth.net	NSW Health
mixonhill.com	Mixon Hill (intelligent transportation systems)
bcofsa.com.ar	Banco de Formosa
ci.dublin.ca.	Dublin, City in California
siskiyous.edu	College of the Siskiyous
weioffice.com	Walton Family Foundation
ecobank.group	Ecobank Group (Africa)
corp.sana.com	Sana Biotechnology
med.ds.osd.mi	US Gov Information System
wz.hasbro.com	Hasbro (Toy company)
its.iastate.ed	Iowa State University
amr.corp.intel	Intel
cds.capilanou.	Capilano University
e-idsolutions.	IDSolutions (video conferencing)
helixwater.org	Helix Water District
detmir-group.r	Detsky Mir (Russian children’s retailer)
int.lukoil-int	LUKOIL (Oil and gas company, Russia)
ad.azarthritis	Arizona Arthritis and Rheumatology Associates
net.vestfor.dk	Vestforbrænding
allegronet.co.	Allegronet (Cloud based services, Israel)
us.deloitte.co	Deloitte
central.pima.g	Pima County Government
city.kingston.	Kingston City, Australia
staff.technion	Technion – Israel Institute of Technology
airquality.org	Sacramento Metropolitan Air Quality Management District
phabahamas.org	Public Hospitals Authority, Caribbean
parametrix.com	Parametrix (Engineering)
ad.checkpoint.	Check Point
corp.riotinto.	Rio Tinto (Mining company, Australia)
intra.rakuten.	Rakuten
us.rwbaird.com	Robert W. Baird & Co. (Financial services)
ville.terrebonn	Ville de Terrebonne
woodruff-sawyer	Woodruff-Sawyer & Co., Inc.
fisherbartoninc	Fisher Barton Group
banccentral.com	BancCentral Financial Services Corp.
taylorfarms.com	Taylor Fresh Foods
neophotonics.co	NeoPhotonics (optoelectronic devices)
gloucesterva.ne	Gloucester County
magnoliaisd.loc	Magnolia Independent School District
zippertubing.co	Zippertubing (Manufacturing)
milledgeville.l	Milledgeville (City in Georgia)
digitalreachinc	Digital Reach, Inc.
deniz.denizbank	DenizBank
thoughtspot.int	ThoughtSpot (Business intelligence)
lufkintexas.net	Lufkin (City in Texas)
digitalsense.co	Digital Sense (Cloud Services)
wrbaustralia.ad	W. R. Berkley Insurance Australia
christieclinic.	Christie Clinic Telehealth
signaturebank.l	Signature Bank
dufferincounty.	Dufferin County
mountsinai.hosp	Mount Sinai Hospital
securview.local	Securview Victory (Video Interface technology)
weber-kunststof	Weber Kunststoftechniek
parentpay.local	ParentPay (Cashless Payments)
europapier.inte	Europapier International AG
molsoncoors.com	Molson Coors Beverage Company
fujitsugeneral.	Fujitsu General
cityofsacramento	City of Sacramento
ninewellshospita	Ninewells Hospital
fortsmithlibrary	Fort Smith Public Library
dokkenengineerin	Dokken Engineering
vantagedatacente	Vantage Data Centers
friendshipstateb	Friendship State Bank
clinicasierravis	Clinica Sierra Vista
ftsillapachecasi	Apache Casino Hotel
voceracommunicat	Vocera (clinical communications)
mutualofomahaban	Mutual of Omaha Bank

Exploitation:

I have analyzed the sample source code, reversed and published under this repository: https://github.com/Shadow0ps/solorigate_sample_source, exploitation code is injected into a dynamic link library named SolarWinds.Orion.Core.BusinessLayer.dll. This DLL was created by modifying the code of a legitimate component of SolarWinds Orion, and is activated by code as plugin into another Orion component, InventoryManager. This code piece below start a thread to execute the malicious injection.

This code creates a new thread which runs the Sunburst backdoor code, the entry point being the Initialize() function.

Attackers also added evasion techniques for detection. In order to evade targets’ defenses, the Sunburst DLL checks for a hard-coded list of processes, services and drivers. They have  embedded pre-calculated hashes of service names to evade. assemblyTimeStamps array hold all those hashes to evade. 

SearchServices() compares running services against a short list of hardcoded services, again using pre calculated hashes for the corresponding process filenames and Registry service subkeys.

The UpdateNotification() function also resolves the api.solarwinds.com hostname. If an internal IP address is returned, execution is terminated. Attackers want to avoid running inside Solarwinds network. In either case, if a process is detected by the malware, Sunburst execution stops until next time the malicious DLL is loaded. Next run will be next update cycle of Orion software

Installation

When all the process, service and driver checks pass, either eliminating execution or non  Sunburst will proceed to the main execution loop. Where the backdoor waits 12-14 days before sending first request to the C2 server. the exact threshold is selected randomly from an interval. It checks the time continuously as background task. Then it checks for if endpoint is joined to the domain, it waits till it detects a domain to be joined. A userID is generated by computing the MD5 of a network interface MAC address, the domain name, and the registry value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid.

The backdoor uses a custom domain generation algorithm (DGA) to determine its Command and Control (C2) IP address. When communicating with the C2 server, the backdoor mimics legitimate SolarWinds OIP (Orion Improvement Program) communication.

Sunburst update() Method construct and resolve a subdomain of avsvmcloud[.]com then generate random subdomains. Subdomains are generated by userId an reversible encoding of the  local domain name, as given above most of the victim domains has been identified. Below patterns as used and concanated with the subdomains

• subdomain[.]appsync-api.us-west-1[.]avsvmcloud[.]com
• subdomain[.]appsync-api.us-east-1[.]avsvmcloud[.]com
• subdomain[.]appsync-api.eu-west-1[.]avsvmcloud[.]com
• subdomain[.]appsync-api.eu-east-1[.]avsvmcloud[.]com

C2

Once a domain has been resolved by a generated CNAME, DLL will start a new thread calling HttpHelper.Initialize to manage the C2 communication, HTTPHelper uses HTTP-GET or POST requests to communicate with C2 and getting commands. HTTP header is be set to “application/octet-stream” otherwise to “application/json” so that a JSON payload is shared between command server.

ExecuteEngine() function does main execution of commands sent by the server here are list of available commands

Exit	Terminate.
SetTime	Sets the delay time between main event loop
CollectSystemDescription	get local system information such as hostname, username, OS version, MAC addresses, IP address, etc.
UploadSystemDescription	Send system description via HTTP request
RunTask	Execute new process by given parameters
GetProcessByDescription	Get all or filter running process descriptions
KillTask	Terminate process given by PID
GetFileSystemEntries	Get list of files and directories
WriteFile	Open or append a file to write given content encoded Base64
FileExists	Check if file exists
DeleteFile	Delete file given as parameter
GetFileHash	Compute MD5 of a given file path
ReadRegistryValue	Read registry value
SetRegistryValue	Write to registry value
DeleteRegistryValue	Delete Registry value
GetRegistrySubKeyAndValueNames	Get the registry value
Reboot	Reboot the endpoint

Action on Objectives

The final step of APT is post intrusion activities like dropping payloads for privilege escalation, stealing data, lateral movement and persistence, upto now we have identified following payloads IoC : SHA1

• 1b476f58ca366b54f34d714ffce3fd73cc30db1a
• 2f1a5a7411d015d01aaee4535835400191645023
• 5e643654179e8b4cfe1d3c1906a90a4c8d611cea
• 75af292f34789a1c782ea36c7127bf6106f595e8
• 76640508b1e7759e548771a5359eaed353bf1eec
• d130bd75645c2433f88ac03e73395fba172ef676
• e1ebab8ed84dc10b95a1f68c812ecbf6d8f350f8
• ebe711516d0f5cd8126f4d53e375c90b7b95e8f2

All of them are either TEARDROP which is dropper and used in memory decoding Cobalt Strike Beacon  or Cobalt Strike Beacon  payload itself.  TEARDROP samples first reads a fake image file named “gracious_truth.jpg” and decode an embedded Cobalt Strike Beacon payload.

From here, any post-intrusion activities can begin including lateral movement, privilege escalation, accessing and stealing data, and establishing further persistence. Some of the lateral movement activities that is collected from the victims are reported by Microsoft and Volexity are given below: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

The attacker used PowerShell to create new tasks on remote machines:

$scheduler = New-Object -ComObject (“Schedule.Service”);$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(“\Microsoft\Windows\SoftwareProtectionPlatform”);$task = $folder.GetTask(“EventCacheManager”);$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = “PT0S”;$folder.RegisterTaskDefinition($task.Name,$definition,6,”System”,$null,5);echo “Done”

They also attempted this on a number of machines using schtasks.exe directly. For example:

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn “\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager” /tr “C:\Windows\SoftwareDistribution\EventCacheManager.exe” /sc ONSTART /ru system /S [machine_name]

How Kernel-API Virtualization can eliminate Active Breach for SunBurst

Comodo’s Kernel API Virtualization technique is a unique protection technique for any type of Active Breach even with Supply-Chain type of attack that we saw in SolarWinds case. As stated above due to the exploit being distributed from the vendor itself, there is nothing much to do up until installation stage. The malicious code inside the legitimate application Orion will be executed anyway, it will create backdoor and start C2 communication to the backend systems. As above listed the communication also mimic as legitimate Orion communication pattern. It is almost impossible to detect the communication at that stage.

However when we came to the active breach stage where the attacker need to persist the attack and do lateral movement. He needs to employ other sources of malware like droppers, beacons, sniffers. In Solarwinds case, they have used TearDrop and Cobalt Strike Beacon for such purposes. There Comodo’s Default Deny and Zero Trust methodology eliminate such malicious code to be executed. Kernel API Virtualization, is a key to prevent and block Active Breach at Action on Objectives, we have introduced 5 main virtualization components that filters any relevant Kernel calls or callbacks. File System, Registry, Kernel Object, Service and DCOM/RPC are main virtualization components that runs both user and kernel mode and handle necessary interrupts and implement all necessary filter drivers to fulfill the requests. So any malicious code will not have unfettered access to the real operating system, privilege escalation or persistence wont be possible.

By our containment policies we also do not allow any unknown files to create socket for any type of network communication. Any file that triggers Kernel Virtualization will not be able to create socket or network communication, based on policies chosen. We don’t have to worry about decoding the protocols, identification of non-standard port usage or protocol tunneling, we simply deny all communication if the file is contained in our virtualization, and it will be contained till a final verdict is given from our Valkyrie File Verdict System. If the file is safe, then we allow it to create sockets for network communications. This makes us unique in where creating a C&C channel is not possible with any kind of Attack and evasion techniques stated above and also we eliminate lateral movement techniques such as using SMB or WMI to communicate with other endpoints or domain servers.

Here in this video, I have used all dropped files from Sunburst campaign, most of them are related by TearDrop and Cobalt Strike Beacon, there you can see only 2 of them are put into virtualization where the rest has been blocked immediately. The IoC: SHA1:395da6d4f3c890295f7584132ea73d759bd9d094 has been blocked after initial analysis in Containment and our Valkyrie File Verdict system where the other runs in containment, Kernel API virtualization eliminates any threat coming from those fikes.