SUNBURST APT against SolarWinds, mapped to the Kill Chain
The details of the attack on FireEye have been revealed. CISA, part of the US Department of Homeland Security, issued Emergency Directive 21-01 because of a backdoor in SolarWinds Orion products. Multiple victims were compromised through the same backdoor. FireEye published evidence that the campaign may have started as early as March 2020, and SolarWinds itself estimated that up to 18,000 customer organizations worldwide may have installed the backdoored update.
The campaign, known as SUNBURST (FireEye's name) or Solorigate (Microsoft's name), is a targeted and sophisticated APT operation. It is a supply-chain attack: the attackers appear to have compromised SolarWinds' development and build environment and injected malicious code into a legitimate product, Orion, so that the vendor's own update mechanism delivered and installed the backdoor on customer systems. Microsoft published a visualization of the infection chain in its analysis of the compromised DLL: security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
In this post I map the attack phases to the kill chain and describe each stage in detail, and then show how Comodo's kernel API virtualization technology protects organizations from an active breach.
For the reconnaissance phase, it is not clear what information was gathered about SolarWinds before the attack, although there were public posts about SolarWinds FTP credentials having been leaked. What is clear is that the attackers needed a great deal of access to plant a backdoor of this kind: this is a supply-chain attack distributed through the vendor's own patch packages, which means the attackers most likely got into the development or build process itself to introduce the backdoor.
Group-IB and other sources claim that the access broker fxmsp was the first intruder into the SolarWinds network, based on posts on the Exploit forum in 2017 in which fxmsp offered access to SolarWinds machines for sale. Treat this as a claim rather than established attribution.
For the weaponization phase: as far as is known, no zero-day vulnerability was exploited. The delivery mechanism was the compromised SolarWinds Orion product itself, an infrastructure management and monitoring platform for IT administrators. The attackers inserted backdoor code into one of Orion's legitimate core DLLs, SolarWinds.Orion.Core.BusinessLayer.dll, and the trojanized build was digitally signed with SolarWinds' own code-signing certificate and shipped through the normal update channel, so signature checks on the victim side passed. At this point we don't know much about the weaponization steps. I have tried to list the facts and the possible scenarios.
For the delivery phase, the attack used the supply chain itself: the malicious code reached victims inside the SolarWinds Orion core DLL. Multiple trojanized updates were digitally signed between March and May 2020 and posted to the SolarWinds update site, for example: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp
After a victim's system applied the patch, the updated files, including the backdoored SolarWinds.Orion.Core.BusinessLayer.dll, were extracted into the SolarWinds Orion installation folder.
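Because the trojanized DLL carries a valid SolarWinds signature, a signature check alone cannot flag it; the file hash and the file's contents have to be checked instead. The PowerShell below is an added example, not code from the original post, from SolarWinds or from Comodo. It inventories every copy of SolarWinds.Orion.Core.BusinessLayer.dll under an Orion install, records its version, Authenticode status and SHA256, compares the hash against an analyst-supplied list (no hashes are hard-coded; take them from the vendor, FireEye or Microsoft advisories), and does a string scan for the OrionImprovementBusinessLayer class name that FireEye's public analysis identified as the backdoor. The default install path, the function name and the parameter names are assumptions.

```powershell
# Added example (not from the original post, SolarWinds or Comodo).
# Assumptions: Orion lives under the default path below (override with -OrionPath);
# -KnownBadHash is an analyst-supplied list of SHA256 values from the public
# advisories; none are hard-coded here.
function Test-OrionBusinessLayerDll {
    [CmdletBinding()]
    param(
        [string]$OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion',
        [string[]]$KnownBadHash = @()
    )

    # Normalise the IOC list once so the comparison is case-insensitive.
    $badHashes = @($KnownBadHash | ForEach-Object { $_.Trim().ToUpperInvariant() })

    Get-ChildItem -Path $OrionPath -Recurse -File `
        -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToUpperInvariant()

            # The backdoor class name sits as plain text in the assembly metadata,
            # so a string scan of the file is a cheap first-pass check.
            $hasBackdoorClass = [bool](Select-String -Path $_.FullName `
                -Pattern 'OrionImprovementBusinessLayer' -SimpleMatch -Quiet)

            [pscustomobject]@{
                Path            = $_.FullName
                FileVersion     = $_.VersionInfo.FileVersion
                SignatureStatus = $sig.Status               # Valid for the trojanized build too
                Signer          = $sig.SignerCertificate.Subject
                Sha256          = $hash
                KnownBad        = $badHashes -contains $hash
                BackdoorClass   = $hasBackdoorClass
            }
        }
}

# Usage: feed in the hashes from the advisory you trust, then act on KnownBad or
# BackdoorClass, never on SignatureStatus alone.
# Test-OrionBusinessLayerDll -KnownBadHash (Get-Content .\sunburst-sha256.txt) | Format-List
```

Run it on every Orion server and poller, since the DLL is present on each; a Valid signature next to KnownBad = True is exactly the situation this attack created, and the same hash-against-advisory comparison applies to any downloaded hotfix .msp before it is installed.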
For the exploitation and command-and-control phases, SolarWinds.Orion.Core.BusinessLayer.dll carries the main payload: backdoor code that calls back to C2 servers and reports the victim's domain, running processes, installed endpoint-protection products and so on. The attackers then decide whether the target is a suitable candidate before moving on to hands-on exploitation. The victim's domain name is encoded into the subdomain of the main C2 domain, avsvmcloud[.]com (this is not a random DGA but a deterministic encoding of the victim domain), which is why DNS query logs reveal who beaconed. Prevasio published a list of victims recovered by decoding those C2 subdomains: 2020/12/sunburst-backdoor-part-ii-dga-list-of.html
As the list shows, the targets span many different verticals, including government, hospitals and banks.
Decoded victim domain    Organization
hgvc.com                 Hilton Grand Vacations
Amerisaf                 AMERISAFE, Inc.
kcpl.com                 Kansas City Power and
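Since the beacon's first step is a DNS lookup under avsvmcloud.com, DNS query logs are where a defender finds early victims, long before any HTTP C2 traffic. The PowerShell below is an added example, not code from the original post or from Prevasio. It assumes a simple "timestamp client queried-name" log line format (constructed sample lines are embedded, with made-up encoded labels that are not real indicators) and uses the label.appsync-api.<region>.avsvmcloud.com hostname shape documented in FireEye's public SUNBURST report. It does not decode the victim label; it isolates which internal hosts beaconed, when, and with which labels, which is the input the published decoders need.

```powershell
# Added example (not from the original post or from Prevasio). Assumed log
# format: "<ISO-8601 timestamp> <client IP> <queried name>", one query per line.
# Hostname shape (label.appsync-api.<region>.avsvmcloud.com) is from FireEye's
# public SUNBURST report.
function Find-SunburstBeacons {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$LogLine)

    begin {
        $rx = [regex]::new(
            '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<label>[a-z0-9]+)\.appsync-api\.(?<region>[a-z0-9-]+)\.avsvmcloud\.com\.?$',
            [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($line in $LogLine) {
            $m = $rx.Match($line.Trim())
            if (-not $m.Success) { continue }
            $hits.Add([pscustomobject]@{
                Time   = [datetime]::Parse($m.Groups['ts'].Value,
                             [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
                Client = $m.Groups['client'].Value
                Label  = $m.Groups['label'].Value.ToLowerInvariant()  # encoded victim identifier
                Region = $m.Groups['region'].Value.ToLowerInvariant()
            })
        }
    }
    end {
        # One row per internal host: when it started beaconing, when it stopped,
        # how many lookups it made, and which encoded labels it used.
        $hits | Group-Object Client | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                Client    = $_.Name
                Queries   = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
                Regions   = (@($_.Group.Region | Sort-Object -Unique) -join ',')
                Labels    = (@($_.Group.Label  | Sort-Object -Unique) -join ',')
            }
        }
    }
}

# Constructed sample lines; the encoded labels are made up and are not real indicators.
$sampleDnsLog = @'
2020-06-02T10:15:01Z 10.1.4.25 aaaa1111bbbb2222cccc.appsync-api.us-west-2.avsvmcloud.com
2020-06-02T10:15:03Z 10.1.4.25 www.microsoft.com
2020-06-03T02:40:17Z 10.1.4.25 aaaa1111bbbb2222dddd.appsync-api.us-west-2.avsvmcloud.com
2020-06-05T11:02:44Z 10.1.9.7  eeee3333ffff4444gggg.appsync-api.eu-west-1.avsvmcloud.com
2020-06-05T11:02:45Z 10.1.9.7  downloads.solarwinds.com
'@

($sampleDnsLog -split "`n") | Find-SunburstBeacons | Format-Table -AutoSize
```

On the constructed sample this yields two rows, 10.1.4.25 with two labels and 10.1.9.7 with one; in a real investigation the hosts in the output are the Orion servers and pollers to image first, and the FirstSeen column bounds how long the attacker had the opportunity to move to hands-on exploitation.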