I’m sure you’ve seen the headlines regarding the SolarWinds hack. SolarWinds is a company that makes tools network guys use to run things, and they now find themselves at the center of a massive breach targeting federal agencies.
The SolarWinds product that was compromised was their Orion solution stack. This software is used by large enterprises to monitor and run EVERYTHING.
The background to this attack is fascinating, so here is a look into some of the nuts and bolts of what happened:
- An attacker was able to embed a malicious payload, dubbed SUNBURST, into a file that is part of SolarWinds' enterprise-level Orion network management suite. The payload was a trojan embedded in a September update package.
- The file was signed by SolarWinds, so network policies and antivirus tools allowed it.
- Once the payload launches, the beacon goes dormant for up to two weeks. It then retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
- The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate configuration files, allowing it to blend in with legitimate SolarWinds activity.
- The backdoor uses multiple obfuscated lists to identify forensic and anti-virus tools running as processes, services, and drivers and disable them.
- Multiple SUNBURST samples have been recovered, delivering different payloads.
- In at least one instance the attackers deployed a previously unseen memory-only dropper.
- TEARDROP is a memory-only dropper that runs as a service, spawns a thread, and reads from the file "gracious_truth.jpg", which likely has a fake JPG header. It then decodes an embedded payload using a custom rolling XOR algorithm and manually loads that payload into memory using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. Because all of this happens in memory and looks different in every instance, it easily bypasses antivirus.
- The actor sets the hostnames of their own machines to match a legitimate computer name found within the victim's environment.
- The attacker's choice of IP addresses was optimized to evade detection: they primarily used IP addresses originating from the same country as the victim.
- Once the attacker gained access to the network with compromised credentials, they moved laterally throughout the network using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access, which shows the care taken to avoid detection.
- The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate file with theirs, executed their payload, and then restored the legitimate original file.
- They similarly manipulated scheduled tasks on the host by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration.
- They expertly covered their tracks by routinely removing their tools, including removing backdoors once legitimate remote access was achieved.
- All activity was conducted with a high regard for operational security. In many cases a dedicated virtual infrastructure was spun up for each intrusion.
- Experts believe the skills needed to do all this point to a nation-state actor, given the level of operational security observed in this attack: a focus on evasion and on leveraging trusted tools and systems.
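The "borrowed computer name" and same-country IP points above mean that geolocation alone will not flag the actor's remote-access sessions; what does stand out is a known hostname showing up from a network where the asset inventory says it does not live, or from two different networks at almost the same time. The following is an added example written for this post, not code from the original post or from any vendor report. It runs two such hunts over a constructed set of logon records and a constructed asset inventory (all hostnames, users, addresses and networks are made up; the external addresses are RFC 5737 documentation ranges).

```python
"""Added example (constructed data): spotting hosts that borrow a legitimate
computer name, as described in the bullets above."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Logon(NamedTuple):
    ts: str          # ISO 8601 timestamp
    hostname: str    # computer name the connecting machine reports about itself
    source_ip: str   # address the session actually came from
    user: str


# Constructed asset inventory: the networks each hostname legitimately lives on.
INVENTORY = {
    "WS-FIN-042": [ipaddress.ip_network("10.20.0.0/16")],
    "WS-HR-017": [ipaddress.ip_network("10.30.0.0/16")],
}

# Constructed remote-access logon records.
LOGONS = [
    Logon("2020-09-20T09:02:11", "WS-FIN-042", "10.20.4.17", "alice"),
    # Same computer name, but from a network the inventory has never seen it on.
    Logon("2020-09-20T09:40:03", "WS-FIN-042", "198.51.100.23", "alice"),
    Logon("2020-09-20T10:15:45", "WS-HR-017", "10.30.9.2", "bob"),
    Logon("2020-09-21T22:05:00", "WS-HR-017", "10.30.9.2", "svc-backup"),
]


def inventory_mismatches(logons, inventory):
    """Logons whose claimed hostname is in the inventory but whose source IP is
    on none of the networks the inventory lists for that host."""
    hits = []
    for rec in logons:
        nets = inventory.get(rec.hostname)
        if nets is None:
            continue  # names absent from inventory are a separate, noisier hunt
        ip = ipaddress.ip_address(rec.source_ip)
        if not any(ip in net for net in nets):
            hits.append(rec)
    return hits


def name_collisions(logons, window=timedelta(hours=2)):
    """Pairs of logons in which one hostname appears from two different /24
    networks within `window`. This needs no inventory at all, and is how a
    borrowed name tends to show up while the real machine is also online."""
    ordered = sorted(logons, key=lambda r: r.ts)
    seen = defaultdict(list)  # hostname -> [(timestamp, /24 network, record)]
    hits = []
    for rec in ordered:
        ts = datetime.fromisoformat(rec.ts)
        net = ipaddress.ip_network(rec.source_ip + "/24", strict=False)
        for prev_ts, prev_net, prev_rec in seen[rec.hostname]:
            if prev_net != net and ts - prev_ts <= window:
                hits.append((prev_rec, rec))
        seen[rec.hostname].append((ts, net, rec))
    return hits


if __name__ == "__main__":
    for rec in inventory_mismatches(LOGONS, INVENTORY):
        print(f"inventory mismatch: {rec.hostname} from {rec.source_ip} at {rec.ts}")
    for first, second in name_collisions(LOGONS):
        print(f"name collision: {first.hostname} seen from {first.source_ip} "
              f"and {second.source_ip} within two hours")
```

The inventory check is the precise one but depends on the inventory being current; the collision check is coarser but catches the case where the impostor and the real machine overlap in time, which is exactly the situation the "same-country IP" choice is meant to hide from a geolocation rule.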
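The temporary file replacement and the scheduled task edit-and-restore described above are the same shape from a monitoring point of view: a watched object changes, is used, and goes back to a previously seen state within a short time. A plain "file changed" or "task updated" alert sees two routine changes; what a hunter wants is the round trip. The following is an added example written for this post, not code from the original post or from any vendor report; it generalizes both bullets into one change-and-revert detector over constructed integrity events (the paths, task names and hashes are made up, and the "state" is whatever your telemetry gives you, such as a file hash or a hash of the task definition that Windows Security event 4702 carries).

```python
"""Added example (constructed data): detecting change-then-revert on watched
files and scheduled tasks, the pattern described in the bullets above."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Alert(NamedTuple):
    kind: str             # "file" or "task"
    name: str             # path or task name
    transient_state: str  # the state the object briefly had
    changed_at: str       # when it left its original state
    restored_at: str      # when it went back


# Constructed telemetry: (timestamp, kind, name, state). For a file the state
# is its hash; for a task it is a hash of the task definition.
EVENTS = [
    # A legitimate utility is swapped for another binary and restored 3 minutes later.
    ("2020-09-14T02:10:05", "file", r"C:\Program Files\ExampleVendor\util.exe", "sha256:aaaa"),
    ("2020-09-14T02:10:09", "file", r"C:\Program Files\ExampleVendor\util.exe", "sha256:ffff"),
    ("2020-09-14T02:13:40", "file", r"C:\Program Files\ExampleVendor\util.exe", "sha256:aaaa"),
    # An existing task is repointed at a different command and then put back.
    ("2020-09-14T03:00:00", "task", r"\ExampleVendor\Nightly Cleanup", "sha256:1111"),
    ("2020-09-14T03:05:12", "task", r"\ExampleVendor\Nightly Cleanup", "sha256:2222"),
    ("2020-09-14T03:41:30", "task", r"\ExampleVendor\Nightly Cleanup", "sha256:1111"),
    # A routine patch: the file changes and stays changed (no alert).
    ("2020-09-15T10:00:00", "file", r"C:\Program Files\ExampleVendor\agent.exe", "sha256:3333"),
    ("2020-09-15T10:00:03", "file", r"C:\Program Files\ExampleVendor\agent.exe", "sha256:4444"),
    # An admin rolls a task back three days after changing it (outside the window).
    # Deliberately listed out of order to show that delivery order does not matter.
    ("2020-09-10T08:00:00", "task", r"\ExampleVendor\Backup", "sha256:5555"),
    ("2020-09-11T08:00:00", "task", r"\ExampleVendor\Backup", "sha256:6666"),
    ("2020-09-14T08:00:00", "task", r"\ExampleVendor\Backup", "sha256:5555"),
]


def find_change_and_revert(events, window=timedelta(hours=24)):
    """Return an Alert for every object that changed state and then returned to
    a state it had earlier, with the round trip completed within `window`.

    Only the most recent change is timed: A -> B -> C -> A alerts on C, measured
    from the moment C appeared."""
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort as text
    history = defaultdict(list)  # (kind, name) -> [(timestamp, state), ...]
    alerts = []
    for ts_text, kind, name, state in ordered:
        ts = datetime.fromisoformat(ts_text)
        hist = history[(kind, name)]
        if hist and hist[-1][1] != state:
            # The state changed. Is the new state one we have seen before?
            earlier_states = {s for _, s in hist[:-1]}
            if state in earlier_states:
                changed_at, transient = hist[-1]
                if ts - changed_at <= window:
                    alerts.append(Alert(kind, name, transient,
                                        changed_at.isoformat(), ts.isoformat()))
        if not hist or hist[-1][1] != state:
            hist.append((ts, state))  # record transitions only, not repeats
    return alerts


if __name__ == "__main__":
    for a in find_change_and_revert(EVENTS):
        print(f"{a.kind} {a.name!r} briefly became {a.transient_state} "
              f"between {a.changed_at} and {a.restored_at}")
```

Because the actor restores the original, the final state of the file or task looks clean; the only lasting evidence is the transition history, so this kind of check has to run over retained integrity or audit events rather than over the current state of the host.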
You can read more at: