A summary and recommendations for mitigation of the recent
SolarWinds Global Cyber Security Incident.
Executive Summary:
While investigating a recent attack on itself, security provider FireEye Inc. discovered a backdoor in a product supplied to it by Texas-based SolarWinds Inc. Once it was discovered, FireEye reported the backdoor to SolarWinds and to law enforcement.
The attackers are believed to be an elite Russian unit, and the attack's impact and sophistication are unprecedented. The estimated number of breached organizations as of today is 18,000.
Details:
1. Based on SolarWinds' publication, the software that was abused is “Orion” versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1.
2. FireEye has published IoCs here (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) (also see “Indicators of compromise” below).
3. Microsoft has published IoCs here (https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) (also see “Indicators of compromise” below).
4. CISA, the DHS Cybersecurity and Infrastructure Security Agency, has directed all federal bodies to disconnect this product from the internet or shut it down.
Mitigation Recommendations (if you are using SolarWinds Orion):
1. Implement firewall rules to disconnect the product from the internet completely (inbound and outbound).
2. Using EDR/SIEM, search for compromised servers using the IoCs listed under “Indicators of compromise” below.
3. Apply the latest hotfix from SolarWinds (https://www.solarwinds.com/securityadvisory).
Indicators of compromise:
file_path_name,C:\windows\syswow64\netsetupsvc.dll,TEARDROP memory module used to drop Cobalt Strike Beacon
domain,avsvmcloud.com,malware/callhome
domain,freescanonline.com,malware/repository
domain,deftsecurity.com,malware/repository
domain,thedoccloud.com,malware/repository
domain,websitetheme.com,malware/repository
domain,highdatabase.com,malware/repository
domain,incomeupdate.com,malware/repository
domain,databasegalore.com,malware/repository
domain,panhardware.com,malware/repository
domain,zupertech.com,malware/repository
ip,98.225.248.37,C2 from Sophos MTR
ip,13.59.205.66,C2 malware/repository
ip,54.193.127.66,C2 malware/repository
ip,54.215.192.52,C2 malware/repository
ip,34.203.203.23,C2 malware/callhome
ip,139.99.115.204,C2 malware/callhome
ip,5.252.177.25,C2 malware/callhome
ip,5.252.177.21,C2 malware/callhome
ip,204.188.205.176,C2 malware/callhome
ip,51.89.125.18,C2 malware/callhome
ip,167.114.213.199,C2 malware/callhome
sha256,d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600,Troj/SunBurst-A.CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
sha256,53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7,Mal/Generic-S.Solarwinds Worldwide LLC
sha256,019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134,Troj/Agent-BGGA.SolarWinds.Orion.Core.BusinessLayer.dll
sha256,ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6,Troj/Agent-BGGB.SolarWinds.Orion.Core.BusinessLayer.dll
sha256,32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77,Troj/Agent-BGFZ.SolarWinds.Orion.Core.BusinessLayer.dll
sha256,292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712,Mal/Generic-S.OrionImprovementBusinessLayer.2.cs
sha256,c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71,Troj/Agent-BGGC+Mal/Generic-S.app_web_logoimagehandler.ashx.b6031896.dll
sha256,019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134,Mal/Sunburst-A
sha256,ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6,Mal/Sunburst-A
sha256,32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77,Mal/Sunburst-A
For the full list please see https://github.com/fireeye/sunburst_countermeasures
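The second mitigation step above (searching EDR/SIEM data for the listed IoCs) is the one most readers will have to script themselves. The following is an added example, not code from Rescana or FireEye: it parses a subset of the advisory's own "type,value,description" IoC lines and runs them over constructed DNS, connection and file records of the kind an EDR or SIEM would export. Design choices that are assumptions rather than anything the advisory states: a listed domain is matched as a suffix so that any subdomain of it also triggers, hashes and Windows paths are compared case-insensitively, and the record layout is invented for the example.

```python
"""Added example (not part of the Rescana advisory): match the advisory's
CSV-style IoC lines against constructed EDR/SIEM-style records."""
import csv
import hashlib
import io
from collections import defaultdict

# A subset of the IoC lines copied verbatim from the advisory, in its own
# "type,value,description" form. Load the full FireEye list the same way.
IOC_CSV = """\
file_path_name,C:\\windows\\syswow64\\netsetupsvc.dll,TEARDROP memory module used to drop Cobalt Strike Beacon
domain,avsvmcloud.com,malware/callhome
domain,freescanonline.com,malware/repository
ip,13.59.205.66,C2 malware/repository
ip,34.203.203.23,C2 malware/callhome
sha256,019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134,Troj/Agent-BGGA.SolarWinds.Orion.Core.BusinessLayer.dll
"""


def load_iocs(text):
    """Parse 'type,value,description' lines into {type: {value: description}}.

    Values are lower-cased so domains, hex digests and Windows paths compare
    case-insensitively (an assumption of this example, not of the advisory).
    """
    iocs = defaultdict(dict)
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # skip blank or malformed lines
        kind, value = row[0].strip(), row[1].strip().lower()
        iocs[kind][value] = ",".join(row[2:]).strip()
    return iocs


def sha256_file(path, chunk=1 << 20):
    """Digest a file on disk (e.g. the installed Orion BusinessLayer DLL) for a hash check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_records(records, iocs):
    """Return (record id, ioc type, ioc value, description) for every IoC hit."""
    hits = []
    for rec in records:
        rid = rec["id"]
        if rec["kind"] == "dns":
            # Suffix match: a query for a subdomain of a listed domain is a hit too.
            q = rec["query"].lower().rstrip(".")
            for dom, desc in iocs["domain"].items():
                if q == dom or q.endswith("." + dom):
                    hits.append((rid, "domain", dom, desc))
        elif rec["kind"] == "conn":
            for ip in (rec["src"], rec["dst"]):
                if ip in iocs["ip"]:
                    hits.append((rid, "ip", ip, iocs["ip"][ip]))
        elif rec["kind"] == "file":
            path = rec["path"].lower()
            if path in iocs["file_path_name"]:
                hits.append((rid, "file_path_name", path, iocs["file_path_name"][path]))
            digest = rec.get("sha256", "").lower()
            if digest in iocs["sha256"]:
                hits.append((rid, "sha256", digest, iocs["sha256"][digest]))
    return hits


# Constructed sample records; hostnames, internal IPs and the Orion install
# path are made up for the example, the matching values come from the advisory.
SAMPLE_RECORDS = [
    {"id": 1, "kind": "dns", "query": "abc123.avsvmcloud.com."},           # subdomain of listed C2 domain
    {"id": 2, "kind": "dns", "query": "updates.example.com"},               # benign
    {"id": 3, "kind": "conn", "src": "10.0.0.5", "dst": "34.203.203.23"},   # listed callhome IP
    {"id": 4, "kind": "conn", "src": "10.0.0.5", "dst": "10.0.0.9"},        # internal, benign
    {"id": 5, "kind": "file", "path": "C:\\Windows\\SysWOW64\\netsetupsvc.dll", "sha256": ""},
    {"id": 6, "kind": "file", "path": "C:\\orion\\SolarWinds.Orion.Core.BusinessLayer.dll",
     "sha256": "019085A76BA7126FFF22770D71BD901C325FC68AC55AA743327984E89F4B0134"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, load_iocs(IOC_CSV)):
        print("record %d: %s %s (%s)" % hit)
```

Run against the sample records this reports four hits (records 1, 3, 5 and 6); records 2 and 4 are clean. To use it on real data, replace `IOC_CSV` with the full FireEye countermeasures list and feed it your DNS, firewall and EDR file inventory exports, using `sha256_file` where the export carries paths but no digests.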
Sources:
1. https://www.solarwinds.com/securityadvisory
2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
3. https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
4. https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trustcenter/resources/secure-configuration-in-the-orion-platform.ashx?rev=32603e0c87d84085b081f99a33fe5f4d&hash=62A998B9753957D82BC0F07005D38368
5. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
6. https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
7. https://github.com/fireeye/sunburst_countermeasures
Rescana specializes in cyber security risk management and is here to help you learn about your organization's and its third parties' cyber security risks. Rescana gives its customers unparalleled visibility, and all the automation needed to quickly find misconfigurations and vulnerabilities and then root them out. We provide the first adaptive cyber risk management platform on the market, which allows you to customize the assessment to be based on your own policy.