Search
  • Rescana News Desk

SolarWinds Attack Report

Updated: Feb 26

A summary and recommendations for mitigation of the recent

SolarWinds Global Cyber Security Incident.


Executive Summary:


While investigating a recent attack on itself, security Provider FireEye Inc. discovered a backdoor in a solution provided to them by Texas based SolarWinds Inc. Once discovered FireEye proceeded to report the backdoor to SolarWinds and law enforcement.

The attackers are believed to of an Elite Russian Unit, and the attacks impact and sophistication is unprecedented. The estimated number of breach organizations as of today is 18,000.


Details:


1. Based on SolarWinds publication, the software which was abused was “Orion” versions 2019.4 HF 5, and 2020.2 with no hotfix, as well as with HF1.

2. FireEye has published IoC’s here (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) (also see “Indicators of compromise” below).

3. Microsoft has published IoC here (https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) (also see “indicators of compromise” below).

4. CISA, the DHS for Cyber Security has guided all Federal bodies to disconnect this product from the internet or shut it down.


Mitigation Recommendations (If you are using SolarWinds Orion):


1. Implement Firewall rules to disconnect the product from the internet completely (inbound and outbound).

2. Using EDR/SIEM, search for compromised servers using IOCs from “indicators of compromise” below.

3. Implement latest hotfix by SolarWinds (https://www.solarwinds.com/securityadvisory)




Indicators of compromise:


file_path_name,C:\windows\syswow64\netsetupsvc.dll,TEARDROP memory module used to drop Cobalt Strike Beacon

domain,avsvmcloud.com,malware/callhome

domain,freescanonline.com,malware/repository

domain,deftsecurity.com,malware/repository

domain,thedoccloud.com,malware/repository

domain,websitetheme.com,malware/repository

domain,highdatabase.com,malware/repository

domain,incomeupdate.com,malware/repository

domain,databasegalore.com,malware/repository

domain,panhardware.com,malware/repository

domain,zupertech.com,malware/repository

ip,98.225.248.37,C2 from Sophos MTR

ip,13.59.205.66,C2 malware/repository

ip,54.193.127.66,C2 malware/repository

ip,54.215.192.52,C2 malware/repository

ip,34.203.203.23,C2 malware/callhome

ip,139.99.115.204,C2 malware/callhome

ip,5.252.177.25,C2 malware/callhome

ip,5.252.177.21,C2 malware/callhome

ip,204.188.205.176,C2 malware/callhome

ip,51.89.125.18,C2 malware/callhome

ip,167.114.213.199,C2 malware/callhome

sha256,d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600,Troj/SunBurst-A.CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp

sha256,53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7,Mal/Generic-S.Solarwinds Worldwide LLC

sha256,019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134,Troj/Agent-BGGA.SolarWinds.Orion.Core.BusinessLayer.dll

sha256,ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6,Troj/Agent-BGGB.SolarWinds.Orion.Core.BusinessLayer.dll

sha256,32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77,Troj/Agent-BGFZ.SolarWinds.Orion.Core.BusinessLayer.dll

sha256,292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712,Mal/Generic-S.OrionImprovementBusinessLayer.2.cs

sha256,c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71,Troj/Agent-BGGC+Mal/Generic-S.app_web_logoimagehandler.ashx.b6031896.dll

sha256,019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134,Mal/Sunburst-A

sha256,ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6,Mal/Sunburst-A

sha256,32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77,Mal/Sunburst-A


For a full list please see - https://github.com/fireeye/sunburst_countermeasures






Sources:


1. https://www.solarwinds.com/securityadvisory

2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwindssupply-

chain-compromises-with-sunburst-backdoor.html

3. https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaignleverages-

software-supply-chain-compromise.html

4. https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trustcenter/

resources/secure-configuration-in-the-orionplatform.

ashx?rev=32603e0c87d84085b081f99a33fe5f4d&hash=62A998B9753957D82BC0F070

05D38368

5. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyberattacks/

6. https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwindssoftware

7. https://github.com/fireeye/sunburst_countermeasures

8. https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release




Rescana specializes in Cyber Security Risk Management and is here to help you learn about your organization and it's third parties cyber security risks. Rescana gives it's customers unparalleled visibility, and all the automation needed to quickly find misconfigurations and vulnerabilities and then root them out. We provide The first Adaptive cyber risk management platform on the market, which allows you to customize the assessment to be based on your own policy.


183 views