SolarWinds/Orion Compromise – Immediate Action Recommended:

In light of the SolarWinds compromise, Optiv recommends taking the following steps to help reduce exposure:

Per SolarWinds, known affected products are: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:

• SolarWinds asks customers with 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1 as soon as possible to reduce the exposure of your environment. This version is currently available at customerportal.solarwinds.com.
  • Guidance from SANS
• If vulnerable, and not business critical, remove it from the network, create an offline backup of the database, and shut it down as soon as possible.
• If business critical, follow all guidance for patching / upgrading / remediation. Consider implications of leaving this function on the network.
  • DHS advisory
  • SolarWinds advisory
  • Microsoft guidance
  • FireEye guidance
• Put countermeasures and compensating controls in place. FireEye has released countermeasures here.
• If you need help, please contact your Optiv representative.

SolarWinds announced today that its product was allegedly used to breach multiple high-profile organizations. One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach its network.

Attackers appear to have compromised SolarWinds early in 2020, adding a back door to a key SolarWinds library. This modified library was delivered to selected SolarWinds customers via the company’s normal update process. 

Attackers would then be able to enable/disable security tools, change configurations, load unauthorized patches or prevent patches from being applied, among other things.

At this point, a list of organizations selected during the attack is not public.

Currently, the following names are used to describe the attack:

• Microsoft labeled the attack "Solarigate" in Windows Defender.
• FireEye refers to the backdoor as SUNBURST. The campaign is tracked as UNC2452.

What you should consider doing at this point –

• Verify if you are running 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1 and if so, assert which networks are managed by it (likely all or most of your network)
• CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8] Immediately
• Quick check for the following indicators:
  • Is the filename SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
  • if so, the malicious version uses this Singer and SingerHash:
  • "Signer": "Solarwinds Worldwide LLC"
  • "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"
    • the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
• Check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs)
• Block all hashes and signers associated with the threat within the endpoint security suite and push an enterprise update to all endpoints and other security controls  – See indicator list below
• Block the solarwinds.com domain within your web gateway solution with a wildcard rule to ensure no continued access is possible
• Assume any and all associated credentials are compromised – 
  • Change the passwords of any accounts (including service accounts) affected agents were running under to new, unique passwords
  • Change any secrets or access keys accessible by the affected service accounts and potentially compromised infrastructure such as encryption keys, API keys, credentials or other information that could be used to access other systems
• Ensure any “gold images”, containers or system templates that contained the solarwinds agent or received the solarwinds agent through orchestrated build processes are updated and have the affected agent removed
• Ensure any security tools such as AV, EDR, patching, software distribution or application control tools have not been disabled on affected hosts.
• Review the following activity in the environment to identify any additional compromises:
• Review the activity associated with any accounts (including service accounts) used by the Solarwinds platform
• Review any login activity originating from the Solarwinds platform in the environment for malicious activity
• Review all command executions on the Solarwinds platform and any files updated/created or removed by the agents
• Review any users created between the period of compromise to the current date that cannot be accounted for
• Review all outbound activity associated with the affected infrastructure including web traffic, DNS and ICMP for suspicious activity. At a minimum look for activity associated with the *.solarwinds.com domain
• Review all downloads within your environment associated with the solarwinds.com domain within the last 12 months
• Review endpoint activity enterprise wide for any of the associated hashes, filenames, or other published indicators
• Block access to any endpoints for remote access in your environment to ensure updates are in place and the endpoints are protected before connecting to corporate networks
• Review activity associated with the updating, disabling or unauthorized modifications to the security settings
• Going forward validate the authenticity of any software before deployment in the environment:
  • Verify signatures to ensure they are valid and signed with the correct signing authority
  • Only download software from trusted sources
  • Validate the signatures and hashes associated with
  • Only download updates over HTTPS
  • Scan any downloaded updates or installers with up-to-date anti-virus software
• Deploy rules within your environment to elevate indicators and tactics associated with this threat to the highest level in the event indicators are identified.
  • Perform additional monitor any affected accounts for the near-term
  • Repeat the associated steps daily too ensure all threats are addressed.
  • Review new endpoints as they check into to endpoint management and security solutions to ensure the most current updates are verified

Indicators:

IOCs from Microsoft's report:

• several malicious DLLs where identified
  • Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
    
    Sha1: 76640508b1e7759e548771a5359eaed353bf1eec
    
    File Size: 1011032 bytes
    
    File Version: 2019.4.5200.9083
    
    Date first seen: March 2020
  • Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
    
    Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
    
    File Size: 1028072 bytes
    
    File Version: 2020.2.100.12219
    
    Date first seen: March 2020
  • Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
    
    Sha1: e257236206e99f5a5c62035c9c59c57206728b28
    
    File Size: 1026024 bytes
    
    File Version: 2020.2.100.11831
    
    Date first seen: March 2020
  • Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
    
    Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
    
    File Size: 1026024 bytes
    
    File Version: not available
    
    Date first seen: March 2020
  • Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
    
    Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
    
    File Size: 1029096 bytes
    
    File Version: 2020.4.100.478
    
    Date first seen: April 2020
  • Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
    
    Sha1: 2f1a5a7411d015d01aaee4535835400191645023
    
    File Size: 1028072 bytes
    
    File Version: 2020.2.5200.12394
    
    Date first seen: April 2020
  • Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
    
    Sha1: d130bd75645c2433f88ac03e73395fba172ef676
    
    File Size: 1028072 bytes
    
    File Version: 2020.2.5300.12432
    
    Date first seen: May 2020
• the malicious DLLs connect to infrastructure using the avsvmcloud.com domain.

[1] https://twitter.com/razhael/status/1338267165221396480/photo/1

[2] https://twitter.com/cyb3rco0kie/status/1338276872333889537?s=21

[3] https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818

[4] https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832

[5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132

[6] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[7] https://github.com/fireeye/sunburst_countermeasures

[8] https://cyber.dhs.gov/ed/21-01/