SUNBURST: A Vital Case Study of Supply Chain Attack
Satyam Dubey December 28, 2020 Threat Intelligence
SolarWinds is an American company that provides IT management and administration software that can be used by the Sysadmins and IT administrators in their organization. The reach of the SolarWinds Products is quite high and their products are used by many fortune-500 companies, spreading across the globe.
What is Supply Chain Attack:
Supply Chain Attack is a type of attack in which adversaries can modify the product provided by third-party associates in various ways to compromise multiple targets. The below image provides a visualization of the definition of the supply chain attack.
SoloriGate/Sunburst: SolarWinds Supply Chain Attack
SolarWinds supply chain attack first came into the radar of the information security communities when Fireeye was found affected by this supply chain attack. Fireeye was very open & transparent about getting breached in this supply chain attack. Fireeye has been tracking the threat actors behind this global intrusion campaign as UNC2452. There was not much damage done to the organization as only their Red Assessment Tools were leaked in the whole scenario. Fireeye Reported that the tools which were stolen by the attackers did not contain zero-day exploits. Many other big organizations like Microsoft, VMware as well as US Government agencies like the US Department of State, Department of Homeland Security, and many more were found breached by this supply chain attack.
Technical Analysis of the SoloriGate Attack:
SolarWinds was reportedly breached first and the reason was most likely the weak password they were using for one of their access/update servers. The threat actors involved in this global intrusion campaign targeted multiple victims using infected SolarWinds Orion IT management & monitoring software updates. Note that most of the analysis that has been demonstrated in this blog is based on Microsoft's and Fireeye’s Blog.
The infectious update was delivered as a Microsoft standard Windows Installer Patch file (SolarWinds-Core-v2019.4.5220-Hotfix5) which included the malicious DLL (Dynamic Link Library) named as SolarWinds.Orion.Core.BusinessLayer.dll which acts like a backdoor on the Attack Surface. The infected SolarWinds Orion IT management & monitoring software update and DLL was digitally signed and due to which it was highly evasive on the attack surface.
Figure: Digital Signature Details of Patch File
Figure: Digital Signature Details of SolarWinds.Orion.Core.BusinessLayer.dll
In order to know the internal working of the Sunburst/SolariGate Malware let’s decompile the malicious SolarWinds.Orion.Core.BusinessLayer.dll. The Malware samples related to the Sunburst attack can be found here.
In order to analyze the dll, open the file named under the directory APT_Backdoor_SUNBURST “32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77” (Which is basically named after the SHA256 hash of the SolarWinds.Orion.Core.BusinessLayer.dll) in the dnSpy. The infected code was found under the namespace “SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory” and more specifically in the “InventoryManager” class.
Image: Decompilation of Malicious DLL.(Identifying the BackgroundInventory Namespace)
Image: Decompilation of Malicious DLL (Going through the InventoryManager Class under the Namespace)
Now this class has a “RefershInternal()” method that creates a new thread which calls the Malicious OrionImprovementBusinessLayer class where all the backdoor magic happens.
Image: Analyzing the RefreshInternal Method
The image below sums up the flow of the infected SolarWinds.Orion.BusinessLayer.dll.
Image: Malicious DLL process flow diagram
To be more evasive on the attack surface the malware code in the DLL runs various checks to make sure that it is not being analyzed using some programs. That is why, hash of the processes, services and drivers on windows is calculated and checked with the blacklisted hashes of the same, and if none of the blacklisted hashes are found on the system then only backdoor code gets activated.
Adversaries in this case used DGA (Domain Generation Algorithms) to dynamically build and resolve the subdomain of avsvmcloud.com. The C2 domain consist of two static and two variable parts which is illustrated in the image below.
Image Source: Microsoft
After the malware has made a successful connection to the C2 server the SoloriGate malware performs the primitive lateral movement, credential abuse, and privilege escalation techniques for further infrastructure exploration.
The image below from Microsoft illustrates the whole process of SoloriGate Malware infection.
Image Source: Microsoft
According to Microsoft the threat actors are targeting to steal the SAML token signing certificates, using which attackers can easily forge the SAML tokens and access the resources.
Here is the elaborated descriptive blog post about the SolariGate identity IOC’s.
Defense against SUNBURST/SoloriGate:
- Fireeye Team uploaded a List of IOC’s and signatures which can be used by organizations for identifying the backdoor. The GitHub repository of Fireeye countermeasures can be found here.
- It is also recommended by SolarWinds to go through this advisory page and also upgrade their Orion platform to Orion Platform release 2020.2.1 HF 1.
- MITRE ATT&CK Techniques related to SolariGate/SUNBURST:
|T1027||Obfuscated Files or Information|
|T1071.004||Application Layer Protocol: DNS|
|T1083||File and Directory Discovery|
|T1105||Ingress Tool Transfer|
|T1195.002||Compromise Software Supply Chain|
|T1518.001||Security Software Discovery|
|T1568.002||Domain Generation Algorithms|
This SolarWinds Supply Chain Attack is surely raising the eyebrows of people in the IT industry and also outside the IT industry. Right from STUXNET to NotPetya we have seen many supply chain attacks that were found devastating. In 2017-18 NotPetya was found to have cost 10 Billion Dollars in damages. The evasive Behaviour of the attack made it so hard to be identified in the wild. Currently, SolarWinds Orion Platform is used by 300,000 customers and out of which 18,000 have downloaded the malicious update.
I hope this blog provided you with a better view of the SoloriGate and SUNBURST attack.