SolarWinds SUNBURST backdoor assessment
Executive Summary
- FireEye discovered a global supply chain attack trojanizing the SolarWinds Orion Platform with a backdoor that FireEye named SUNBURST.
- Affected versions: SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 (with no hotfix installed), 2020.2 HF 1.
- Fixed version: SolarWinds Orion Platform version 2020.2.1 HF 2.
- While the trojanized SolarWinds Orion Platform versions have been distributed widely to public and private organizations around the world, current information indicates that the SUNBURST backdoor was used for espionage by a nation state and only used to infiltrate a select set of victims. Other victims that installed the trojanized SolarWinds Orion Platform versions are collateral damage.
- To figure out if you are affected (beyond checking installed SolarWinds Orion Platform versions), check DNS logs for queries to avsvmcloud[.]com or digitalcollege[.]org (including subdomains!).
- Hornetsecurity is not affected. Hornetsecurity does not use SolarWinds products.
- Because this is an ongoing global incident check the linked resources for up-to-date IoCs and information.
Summary
On 2020-12-13 FireEye disclosed a backdoor in updates of the SolarWinds Orion Platform. Affected organizations should update to the fixed version immediately.
The backdoor is part of a global espionage operation and used to access government and high profile private company networks.
Hornetsecurity assessed its own situation and is not affected.
Background
The SolarWinds Orion Platform is the market leader for network monitoring platforms, with SolarWinds having over 275,000 customers in 190 countries and providing network monitoring for 400 of the Fortune 500, the US government and other high profile organizations.
On 2020-12-13 FireEye disclosed that SolarWinds Orion Platform updates released between 2020-03-01 and 2020-06-01 had been trojanized with what they named the SUNBURST backdoor [3]. Earlier, on 2020-12-08, FireEye had disclosed a breach of its own organization [2], for which it later identified the trojanized SolarWinds Orion Platform update as the intrusion vector.
FireEye attributes this intrusion to a yet unknown threat actor they are tracking as UNC2452. While many media outlets report this intrusion as attributed to APT29, we believe this to be premature: APT29 is a threat actor designation used by FireEye themselves, and FireEye has so far not attributed this intrusion to APT29.
On 2020-12-14 SolarWinds published a security advisory [1] regarding the matter.
Technical Analysis
The backdoor is located in SolarWinds.Orion.Core.BusinessLayer.dll of the SolarWinds Orion Platform software installation. After installation the backdoor waits a randomly selected period of 12 to 14 days before executing its malicious code. It then tries to establish C2 communication using a domain generation algorithm (DGA) that produces names of the form <ENCODED VICTIM HOSTNAME>.appsync-api.{eu,us}-{west,east}-{1,2}.avsvmcloud[.]com. The <ENCODED VICTIM HOSTNAME> subdomain label contains the victim's encoded hostname. It can be decoded using a tool provided by RedDrip7 [7].
Subdomain records corresponding to victim hostnames targeted by the intrusion received a CNAME DNS response redirecting them to one of the C2 domains. Victims not targeted did not receive a dedicated CNAME [6]. Even though this is a large scale supply chain attack, current information indicates that the purpose behind the intrusion is espionage conducted by a nation state. This means that while (according to SEC filings by SolarWinds [8]) around 18,000 victims installed the compromised updates, only a very small fraction was actually the target of this attack; the rest are collateral damage.
On targeted organizations, the backdoor is used as a beachhead into the organization's network: the threat actor deploys the TEARDROP memory-only dropper, which in turn loads BEACON (from the Cobalt Strike framework), to further infiltrate the network.
Conclusion and Countermeasures
Unlike the supply chain attack against the Ukrainian tax accounting package M.E.Doc, which resulted in the 2017 global NotPetya incident, this intrusion’s goal was espionage. Hence only networks of selected targets were intruded via the SUNBURST backdoor planted through the compromised SolarWinds Orion Platform software.
Organizations that have installed an affected SolarWinds Orion Platform version should treat all hosts monitored by the SolarWinds Orion Platform as compromised, identify all threat actor-controlled accounts and infrastructure within the organization and remove them, and only then rebuild the SolarWinds Orion Platform installation. Organizations with elevated protection requirements can follow the guidance in the DHS Emergency Directive 21-01 [4] (obviously without reporting to CISA, unless the organization is part of the US government).
A good starting point to identify threat actor activity is searching for the IoCs provided by FireEye [3][5] in DNS logs. In case DNS queries to one of the <ENCODED VICTIM HOSTNAME>.appsync-api.{eu,us}-{west,east}-{1,2}.avsvmcloud[.]com subdomains are found, you can use the SunBurst DGA Decoder provided by RedDrip7 [7] to figure out which hostname in your network ran the SUNBURST backdoor code. In case you find CNAME replies to these DNS queries, this means that in addition to running the backdoor code, the threat actors are or were interested in the host and elevated the connection to a full C2 connection. In the latter case, we recommend contacting a competent incident response provider immediately.
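The DNS log triage described above, as an added example that is not part of the original advisory nor of FireEye's or RedDrip7's tooling: it flags every query for a subdomain of the two IoC domains, extracts the <ENCODED VICTIM HOSTNAME> label from names that match the DGA pattern (to be fed into the RedDrip7 decoder, which is deliberately not reimplemented here), and separates clients that merely beaconed from clients whose query was answered with a CNAME, i.e. was elevated to a full C2 connection. The log format, the client IPs, the subdomain labels (which are not valid SUNBURST encodings) and the CNAME target are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, one record per line (not real telemetry):
#   <timestamp> <client_ip> <query_name> <answer_rr_type> <answer_rdata>
# The DGA labels are made-up lowercase strings, the CNAME target is a placeholder.
SAMPLE_LOG = """\
2020-12-14T08:01:02Z 10.0.5.17 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A 192.0.2.10
2020-12-14T08:01:03Z 10.0.5.17 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A 192.0.2.11
2020-12-14T08:02:10Z 10.0.9.4 gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com CNAME c2-placeholder.example
2020-12-14T08:03:11Z 10.0.1.1 www.example.com A 93.184.216.34
2020-12-14T08:03:40Z 10.0.3.8 update.digitalcollege.org A 192.0.2.20
2020-12-14T08:04:12Z 10.0.1.1 mail.example.org MX mail.example.org
"""

# The two IoC domains from the advisory; any subdomain (and the apex itself) is suspicious.
SUSPICIOUS_DOMAINS = ("avsvmcloud.com", "digitalcollege.org")

# Shape of the SUNBURST DGA names described in the technical analysis:
#   <ENCODED VICTIM HOSTNAME>.appsync-api.{eu,us}-{west,east}-{1,2}.avsvmcloud.com
DGA_RE = re.compile(
    r"^(?P<encoded>[a-z0-9]+)\.appsync-api\."
    r"(?P<region>(?:eu|us)-(?:west|east)-[12])\.avsvmcloud\.com$"
)


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    encoded_host: Optional[str]   # DGA label to hand to the RedDrip7 decoder, if the name matched
    cname_target: Optional[str]   # set when the answer was a CNAME: host was elevated to C2


def is_suspicious(qname: str) -> bool:
    """True for the IoC domains themselves and every subdomain of them."""
    return any(qname == d or qname.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed record; skip rather than crash on a truncated log
    ts, client, qname, rtype, answer = parts
    return ts, client, qname.lower().rstrip("."), rtype.upper(), answer


def triage(log_text: str):
    """Return one Finding per log record that touches an IoC domain."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rtype, answer = rec
        if not is_suspicious(qname):
            continue
        m = DGA_RE.match(qname)
        findings.append(Finding(
            timestamp=ts,
            client=client,
            qname=qname,
            encoded_host=m.group("encoded") if m else None,
            cname_target=answer if rtype == "CNAME" else None,
        ))
    return findings


def summarize(findings):
    """Per client: number of IoC queries, DGA labels seen, and CNAME targets (if elevated)."""
    by_client = {}
    for f in findings:
        entry = by_client.setdefault(
            f.client, {"queries": 0, "encoded": set(), "cname_targets": set()})
        entry["queries"] += 1
        if f.encoded_host:
            entry["encoded"].add(f.encoded_host)
        if f.cname_target:
            entry["cname_targets"].add(f.cname_target)
    return by_client


def elevated_clients(summary):
    """Clients whose DGA query got a CNAME answer: treat as active C2, escalate to IR."""
    return sorted(c for c, e in summary.items() if e["cname_targets"])


if __name__ == "__main__":
    summary = summarize(triage(SAMPLE_LOG))
    for client, entry in sorted(summary.items()):
        status = "ELEVATED TO C2" if entry["cname_targets"] else "beacon only"
        print(f"{client}: {entry['queries']} IoC queries, {status}, "
              f"DGA labels={sorted(entry['encoded'])}, cnames={sorted(entry['cname_targets'])}")
```

The split matters operationally: every client in the summary ran the backdoor code and should be contained, but only the clients returned by elevated_clients() are known to have been selected by the threat actor, and those are the ones to hand to an incident response provider first. The encoded labels are what the RedDrip7 decoder consumes to recover the internal hostname.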
We applaud our colleagues from FireEye for their thorough investigations.
References
- [1] https://www.solarwinds.com/securityadvisory
- [2] https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
- [3] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- [4] https://cyber.dhs.gov/ed/21-01/
- [5] https://github.com/fireeye/sunburst_countermeasures
- [6] https://twitter.com/craiu/status/1339265612510588932
- [7] https://github.com/RedDrip7/SunBurst_DGA_Decode
- [8] https://investors.solarwinds.com/financials/sec-filings/
Indicators of Compromise (IoCs)
For a full list of IoCs and detection signatures, please see the countermeasures published by FireEye: https://github.com/fireeye/sunburst_countermeasures
DNS
.avsvmcloud[.]com
.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com
.digitalcollege[.]org
Known indicators as of 2020-12-16 only! Please check the linked resources for up-to-date information.