On December 8, 2020, FireEye disclosed the theft of their Red Team assessment tools. FireEye has confirmed that the attack leveraged trojanized updates to the SolarWinds Orion platform, which is used by organizations to monitor and manage IT infrastructure. Communications at U.S.Treasury and Commerce Departments were also compromised by a highly skilled manual supply chain attack on SolarWinds that allowed hackers to compromise the networks of public and private organizations.
On December 12, 2020, FireEye provided detailed information on this widespread attack campaign tracked as UNC2452. They discovered this supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware named SUNBURST. SolarWinds.Orion.Core.BusinessLayer.dll is a digitally-signed component of the Orion software by SolarWinds which contains a backdoor that communicates via HTTP to third-party servers.
Multiple trojanzied and malicious updates were digitally signed between March-May 2020 and were uploaded to SolarWinds updates website, including https://downloads.solarwinds.com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp
While updating the application, the embedded backdoor code loads and executes before the execution of legitimate code. Organizations tend to believe that no malicious activity has occurred and the program or application dependent on the libraries is behaving normally as expected. The attackers compromise the signed libraries that use the digital certificates of target companies, attempting to evade application and control technologies.
Once the update is installed, the malicious DLL gets loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe in the following path using a folder with different names:
- SolarWinds Orion installation folder %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
- The .NET Assembly cache folder %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
After a period of up to two weeks, the malware attempts to resolve a subdomain of avsvmcloud.com. The DNS response returns a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. It retrieves and executes commands, called Jobs, that has the ability to transfer and execute files, profile the system, and disable system services. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers and can prepare possible second-stage payload and move laterally in the organization, and compromise or exfiltrate data.
Microsoft detects this implant and its other components as Solorigate. Microsoft Defender antivirus provides detections for threat components under Trojan: MSIL/Solorigate.B!dha.
Below are some of the observed malicious instances of SolarWinds.Orion.Core.BusinessLayer.dll and their hashes listed by Microsoft.
|c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77||Not available||March 2020|
Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
- Application-Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SCM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
SolarWinds has released a security advisory mentioning hotfix for customers and asking them to upgrade to Orion Platform version 2020.2.1 HF 1 and products with Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6 as soon as possible. An additional hotfix release that replaces the compromised component and provides several additional security enhancements is expected to be made available Tuesday, December 15.
Qualys customers can scan their network with QID374560 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.