SolarWinds Backdoor Supply Chain Attack

On December 8, 2020, FireEye disclosed the theft of its Red Team assessment tools. FireEye has since confirmed that the attack leveraged trojanized updates to the SolarWinds Orion platform, which organizations use to monitor and manage IT infrastructure. Communications at the U.S. Treasury and Commerce Departments were also compromised by this highly skilled, manual supply chain attack on SolarWinds, which allowed the attackers to compromise the networks of public and private organizations.

On December 12, 2020, FireEye published detailed information on this widespread campaign, tracked as UNC2452. The attackers trojanized SolarWinds Orion business software updates in order to distribute malware named SUNBURST. SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed component of the Orion software, contains a backdoor that communicates via HTTP to third-party servers.

Description:

Multiple trojanized, malicious updates were digitally signed between March and May 2020 and uploaded to the SolarWinds updates website, including https://downloads.solarwinds.com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Once the trojanized update is installed, the backdoor code embedded in the DLL runs inside the legitimate Orion host process alongside the legitimate code, so the application keeps behaving as expected and operators have no visible reason to suspect malicious activity. Because the attackers inserted their code into a component that was then signed with SolarWinds' own code-signing certificate, application-control and allowlisting technologies that trust the vendor signature do not block it.

Once the update is installed, the malicious DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe from one of the following locations (the <VARIES> folder name differs from host to host):

  • SolarWinds Orion installation folder %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
  • The .NET Assembly cache folder %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll

After a dormant period of up to two weeks, the malware attempts to resolve a subdomain of avsvmcloud.com. The DNS response returns a CNAME record pointing to a command-and-control (C2) domain, and the subsequent C2 traffic to that domain is designed to mimic normal SolarWinds API communications. The backdoor retrieves and executes commands, called Jobs, that can transfer and execute files, profile the system, and disable system services. It uses multiple blocklists of process, service, and driver names to identify forensic and anti-virus tools, and can stage a second-stage payload, move laterally within the organization, and compromise or exfiltrate data.
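The DNS beacon described above is the earliest network indicator most organizations have, so the first triage step is to search resolver logs for any query under avsvmcloud.com and pull out the CNAME target handed back. The following is an added example written for this page, not FireEye's or SolarWinds' code; the log line format it parses and the sample lines (the label k3w8p2, the client addresses, c2.example.net) are constructed for the demonstration, so the parse_line() function is the one place to adapt for a real resolver's log format.

```python
"""Triage DNS query logs for the SUNBURST first-stage beacon (added example, not from the page)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Domain named in the text above as the first-stage DNS beacon target.
BEACON_DOMAIN = "avsvmcloud.com"


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    cname_target: Optional[str]  # the C2 host returned in the CNAME answer, if any


def _normalize(name: str) -> str:
    """Lowercase and drop a trailing dot so 'X.AVSVMCLOUD.COM.' compares equal to the apex form."""
    return name.strip().rstrip(".").lower()


def is_beacon_query(qname: str, domain: str = BEACON_DOMAIN) -> bool:
    """Match the apex and every subdomain, but not look-alikes such as 'notavsvmcloud.com'."""
    q = _normalize(qname)
    return q == domain or q.endswith("." + domain)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record of the constructed log format used here (assumption, not a real product format):
    <timestamp> <client-ip> <qname> <qtype> <rcode> <answer>
    where <answer> is '-' or 'CNAME:<target>' / 'A:<ip>'. Returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, rcode, answer = parts
    return {"timestamp": ts, "client": client, "qname": qname,
            "qtype": qtype, "rcode": rcode, "answer": answer}


def find_beacons(lines: Iterable[str]) -> List[Hit]:
    """Return every query for the beacon domain, with the CNAME target extracted when present."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_beacon_query(rec["qname"]):
            continue
        answer = rec["answer"]
        cname = _normalize(answer[len("CNAME:"):]) if answer.upper().startswith("CNAME:") else None
        hits.append(Hit(rec["timestamp"], rec["client"], _normalize(rec["qname"]), cname))
    return hits


# Constructed sample log lines (not real telemetry). 192.0.2.0/24 and example.net are reserved
# documentation ranges/names; the beacon subdomain label and client addresses are made up.
SAMPLE_LOG = [
    "2020-06-01T09:14:02Z 10.0.5.21 updates.corp.example A NOERROR A:192.0.2.10",
    "2020-06-01T09:14:37Z 10.0.5.21 k3w8p2.avsvmcloud.com A NOERROR CNAME:c2.example.net",
    "2020-06-01T09:15:00Z 10.0.5.30 notavsvmcloud.com A NXDOMAIN -",
    "2020-06-01T09:15:12Z 10.0.5.44 AVSVMCLOUD.COM. A NOERROR A:192.0.2.20",
    "malformed line",
]


def beacon_clients(lines: Iterable[str] = SAMPLE_LOG) -> List[str]:
    """Distinct internal hosts that queried the beacon domain: the Orion servers to isolate first."""
    return sorted({h.client for h in find_beacons(lines)})


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(h)
    print("hosts to isolate:", beacon_clients())
```

The suffix match is deliberately anchored on a leading dot so that only avsvmcloud.com itself and its subdomains match; a naive substring search would also flag unrelated names that merely contain the string. The CNAME target, where one was returned, is the C2 host to block and to search for in proxy and firewall logs.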

Microsoft detects this implant and its components as Solorigate; Microsoft Defender Antivirus flags the threat components as Trojan:MSIL/Solorigate.B!dha.

Below are the observed malicious builds of SolarWinds.Orion.Core.BusinessLayer.dll and their SHA256 hashes, as listed by Microsoft.

Source: FireEye

SHA256                                                            File version       Date
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77  2019.4.5200.9083   March 2020
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b  2020.2.100.12219   March 2020
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed  2020.2.100.11831   March 2020
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77  Not available      March 2020
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c  2020.4.100.478     April 2020
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134  2020.2.5200.12394  April 2020
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6  2020.2.5300.12432  May 2020
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc  2019.4.5200.8890   October 2019
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af  2019.4.5200.8890   October 2019
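A host-side check that ties the two load paths listed earlier to this hash table: compute SHA256 over every SolarWinds.Orion.Core.BusinessLayer.dll found in those locations and compare against the published hashes. This is an added example written for this page, not Qualys' QID logic or SolarWinds' own tooling. The candidate paths are expanded from the Windows %PROGRAMFILES% and %WINDIR% variables (with the <VARIES> folder turned into a wildcard); the demo() function creates a constructed stand-in file in a temporary directory and adds that file's own hash to the blocklist so the matching logic can be exercised offline on any OS without a real malicious sample.

```python
"""Hash-match SolarWinds.Orion.Core.BusinessLayer.dll against the published IOC hashes (added example)."""
import glob
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

TARGET_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# SHA256 values of the malicious DLL builds from the table above.
KNOWN_BAD_SHA256: Set[str] = {
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af",
}


def candidate_paths() -> List[str]:
    """The two load locations named in the text; the <VARIES> folder becomes a glob wildcard.
    Uses Windows environment variables; on other systems the globs simply match nothing."""
    program_files = os.environ.get("PROGRAMFILES", r"C:\Program Files")
    windir = os.environ.get("WINDIR", r"C:\Windows")
    patterns = [
        os.path.join(program_files, "SolarWinds", "Orion", TARGET_DLL),
        os.path.join(windir, "System32", "config", "systemprofile", "AppData",
                     "Local", "assembly", "tmp", "*", TARGET_DLL),
    ]
    return [p for pat in patterns for p in glob.glob(pat)]


def sha256_file(path: str) -> str:
    """Stream the file through SHA256 in 1 MiB chunks (the DLL is several MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(paths: Iterable[str], bad_hashes: Set[str] = KNOWN_BAD_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for every existing file whose hash is on the blocklist.
    Hashes are compared lowercase so a differently-cased IOC feed still matches."""
    bad = {h.lower() for h in bad_hashes}
    hits: Dict[str, str] = {}
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_file(p)
            if digest in bad:
                hits[p] = digest
    return hits


def demo() -> Dict[str, str]:
    """Offline demonstration: a constructed stand-in 'DLL' in a temp directory, whose own hash is
    added to the blocklist so the matching path is exercised. The file is not a real binary."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "tmp", "ABC123", TARGET_DLL)
        os.makedirs(os.path.dirname(fake))
        Path(fake).write_bytes(b"MZ constructed stand-in, not a real binary")
        Path(os.path.join(d, "other.dll")).write_bytes(b"MZ clean stand-in")
        blocklist = KNOWN_BAD_SHA256 | {sha256_file(fake)}
        found = glob.glob(os.path.join(d, "**", "*.dll"), recursive=True)
        return {os.path.relpath(p, d): h for p, h in scan(found, blocklist).items()}


if __name__ == "__main__":
    print("live scan:", scan(candidate_paths()))  # empty on a clean or non-Windows host
    print("demo scan:", demo())
```

On a real host, run scan(candidate_paths()) as an administrator so the systemprofile assembly cache is readable. A hash match is conclusive, but a miss is not a clean bill of health: only the builds in the table are covered, so confirm the installed Orion version against the affected-products list below as well.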

Affected Products:

Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1, and the following products running on them:

  • Application-Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module (DPAIM)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

Mitigation:

SolarWinds has released a security advisory with hotfix guidance, asking customers on Orion Platform 2020.2 or 2020.2 HF 1 to upgrade to 2020.2.1 HF 1, and customers on Orion Platform 2019.4 HF 5 to update to 2019.4 HF 6, as soon as possible. An additional hotfix release that replaces the compromised component and provides several further security enhancements is expected to be made available on Tuesday, December 15.

Detection:

Qualys customers can scan their network with QID 374560 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:

https://www.solarwinds.com/securityadvisory
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
