
Solorigate/SUNBURST

Joel Bork, Senior Threat Hunter and Cybersecurity Consultant


IronNet Cybersecurity

IronNet Proprietary and Confidential


What made this incident so widespread?
• Nation-state actors injected malicious code into the SolarWinds Orion
build pipeline, so the backdoor shipped inside a legitimately built and
signed product update.
• The trojanized update is believed to have been downloaded by over 18,000
organizations.
• The affected file is SolarWinds.Orion.Core.BusinessLayer.dll.
• OrionImprovementBusinessLayer is the class the attackers added to that
DLL; it is where the backdoor code lives.

microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/



What made this incident so unique and pervasive?
Expert-level evasion techniques
• SUNBURST was signed with SolarWinds' own code-signing certificate (not a
self-signed one). The C2 domain had also been registered more than a year
before it was used.
• The DLL checked that its own file had not been modified for 12 to 14 days
before it would activate, so it stayed dormant through the initial rollout.
• It also made sure it was not executing:
• At SolarWinds (by checking the host's domain name)
• In a sandbox or analysis environment
• Under security tools
• Only then does it execute, at a random time up to two weeks out (typically
after a restart). THEN:
• Pulls a full process list
• Checks it for endpoint security tools and installed drivers
(Kaspersky, Tanium, LogRhythm, SentinelOne, Cybereason, etc.)
• Attempts to disable other security tools by editing their service
registry entries so the services will not start (CrowdStrike, Carbon
Black, FireEye, etc.)



C2 Communications
If all the SUNBURST checks pass:
• The backdoor reaches out over DNS to its C2 coordinator to learn where its
second-stage C2 server is.
• This is where the infamous domain avsvmcloud[.]com and what has widely been
called its DGA (Domain Generation Algorithm) come into play.

Is this really DGA?

Let’s check the MITRE ATT&CK Framework.



DGA



SUNBURST DNS Tunneling
Tunneled data in the subdomain labels; static parent domain
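The distinction the last two slides draw, shown in working code. This is an added example, not IronNet's or SUNBURST's code: a client packs data into the subdomain labels of one static parent domain (plain base32 stands in for the backdoor's own substitution alphabet, which is not reproduced), the "server" side unpacks it, and a detector separates that pattern from ordinary hostnames and from DGA-style names, which produce many distinct parent domains rather than many unique subdomains under one. The parent domain c2-example.test, the thresholds, and every query below are constructed.

```python
import base64
import hashlib
import math
from collections import defaultdict

PARENT = "c2-example.test"  # assumed static parent domain, stands in for avsvmcloud[.]com


def encode_query(data: bytes, parent: str = PARENT) -> str:
    """Pack bytes into the subdomain labels of a fixed parent domain.

    Plain base32 is used here; SUNBURST used its own alphabet, which is not
    reproduced. Labels are capped at 63 octets and the whole name at 253,
    the RFC 1035 limits a resolver will enforce.
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [text[i:i + 63] for i in range(0, len(text), 63)]
    name = ".".join(labels + [parent])
    if len(name) > 253:
        raise ValueError("payload does not fit in one DNS name")
    return name


def decode_query(name: str, parent: str = PARENT) -> bytes:
    """Recover the bytes a client packed with encode_query (the server side)."""
    suffix = "." + parent
    if not name.endswith(suffix):
        raise ValueError("not a query for the tunnel domain")
    text = name[:-len(suffix)].replace(".", "").upper()
    text += "=" * (-len(text) % 8)  # restore the base32 padding stripped by the client
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits well above human-chosen hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(name: str, depth: int = 2) -> str:
    # Last two labels; a real deployment would consult the public suffix list.
    return ".".join(name.split(".")[-depth:])


def flag_tunnels(queries, min_unique=5, min_len=16, min_entropy=3.0):
    """Return {parent: count} for parents with many unique, long, high-entropy
    subdomains. A DGA yields many distinct parents with few names each and is
    deliberately not matched here; tunneling yields one static parent."""
    by_parent = defaultdict(set)
    for q in queries:
        by_parent[parent_domain(q)].add(q)
    flagged = {}
    for parent, names in by_parent.items():
        subs = [n[:-len(parent) - 1] for n in names if n != parent]
        hits = [s for s in subs if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        if len(hits) >= min_unique:
            flagged[parent] = len(hits)
    return flagged


# Constructed traffic: six tunnel queries carrying a victim name plus an
# 8-byte id, six ordinary hostnames, and three DGA-looking parent domains.
TUNNEL_QUERIES = [
    encode_query(b"victim.corp|" + hashlib.sha256(str(i).encode()).digest()[:8])
    for i in range(6)
]
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.com",
                  "login.example.com", "api.example.com", "static.example.com"]
DGA_LIKE = ["xkqzrvtbhyjm.com", "wplnqdgfzxe.net", "qvmtrbxzhk.org"]
SAMPLE_QUERIES = TUNNEL_QUERIES + BENIGN_QUERIES + DGA_LIKE

if __name__ == "__main__":
    for q in TUNNEL_QUERIES[:2]:
        print(q, "->", decode_query(q))
    print(flag_tunnels(SAMPLE_QUERIES))
```

The detector keys on what the slide title names: one static parent domain receiving many unique, long, high-entropy subdomains. A true DGA inverts that shape (many parents, each queried once or twice), which is why the three DGA-like names are not flagged and would need a separate rule counting distinct unresolved parents per host.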



What does it look like pieced together?



IronNet’s Behavioral Detections



The Aftermath: SUPERNOVA (12/21/2020)
• The vulnerability it exploited was patched in the latest Orion release.
• SUPERNOVA was a sophisticated web shell that compiled and executed C#
payloads in memory.
• Typically, web shells are interpreted script pages (PHP, JavaScript, etc.)
that run commands in the context of the runtime environment by calling
bash, cmd.exe, PowerShell, etc.
• SUPERNOVA's payloads instead run entirely in memory, leaving no payload
artifacts on disk and making no additional network callbacks (the web
shell's own DLL is still on disk; it is the payloads that never touch it).

https://www.bleepingcomputer.com/news/security/new-supernova-backdoor-found-in-solarwinds-cyberattack-analysis/



The Aftermath: SUNSPOT (1/11/2021)
The malware that inserted the SUNBURST backdoor into the SolarWinds Orion
software build.
• Monitored running processes every second for the compiler and, while a
build was in progress, replaced one source file with a backdoored copy.
• Persisted using scheduled tasks.
• Kept the backdoor source code encrypted with AES-128-CBC.
• Wrapped the inserted code in #pragma statements that disable and then
restore compiler warnings, so the build output did not change.
• Verified the MD5 hash of the target source file before replacing it, so it
only tampered with the exact file version it expected.

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
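The defensive mirror of the technique above, as an added example (not SUNSPOT's code and not SolarWinds' build tooling): pin a source-tree manifest at checkout, re-verify it around the compile step so a file swapped in while the compiler runs is caught, and scan for the warning-suppression pragmas an inserted backdoor needs in order to keep the build quiet. SHA-256 is used for the manifest; the page records that SUNSPOT itself used MD5 only to recognise its target file. The two-file source tree, its contents and file names are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".cs", ".csproj"}  # assumed: what a C# build compiles from
PRAGMA_MARKER = "#pragma warning disable"  # SUNSPOT wrapped its insert in these


def build_manifest(root: Path) -> dict:
    """Map each source file (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(root: Path, pinned: dict) -> dict:
    """Return {relative path: reason} for every file that no longer matches
    the pinned manifest: modified, missing, or newly appeared."""
    current = build_manifest(root)
    problems = {}
    for rel, digest in pinned.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"
    for rel in current:
        if rel not in pinned:
            problems[rel] = "unexpected"
    return problems


def warning_suppressed_files(root: Path) -> list:
    """C# sources containing a warning-disable pragma: a cheap second signal,
    since inserted code must not make the build log noisier than before."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.cs")
        if PRAGMA_MARKER in p.read_text(encoding="utf-8", errors="replace")
    )


def simulate_tampered_build() -> tuple:
    """Pin a constructed two-file tree, swap a source file the way the page
    describes SUNSPOT doing between checkout and compile, and re-verify.
    Returns (manifest deviations, files carrying warning-disable pragmas)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Inventory.cs").write_text("class Inventory { }\n")  # constructed
        (root / "App.csproj").write_text("<Project />\n")  # constructed
        pinned = build_manifest(root)
        assert verify_manifest(root, pinned) == {}  # clean before the build starts
        # Tamper step: the file is replaced while the compiler would be running.
        (root / "Inventory.cs").write_text(
            "#pragma warning disable\n"
            "class Inventory { /* implant would go here */ }\n"
            "#pragma warning restore\n"
        )
        return verify_manifest(root, pinned), warning_suppressed_files(root)


if __name__ == "__main__":
    problems, pragmas = simulate_tampered_build()
    print("manifest deviations:", problems)
    print("warning-suppressed sources:", pragmas)
```

In a real pipeline the manifest is produced on the build host immediately after checkout and checked again immediately after the compiler exits; a deviation in between means something on the build host, not the repository, changed the inputs, which is exactly the gap SUNSPOT lived in.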



The Aftermath Continues:



Other Items of Interest
• The FBI is investigating JetBrains and its TeamCity CI server, which may
have played a role in granting initial access to SolarWinds (unconfirmed).
• CISA also reported the use of forged SAML authentication tokens to move
laterally into Microsoft Azure cloud environments.
• Using privileged access, attackers have been seen pivoting to less
privileged accounts (service accounts), which draw less scrutiny.
• This persistence is difficult to detect; tools built to hunt for it:
• CISA's Sparrow
• The open-source utility Hawk
• CrowdStrike's Azure Reporting Tool (CRT)
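The kind of hunt those tools automate, shown on a few log records. This is an added example, not Sparrow, Hawk or CRT, and not IronNet's code: it flags the audit operations that precede forged-token abuse (a changed federation trust, a new credential on a service principal) and correlates a new service-principal credential with a sign-in by that principal shortly afterward, which is the privileged-to-service-account pivot described above. The operation display names follow Azure AD audit-log conventions, but the mapping, the simplified record shape and every record below are this example's own, constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Operations worth an immediate look. Display names follow Azure AD audit-log
# conventions; the mapping itself is this example's assumption.
HIGH_RISK_OPS = {
    "Set federation settings on domain": "federation trust changed: the precondition for forging SAML tokens",
    "Set domain authentication": "domain switched between managed and federated authentication",
    "Add service principal credentials": "new secret or certificate added to a service principal",
}

# Constructed, simplified records (one JSON object per line). Field names are
# this example's own, not the Graph API schema.
AUDIT_LINES = [
    '{"time": "2020-12-10T02:15:00Z", "operation": "Set federation settings on domain", "actor": "admin@victim.test", "target": "victim.test"}',
    '{"time": "2020-12-10T02:40:00Z", "operation": "Add service principal credentials", "actor": "admin@victim.test", "target": "sp-backup-sync"}',
    '{"time": "2020-12-10T09:00:00Z", "operation": "Update user", "actor": "helpdesk@victim.test", "target": "jdoe@victim.test"}',
]
SIGNIN_LINES = [
    '{"time": "2020-12-10T03:05:00Z", "principal": "sp-backup-sync", "resource": "Office 365 Exchange Online", "ip": "203.0.113.7"}',
    '{"time": "2020-12-11T10:00:00Z", "principal": "jdoe@victim.test", "resource": "Microsoft Graph", "ip": "198.51.100.4"}',
]


def parse_lines(lines):
    """One JSON object per line, as exported logs are commonly stored."""
    return [json.loads(line) for line in lines]


def ts(value):
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def high_risk_operations(audit):
    """Every audit record whose operation is in HIGH_RISK_OPS, with the reason."""
    return [
        {"time": r["time"], "operation": r["operation"], "actor": r["actor"],
         "target": r["target"], "why": HIGH_RISK_OPS[r["operation"]]}
        for r in audit
        if r["operation"] in HIGH_RISK_OPS
    ]


def credential_then_signin(audit, signins, window_hours=24):
    """Service principals that received a new credential and then signed in
    within the window. A fresh secret followed by prompt use from a new place
    is how a privileged foothold turns into a quiet service-account foothold."""
    granted_at = {}
    for r in audit:
        if r["operation"] == "Add service principal credentials":
            granted_at[r["target"]] = ts(r["time"])
    window = timedelta(hours=window_hours)
    hits = []
    for s in signins:
        granted = granted_at.get(s["principal"])
        if granted is None:
            continue
        when = ts(s["time"])
        if granted <= when <= granted + window:
            hits.append({"principal": s["principal"],
                         "credential_added": granted.isoformat(),
                         "signin": when.isoformat(),
                         "resource": s["resource"], "ip": s["ip"]})
    return hits


if __name__ == "__main__":
    audit, signins = parse_lines(AUDIT_LINES), parse_lines(SIGNIN_LINES)
    for finding in high_risk_operations(audit):
        print("HIGH RISK:", finding)
    for hit in credential_then_signin(audit, signins):
        print("CREDENTIAL THEN SIGN-IN:", hit)
```

Two findings come out of the constructed data: the federation change and the new service-principal credential, and the sign-in by sp-backup-sync 25 minutes after that credential appeared. The routine "Update user" record is left alone. The same correlation, run over real audit and sign-in exports, is a reasonable first pass at the "manually search for any SAML abuse" step on the next slide.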



The Industry Recommendations
• The nuclear option: turn it all off and rip it out (the advice I have
heard the most)
• Perform a complete investigation and incident response
• Check for the published indicators of compromise
• Block those indicators at your firewall
• Update:
• Antivirus
• Endpoint protection systems
• Manually search for any SAML abuse (forged or anomalous tokens)
• Remediate based on the results



IronNet Recommendations
• Review your log retention policy: 6 to 9 months is no longer sufficient
when an intrusion can stay dormant for weeks and undetected for months.
• Create a culture of testing updates from a security perspective, not just
a functionality perspective, and audit how updates behave in production.
• Scrutinize updates from organizations that were compromised by SUNBURST.
Ask questions!
• While responding to this incident, look to the future:
• Understand your network and implement behavioral network analytics to
help find these TTPs
• Work together toward a better tomorrow through Collective Defense



"Neither government nor the private sector can
defend our networks alone; they have to work
together."

-Richard Clarke
