ANNOUNCEMENT

Highly Elusive Attackers Leverage SolarWinds Supply Chain to Compromise Victims With SUNBURST Backdoor

Introduction

A recent breach involving the cybersecurity firm FireEye has uncovered a widespread campaign by an uncategorised advanced persistent threat actor, tracked as UNC2452 by FireEye. The actors behind this campaign have gained access to numerous public and private organisations around the world via trojanised updates to SolarWinds’ Orion IT monitoring and management software.

Impact

Information leakage, information exposure.

Brief Description

This campaign may have begun as early as March 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security. The tactic used by the attackers allows them to gain access to network traffic management systems.

Affected Products

SolarWinds' Orion Platform versions 2019.4 through 2020.2.1 HF1.

System Affected

Indicator of Compromise (IoC)

Affected Files:

  1. SolarWinds.Orion.Core.BusinessLayer.dll with a file hash of [b91ce2fa41029f6955bff20079468448];
  2. SolarWinds.Orion.Core.BusinessLayer.dll with MD5 hash value [846e27a652a5e1bfbd0ddd38a16dc865];
  3. SolarWinds.Orion.Core.BusinessLayer.dll with MD5 hash value [2c4a910a1299cdae2a4e55988a2f102e];
  4. OrionImprovementBusinessLayer.2.cs with MD5 hash value [4f2eb62fa529c0283b28d05ddd311fae];
  5. CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220Hotfix5.msp with an MD5 hash value [02af7cec58b9a5da1c542b5a32151ba1];
  6. File name unavailable; MD5 hash value [08e35543d6110ed11fdf558bb093d401]; and
  7. C:\WINDOWS\SysWOW64\netsetupsvc.dll.

Command and control:

  1. *.avsvmcloud.com;
  2. deftsecurity.com;
  3. freescanonline.com;
  4. thedoccloud.com;
  5. digitalcollege.org;
  6. globalnetworkissues.com;
  7. kubecloud.com;
  8. lcomputers.com;
  9. seobundlekit.com;
  10. solartrackingsystem.net;
  11. virtualwebdata.com;
  12. webcodez.com;
  13. websitetheme.com;
  14. highdatabase.com;
  15. incomeupdate.com;
  16. databasegalore.com;
  17. panhardware.com; and
  18. zupertech.com.

*The domains listed under items 5 to 18 are attributed to the same threat actor but may not be directly related to the SUNBURST campaign. If any of them is found on your network, you should consider your network compromised.

Recommendation

  1. Agencies that have the capabilities to handle the situation should take the following actions immediately:
    • Create copies of system memory and/or the host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1;
    • Analyse for new user or service accounts, privileged or otherwise;
    • Analyse stored network traffic for indicators of compromise (IoC), including new external DNS domains that have had connections to an IoC. Indicators of compromise are listed above;
    • Restrict the scope of connectivity to critical endpoints from SolarWinds servers;
    • Restrict the scope of accounts that have local administrator privileges on SolarWinds servers; and
    • Apply the new hotfix issued by SolarWinds, version 2020.2.1 HF2.

  2. Affected agencies that have limited capabilities to handle the situation shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
    • NC4 recommends that affected agencies rebuild the Windows operating system and reinstall the SolarWinds software package from trusted sources; and
    • Agencies are prohibited from re-joining the Windows host OS to the enterprise domain until proper clean-up has been done and the new hotfix issued by SolarWinds (version 2020.2.1 HF2) is applied.

  3. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed;
  4. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms; and
  5. After all threat actor-controlled accounts have been deleted, reset all credentials used by or stored in SolarWinds software.
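As an added example (not part of this advisory or of any SolarWinds or FireEye tooling), the following Python script applies the indicators listed above in the way recommendation 1 describes: it screens resolver log lines for queries to the listed command-and-control domains (honouring the `*.avsvmcloud.com` wildcard) and checks the bytes of a copy of SolarWinds.Orion.Core.BusinessLayer.dll against the listed MD5 values. The log line format, client host names and sample queries are constructed assumptions.

```python
import hashlib
import re

# MD5 hashes of the trojanised SolarWinds.Orion.Core.BusinessLayer.dll builds listed above
SUNBURST_DLL_MD5 = {"b91ce2fa41029f6955bff20079468448",
                    "846e27a652a5e1bfbd0ddd38a16dc865",
                    "2c4a910a1299cdae2a4e55988a2f102e"}

# Command-and-control domains listed above; a leading "*." matches any subdomain
C2_DOMAINS = [
    "*.avsvmcloud.com", "deftsecurity.com", "freescanonline.com", "thedoccloud.com",
    "digitalcollege.org", "globalnetworkissues.com", "kubecloud.com", "lcomputers.com",
    "seobundlekit.com", "solartrackingsystem.net", "virtualwebdata.com", "webcodez.com",
    "websitetheme.com", "highdatabase.com", "incomeupdate.com", "databasegalore.com",
    "panhardware.com", "zupertech.com"]

# Assumed (constructed) resolver log format: "<timestamp> <client> query: <name> <type>"
QUERY_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)")

def domain_matches(qname, pattern):
    # "*.x" matches only names below x; a bare indicator also matches its subdomains
    qname = qname.lower().rstrip(".")
    if pattern.startswith("*."):
        return qname.endswith(pattern[1:])
    return qname == pattern or qname.endswith("." + pattern)

def scan_dns_log(text):
    # returns (client, queried name, matched indicator) for every matching query
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        for pattern in C2_DOMAINS:
            if domain_matches(qname, pattern):
                hits.append((client, qname, pattern))
                break
    return hits

def is_sunburst_dll(data):
    # compare the MD5 of a DLL's bytes (read from disk) against the advisory's hash list
    return hashlib.md5(data).hexdigest() in SUNBURST_DLL_MD5

# Constructed sample log lines, not real telemetry
SAMPLE_LOG = """2020-12-14T10:01:02Z srv-orion01 query: abc123.avsvmcloud.com A
2020-12-14T10:01:05Z ws-0042 query: www.example.com A
2020-12-14T10:02:11Z srv-orion01 query: deftsecurity.com A
"""
```

Running `scan_dns_log(SAMPLE_LOG)` on the constructed lines reports the two queries from `srv-orion01`; feed the host's real resolver export to the same function and `open(path, "rb").read()` of the DLL to `is_sunburst_dll` to cover both checks.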

Reference

  1. SolarWinds Security Advisory
    https://www.solarwinds.com/securityadvisory
  2. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
    https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  3. Mitigate SolarWinds Orion Code Compromise
    https://cyber.dhs.gov/ed/21-01/

16-12-2020

CONTACT US

NATIONAL CYBER SECURITY AGENCY (NACSA)

National Security Council
Prime Minister's Department
Level LG & G, West Wing,
Perdana Putra Building,
Federal Government Administrative Center,
62502 Putrajaya, Malaysia.
