SolarWinds Hack – Mapping the Indicators to the MITRE ATT&CK Framework


OVERVIEW

SolarWinds Inc. is an American company that develops software to help businesses manage their networks, systems and IT infrastructure. The Russia-based threat group UNC2452 trojanized the SolarWinds Orion supply chain to compromise multiple victims worldwide with the SUNBURST malware.

Supply Chain Compromise

Supply chain compromise is the manipulation of products, or of the mechanisms that deliver them, before they reach the end consumer, so that a legitimate product arrives carrying malicious code; here it was the means of gaining initial access to the target organisations. In the ATT&CK Matrix for Enterprise it falls under the Initial Access tactic as technique T1195 and is split into three sub-techniques:

  1. Compromise Software Dependencies and Development Tools (T1195.001)

Manipulating a legitimate software dependency or development tool so that every project that builds on it is compromised.

Example: the Node.js library "event-stream", which had nearly two million downloads a week, was compromised after malicious code was injected into it and distributed via npm. The code attempted to steal bitcoins stored in Copay wallets and reportedly transfer the funds to a server located in Kuala Lumpur.

Ref: https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

  2. Compromise Software Supply Chain (T1195.002)

Manipulating an application's source code, build process or distribution channel so that the legitimate product is delivered to end users with malicious code inside it. This is the sub-technique used against SolarWinds Orion.

Example: CCleaner was targeted by attackers who distributed malware through the CCleaner installation file.

Ref: https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

  3. Compromise Hardware Supply Chain (T1195.003)

Manipulating a hardware component to compromise end users or to plant a backdoor; such implants can be very difficult to detect.

UNC2452

Group ID: G0118

Associated Groups: Solorigate, StellarParticle, Dark Halo

A highly skilled Russia-based, state-sponsored threat group that frequently targets government, consulting, technology, telecom and other organisations in North America, Europe, Asia and the Middle East.

ATT&CK NAVIGATOR

Initial Access

Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)

Execution

Trojanized DLL [SolarWinds.Orion.Core.BusinessLayer.dll] loaded by the Orion service

Persistence

SolarWinds.Orion.Core.BusinessLayer.dll running inside SolarWinds.BusinessLayerHost.exe → backdoor activity

Recon (environment checks)

Before it activates, the backdoor performs several checks to confirm it is running in a real victim environment rather than inside SolarWinds' own network or an analysis sandbox, so that its malicious functionality is not exposed:

  1. The process hosting the DLL must be solarwinds.businesslayerhost.exe (compared as a hash of the lowercase process name).
  2. Wireshark must not be running.
  3. No security- or analysis-related software may be present (process, service and driver names are compared against hardcoded hashes).
  4. The host must be joined to an Active Directory domain, and the domain name must pass three checks:
    1. the hash of the domain name must not appear in a hardcoded blocklist;
    2. the domain must not contain "solarwinds";
    3. the domain must not match the regular expression (?i)([^a-z]|^)(test)([^a-z]|$), or in simpler terms it must not contain the word "test" bounded by non-letters or by the start or end of the name (e.g. test.local or lab-test.corp).
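The environment gate above is small enough to emulate end to end. The Python below is an added example written for this page, not code from the original post or from the SUNBURST sample: it applies the page's domain checks (the "solarwinds" substring, the regex quoted above and a hashed blocklist), a hashed process blocklist and the host-process check. The regex is exactly the one quoted above; the blocklist entries, and SHA-256 as the hashing routine, are assumptions made for illustration and are not the values recovered from the malware.

```python
import hashlib
import re

# The regular expression SUNBURST applies to the host's AD domain name (quoted on the page).
# (?i) makes it case-insensitive; "test" must be bounded by a non-letter or by the start/end
# of the string, so "test.local", "lab-test.corp" and "Test" match while "contest.example"
# and "latest.corp" do not.
TEST_DOMAIN_RE = re.compile(r"(?i)([^a-z]|^)(test)([^a-z]|$)")


def name_hash(name):
    """Hash a lowercased name so a blocklist can ship without its plaintext strings.

    SHA-256 stands in for the malware's own hashing routine; this is an assumption made
    for illustration, not the algorithm recovered from the sample.
    """
    return hashlib.sha256(name.strip().lower().encode()).hexdigest()


# Constructed blocklists. The real sample compares hashes of domain and process names
# against hardcoded values; the entries below are illustrative, not the recovered hashes.
DOMAIN_HASH_BLOCKLIST = {name_hash(d) for d in ("swdev.local", "lab.local", "dmz.local")}
PROCESS_HASH_BLOCKLIST = {
    name_hash(p) for p in ("wireshark.exe", "procmon.exe", "procexp.exe", "x64dbg.exe")
}
EXPECTED_HOST_HASH = name_hash("solarwinds.businesslayerhost.exe")


def domain_check(domain):
    """Apply the page's domain-name gate. Returns (may_activate, reason)."""
    if not domain:
        return False, "host is not joined to an AD domain"
    if "solarwinds" in domain.lower():
        return False, "domain contains 'solarwinds' (the vendor's own network)"
    if TEST_DOMAIN_RE.search(domain):
        return False, "domain contains the standalone word 'test'"
    if name_hash(domain) in DOMAIN_HASH_BLOCKLIST:
        return False, "hash of the domain is on the hardcoded blocklist"
    return True, "domain looks like a real victim environment"


def process_check(running):
    """Apply the page's process gate: no analysis or security tooling may be running."""
    for proc in running:
        if name_hash(proc) in PROCESS_HASH_BLOCKLIST:
            return False, "blocklisted process running: " + proc
    return True, "no blocklisted process found"


def may_activate(host_process, domain, running):
    """Run every gate and collect the failures; any failure keeps the backdoor dormant."""
    reasons = []
    # The DLL only runs its backdoor when hosted by SolarWinds.BusinessLayerHost.exe.
    if name_hash(host_process) != EXPECTED_HOST_HASH:
        reasons.append("unexpected host process: " + host_process)
    ok, why = process_check(running)
    if not ok:
        reasons.append(why)
    ok, why = domain_check(domain)
    if not ok:
        reasons.append(why)
    return (not reasons), reasons


if __name__ == "__main__":
    for dom in ("breached.contoso.com", "corp.solarwinds.com", "lab-test.corp", "SWDEV.LOCAL"):
        print(dom, "->", domain_check(dom))
    print(may_activate("SolarWinds.BusinessLayerHost.exe", "breached.contoso.com", ["svchost.exe"]))
```

Storing the blocklists as hashes is what makes such checks hard to read out of a binary without running it: an analyst who wants the plaintext has to brute-force candidate names against the stored hashes, which is how researchers recovered the real lists.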

Command & Control
Once the checks pass, the backdoor communicates directly with its C2 servers:

Step: 01

Contact the C2 server and send basic information about the compromised system.

Step: 02

After successful contact with the C2 server, the backdoor begins receiving compressed buffers of data containing commands for it to execute.

Step: 03

These commands allow the attackers to run, stop and enumerate processes; read, write and enumerate files and registry keys; and collect and upload information about the device.

Hands-On-Keyboard-Attack

Domain Enumeration

C:\Windows\system32\cmd.exe /C csrss.exe -h breached.contoso.com -f (name="Domain Admins") member -list | csrss.exe -h breached.contoso.com -f objectcategory=* > .\Mod\mod1.log

Lateral Movement

The attackers first created a scheduled task on a remote machine whose action is a binary dropped under SoftwareDistribution, then, on that machine, re-registered the same task from PowerShell with its execution time limit removed (PT0S); the RegisterTaskDefinition flags 6 and 5 are TASK_CREATE_OR_UPDATE and TASK_LOGON_SERVICE_ACCOUNT, so the task keeps running as System:

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]

$scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5);echo "Done"

Persistence

  1. PowerShell:

Powershell -nop -exec bypass -EncodedCommand

The -EncodedCommand, once decoded, would resemble:

Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION

  2. Rundll32:

C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\[malicious .dll file], [various exports]

With rundll32, each compromised device receives a unique binary hash, a unique local filesystem path, a pseudo-unique export name and a unique C2 domain, so file hashes and paths recovered on one host do not carry over as indicators for the next.

Ref

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
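The commands in the hands-on-keyboard section are the kind of activity endpoint telemetry should flag. The Python below is an added example written for this page, not code from the original post or from Microsoft's analysis: it runs four detections derived from the commands above over constructed Sysmon-style process-creation records (the hostnames, the WS01 machine name and the example_payload.dll file name are placeholders, not indicators) and decodes -EncodedCommand arguments so the WMI/rundll32 pattern can be matched in the clear. The rundll32 rule covers both the Framework and Framework64 directories.

```python
import base64
import re


def encode_powershell(command):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line):
    """Pull the -e/-enc/-EncodedCommand argument out of a command line and decode it."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed process-creation records in the shape of Sysmon Event ID 1 fields. They are
# sample data written for this example, not telemetry from an incident.
SAMPLE_EVENTS = [
    {   # 0: the genuine Client/Server Runtime process, started by smss.exe
        "Image": r"C:\Windows\System32\csrss.exe",
        "ParentImage": r"C:\Windows\System32\smss.exe",
        "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768",
    },
    {   # 1: AdFind renamed to csrss.exe, run from cmd.exe with the arguments quoted on the page
        "Image": r"C:\Windows\Temp\csrss.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'csrss.exe -h breached.contoso.com -f (name="Domain Admins") member -list',
    },
    {   # 2: encoded PowerShell that uses WMI to start rundll32 on another host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "Powershell -nop -exec bypass -EncodedCommand " + encode_powershell(
            "Invoke-WMIMethod win32_process -name create -argumentlist "
            r"'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION"
        ),
    },
    {   # 3: rundll32 loading a DLL placed in the .NET Framework directory (placeholder name)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\example_payload.dll, Init",
    },
    {   # 4: scheduled task whose action lives under SoftwareDistribution, created on a remote host
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S WS01',
    },
    {   # 5: benign rundll32 usage, should not alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
]


def detect(event):
    """Return the names of the page's hands-on-keyboard patterns this event matches."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    exe = image.rsplit("\\", 1)[-1]
    hits = []

    # Renamed AdFind: the real csrss.exe lives in System32, is started by smss.exe and never
    # takes AdFind-style "-h host -f filter" arguments.
    if exe == "csrss.exe" and (
        image != r"c:\windows\system32\csrss.exe"
        or parent != r"c:\windows\system32\smss.exe"
        or re.search(r"\s-[hf]\s", cmd)
    ):
        hits.append("csrss.exe masquerade (renamed AdFind)")

    # Encoded PowerShell creating a process over WMI, the page's persistence step.
    decoded = decode_encoded_command(cmd)
    if decoded and re.search(r"invoke-wmimethod\s+win32_process.*-name\s+create", decoded, re.I | re.S):
        tag = " (rundll32 payload)" if "rundll32" in decoded.lower() else ""
        hits.append("encoded PowerShell spawning a process via WMI" + tag)

    # rundll32 loading a DLL from the .NET Framework directory, where only Microsoft's
    # own assemblies belong.
    if exe == "rundll32.exe" and re.search(r"\\microsoft\.net\\framework(?:64)?\\[^\s,]+\.dll", cmd, re.I):
        hits.append("rundll32 loading a DLL from the .NET Framework directory")

    # Scheduled task whose action is an executable under SoftwareDistribution.
    if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(
        r'/tr\s+"?c:\\windows\\softwaredistribution\\[^"\s]+\.exe', cmd, re.I
    ):
        hits.append("scheduled task action under C:\\Windows\\SoftwareDistribution")

    return hits


def scan(events):
    """Map event index -> matched patterns for every event that trips at least one rule."""
    alerts = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            alerts[i] = hits
    return alerts


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

Each rule keys on something the attacker cannot cheaply change without losing the technique: a process named csrss.exe outside System32 or with a parent other than smss.exe, a WMI process-creation call hidden behind base64, a DLL loaded out of a directory that should only hold framework assemblies, and a task action pointing into SoftwareDistribution. Per-host unique hashes, paths and export names (the point made for rundll32 above) do not defeat any of them.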

Network C2 Checks

If the C2 domain resolves to an address in any of the following ranges (private and multicast space plus a handful of specific public ranges), the backdoor treats the environment as untrusted and terminates:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 224.0.0.0/3
  • fc00:: – fe00::
  • fec0:: – ffc0::
  • ff00:: – ff00::
  • 20.140.0.0/15
  • 96.31.172.0/24
  • 131.228.12.0/22
  • 144.86.226.0/24
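Checking a resolved address against these ranges is a few lines with the standard library, and it shows why the list mattered for response: because resolving the C2 name into one of these ranges stops the backdoor, sinkholing that name to such an address turns the check into a kill switch. The Python below is an added example for this page, not code from the original post; the ranges are exactly the ones listed above and the sample DNS answers are constructed.

```python
import ipaddress

# IPv4 ranges from the page, all expressible as CIDR blocks.
IPV4_KILL_RANGES = [
    ipaddress.ip_network(c)
    for c in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
        "224.0.0.0/3",                                    # multicast and reserved
        "20.140.0.0/15", "96.31.172.0/24",
        "131.228.12.0/22", "144.86.226.0/24",
    )
]

# The IPv6 ranges on the page are inclusive start/end pairs rather than prefixes.
IPV6_KILL_RANGES = [
    (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    for lo, hi in (("fc00::", "fe00::"), ("fec0::", "ffc0::"), ("ff00::", "ff00::"))
]


def in_kill_range(address):
    """True if an address resolved for the C2 domain would make the backdoor terminate."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return any(ip in net for net in IPV4_KILL_RANGES)
    return any(lo <= ip <= hi for lo, hi in IPV6_KILL_RANGES)


def answers_that_stop_backdoor(answers):
    """Given the A/AAAA answers for the C2 name, return the ones that hit a kill range."""
    return [a for a in answers if in_kill_range(a)]


def ipv6_ranges_as_cidr():
    """Express the IPv6 start/end pairs as the prefixes a firewall or DNS RPZ rule needs."""
    out = {}
    for lo, hi in IPV6_KILL_RANGES:
        out[str(lo) + " - " + str(hi)] = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    return out


if __name__ == "__main__":
    # Constructed DNS answers: a public address, a private one and one in the 20.140.0.0/15 block.
    sample_answers = ["93.184.216.34", "10.0.0.1", "20.140.0.1", "2001:db8::1", "fd12:3456::1"]
    print("answers that stop the backdoor:", answers_that_stop_backdoor(sample_answers))
    print(ipv6_ranges_as_cidr())
```

Note that "ff00:: - ff00::" is a single address and is already inside "fec0:: - ffc0::", so a defender writing block or sinkhole rules from this list can drop it; the CIDR expansion makes such overlaps visible.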

IOC/Hashes

MD5
02af7cec58b9a5da1c542b5a32151a1
08e35543d6110ed11fdf558bb093d401
b91ce2fa41029f6955bff20079468448
d5aad0d248c237360cf39c054b654d69
2c4a910a1299cdae2a4e55988a2f102e
846e27a652a5e1bfbd0ddd38a16dc865
baa3d3488db90289eb2889c1a2acbcde
e18a6a21eb44e77ca8d739a72209c370
3e329a4c9030b26ba152fb602a1d5893
4f2eb62fa529c0283b28d05ddd311fae
56ceb6d0011d87b6e4d7023d7ef85676
FileName
  • CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
  • SolarWinds.Orion.Core.BusinessLayer.dll
  • OrionImprovementBusinessLayer.2.cs
  • app_web_logoimagehandler.ashx.b6031896.dll

Publisher string that appears in the original indicator table: Solarwinds Worldwide, LLC



MALWARES

Three main malware families were reported during this attack:

  1. BEACON
  2. SUNBURST
  3. TEARDROP

BEACON

BEACON is the Cobalt Strike implant that TEARDROP was used to deliver. The name comes from beaconing: the malware contacts a C2 server at a predetermined, asynchronous interval to ask for instructions or to exfiltrate collected data. The C2 server hosts the instructions, which are executed on the infected machine after the malware checks in.

SUNBURST 

SUNBURST is the digitally signed SolarWinds.Orion.Core.BusinessLayer.dll component of the Orion software framework, which contains a backdoor that communicates over HTTP with third-party servers.

TEARDROP

TEARDROP is a malicious 64-bit dynamic-link library (DLL) that decrypts and loads a payload from an embedded code buffer. When executed, it attempts to read the first 64 bytes of a file named festive_computer.

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
