As folks are continuing to work to address the Solorigate/ SUNBURST compromise, our team has been mapping the tactics and techniques used by the attackers to the MITRE ATT&CK framework, and building detection content to deploy for our customers.  If you haven’t already, please read this blog first to get the basics. What follows is a lot of content, but we hope you’ll find it useful. As our team continues to identify additional risks, we’ll update our threat advisory as well as post additional blogs as warranted.

Resource Development

T1584 – Compromise Infrastructure

The attackers compromised SolarWinds’ internal build or distribution system to upload malicious updates. Although the details of the initial compromise of SolarWinds are unknown, we do know that it led to eventual compromise of their internal software build or distribution system.

Initial Access

T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain

With access to the SolarWinds development system, the threat actor embedded a backdoor in SolarWinds.Orion.Core.BusinessLayer.dll – a legitimate component of the Orion software framework present in multiple updates available through the SolarWinds website. SolarWinds customers who installed these malicious updates unknowingly installed this backdoor in their environment.

Execution

T1059 – Command and Scripting Interpreter

SolarWinds.Orion.Core.BusinessLayer.dll contained an obfuscated backdoor that communicated to C2 servers. It utilized “Jobs” to execute commands on an affected host.

T1569.002 – System Services: Service Execution

The backdoor deployed the malware dropper TEARDROP that runs as a service.

Persistence

T1543.003 – Create or Modify System Process: Windows Service

The backdoor deployed the malware dropper TEARDROP that runs as a service.

T1053 – Scheduled Task/Job

Manipulation of scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration.

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

HTTP requests were used for C2 beacons and transferring data out of the network.

T1001.003 – Data Obfuscation: Protocol Impersonation

The network traffic was designed to impersonate the Orion Improvement Program protocol, which normally sends usage information back to SolarWinds.

T1071.004 – Application Layer Protocol: DNS

The attackers used DNS CNAME records to store the domain names of its C2 servers. Once the backdoor was initialized, it would resolve the CNAME record for avsvmcloud[.]com to retrieve the C2 server domains.

T1105 – Ingress Tool Transfer

The backdoor has the capability to transfer files and download additional tools. The dropper TEARDROP is used to download additional malware.

T1132.001 – Data Encoding: Standard Encoding

The C2 beacon and response traffic are both encoded and compressed with multiple algorithms.

T1568.002 – Dynamic Resolution: Domain Generation Algorithms

The backdoor used a Domain Generation Algorithm (DGA) to create and resolve subdomains of avsvmcloud[.]com.

Defense Evasion

T1027 – Obfuscated Files or Information

The legitimate file SolarWinds.Orion.Core.BusinessLayer.dll.config is used by the malware to store persistence settings.

T1070.004 – Indicator Removal on Host: File Deletion

The attackers removed their tools and backdoors once other remote access vectors were secured. They also replaced legitimate executables with malicious ones, executed them, then removed their files and restored the originals.

T1553.002 – Subvert Trust Controls: Code Signing

As the attackers compromised the software build system, the file that was backdoored was then signed – giving it additional legitimacy and further reducing chances of detection.

T1562.001 – Impair Defenses: Disable or Modify Tools / T1112 – Modify Registry

Attackers stopped services associated with security and monitoring tools by setting the value of the HKLM\SYSTEM\CurrentControlSet\services\{SERVICE_NAME}\Start key in the Windows registry to “4”.

T1134.003 – Access Token Manipulation: Make and Impersonate Token

In the Microsoft cloud, attackers used compromised SAML token signing certificates to forge SAML tokens to access administrative privileges.

T1036.005 – Masquerading: Match Legitimate Name or Location

Attackers replaced legitimate files with malicious ones that used the same name to avoid detection. The malicious files were then deleted and the original

Discovery

T1012 – Query Registry

Attackers queried the Windows registry for the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid key to be used in an identifier for compromised hosts.

T1057 – Process Discovery

SolarWinds.Orion.Core.BusinessLayer.dll contained an obfuscated backdoor that communicated to C2 servers. It utilized “Jobs” to execute commands for discovering processes on an affected host.

T1083 – File and Directory Discovery

SolarWinds.Orion.Core.BusinessLayer.dll contained an obfuscated backdoor that communicated to C2 servers. It utilized “Jobs” to execute commands for file and directory discovery on an affected host.

T1518 – Software Discovery

SolarWinds.Orion.Core.BusinessLayer.dll contained an obfuscated backdoor that communicated to C2 servers. It utilized “Jobs” to execute commands for software discovery on an affected host.

T1518.001 – Software Discovery: Security Software Discovery

SolarWinds.Orion.Core.BusinessLayer.dll contained an obfuscated backdoor that communicated to C2 servers. It utilized “Jobs” to execute commands for security software discovery on an affected host.

Privilege Escalation

T1543.003 – Create or Modify System Process: Windows Service

The backdoor deployed the malware dropper TEARDROP that runs as a service.

T1053 – Scheduled Task/Job

Manipulation of scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration.

Collection

T1114.002 – Email Collection: Remote Email Collection

There are several instances of the attackers adding mail read permissions to their compromised accounts in order to collect and monitor the target’s emails.

T1105 – Ingress Tool Transfer

The backdoor has the capability to transfer files and download additional tools. The dropper TEARDROP is used to download additional malware.

What should I do?

If IOC activity has been detected within your environment, the following responses are recommended:

  • Investigate any hosts associated with IOC hits for evidence of the techniques listed above around or after the time in which the first IOC hit was seen.
  • Isolate/disable SolarWinds servers until confident there is a trustworthy build to update to. SolarWinds published a security advisory encouraging customers to upgrade as of December 16, 2020.
  • Block known IOCs on network/security infrastructure and monitor for these IOCs in logs as a sign of infection. Hosts associated with these indicators should be isolated and re-imaged before being redeployed in the environment. Any account credentials found to have been used by the attackers should be reset.
  • Change passwords for administrator and service accounts.
  • Ensure default passwords are changed.
  • Remove or disable unused/unnecessary applications and users, especially those with significant privilege (domain administrators, for example).
  • Limit user/service account privilege to the least amount necessary.
  • Restrict scope of connectivity as appropriate between network segments (in particular, from SolarWinds to other areas of the network).
  • Verify backups for critical data and servers are available and stored securely.

Thank you to the team who contributed to this research: Chris Martinez, Kevin Kaminski, Erik Grothman, Matt Kramer, Joe Morales, Zach Stein, Mike Rogers

ReliaQuest has helped hundreds of customers to map their risk coverage and controls against the tools in their environment to drive better coverage, greater efficiencies, and continuously mature security programs.

Please note that ReliaQuest and ReliaQuest GreyMatter were not exposed to this vulnerability.

This report, and any information, analysis, or other observations noted in this informational release, is provided for informational purposes only. The information contained herein is derived from data obtained from your security environment or third parties that ReliaQuest, LLC (“ReliaQuest”) believes to be reliable, however no warranties, representations, or guarantees, are made by ReliaQuest with regard to the accuracy, completeness, or suitability of such information. To the fullest extent allowed by applicable law, ReliaQuest fully disclaims and any all liability with respect to the content and/or use of this information, in any manner, by any third party. Any opinions expressed reflect the current judgment of ReliaQuest and may change without notice. ReliaQuest has no obligation to amend, modify, or update this report or to otherwise notify a reader or recipient thereof in the event that any matter stated herein, or any information, opinion, projection, forecast, or estimate set forth herein, changes or subsequently becomes inaccurate.