On December 13th, a disclosure was made for a compromise in the SolarWinds IT Management software suite code base that made a supply chain attack possible for all SolarWinds customers. Attackers implanted backdoors in legitimate, signed DLL files contained in update packages for SolarWinds Orion in March and June of 2020 that were then used to breach customers who upgraded to the affected versions (versions 2019.4 HF 5 through 2020.2.1).
Once the SolarWinds application is updated to one of the affected versions, the embedded backdoor code loads and remains dormant for up to two weeks before establishing command-and-control (C2) communication. Once this communication is established, the backdoor receives commands to perform post-exploitation activities, such as conducting reconnaissance, exfiltrating files, and disabling security controls. The malware traffic imitates the SolarWinds Orion Improvement Program (OIP) protocol and stores information in SolarWinds configuration files to disguise itself as normal activity. The backdoor can also identify and block anti-virus and forensic tools to evade detection.
Available sources are linking this compromise to the FireEye breach disclosed last week as well as other high-level compromises disclosed this week.
FireEye noted that the threat actors kept a “light malware footprint” by typically using legitimate credentials and remote access tools for network access and lateral movement. As SolarWinds products typically run with elevated privileges, the attackers were able to use their initial foothold to move laterally and gain additional administrative credentials within the target environments. The attacker’s infrastructure was configured to match legitimate target hostnames within the environment, and new authentications were typically executed from the same geographic region as the target using virtual private networks. When authenticating remotely to the network, a different set of stolen credentials was used for the authentication than was used for lateral movement.
While it is unknown how many of the SolarWinds customers are facing impacts from the supply chain attack, it is widely acknowledged that this foothold is present on many systems. You can review the ReliaQuest Threat Advisory Report with more detail on the compromise, references to FireEye and Microsoft research, the ReliaQuest response, and our advice to customers that have SolarWinds software within their network.
Here’s how ReliaQuest is taking action:
- ReliaQuest added all known IOCs related to the SolarWinds Supply Chain Attack into GreyMatter Intel for rapid detection capabilities. Countermeasures and IOCs identified by FireEye can be found below.
- ReliaQuest is also leveraging GreyMatter threat hunting capabilities to perform a retroactive IOC hunt for all customers integrated with the GreyMatter Platform.
- ReliaQuest will continue to research the threat actors’ behavior to identify new behavioral detection opportunities to be deployed to customers through GreyMatter’s detection capabilities.
- SolarWinds is expected to deliver 2020.2.1 HF 2 hotfix on Tuesday, December 15, 2020. Once this update is released, upgrade SolarWinds Orion immediately. Until then, consider disconnecting, powering down, or isolating SolarWinds hosts if possible, depending on the risk of doing so to your organization.
Other best practices for shoring up defenses, in light of this particular compromise:
- Disable any single-factor login entry points.
- Update security tools to include the detection signatures FireEye released to identify the exposed tools. ReliaQuest has updated our detection content on behalf of our customers.
- Segment critical data and ensure that defenses are increased around these areas.
- Run retroactive threat hunting activities focused on irregular VPN logins, Windows native scripting, and authentication activity.
- Rehearse incident response playbooks and make revisions where needed.
- Review your controls, detections, and assurance points, and assess your confidence in the resiliency of your security program overall. ReliaQuest has helped hundreds of customers map their risk coverage and controls against the tools in their environment to drive better coverage, greater efficiencies, and continuously maturing security programs.
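The retroactive hunt recommended above (irregular VPN logins and authentication activity) can be grounded in two of the tradecraft details described earlier: remote authentications came from the target's own geographic region, so a plain "foreign country" filter would miss them and each user's own regional baseline is the better reference; and the credential used for the VPN authentication differed from the credential used for lateral movement, so a VPN session whose assigned address then performs logons as a different account is worth review. The script below is an added example, not ReliaQuest or GreyMatter content; the log line format, the field names, the sample records and the eight-hour session window are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). The "<timestamp> <type> key=value ..."
# layout is a hypothetical normalised format, not any vendor's log schema.
SAMPLE_VPN = [
    "2020-11-02T09:00:00 vpn user=alice region=US-FL assigned=10.9.0.5",
    "2020-11-16T09:10:00 vpn user=alice region=US-FL assigned=10.9.0.7",
    "2020-11-03T10:00:00 vpn user=bob region=US-TX assigned=10.9.0.6",
    "2020-12-10T08:02:11 vpn user=alice region=US-FL assigned=10.9.0.5",
    "2020-12-10T22:41:03 vpn user=bob region=US-FL assigned=10.9.0.9",
]
SAMPLE_LOGONS = [
    "2020-12-10T08:05:40 logon user=alice src=10.9.0.5 host=FS01",
    "2020-12-10T08:20:12 logon user=svc_orion src=10.9.0.5 host=DC01",
    "2020-12-10T23:00:00 logon user=bob src=10.9.0.9 host=FS01",
]


@dataclass
class VpnLogin:
    ts: datetime
    user: str
    region: str
    assigned_ip: str


@dataclass
class Logon:
    ts: datetime
    user: str
    src_ip: str
    host: str


def _fields(line):
    """Split a constructed log line into (timestamp, record type, key/value dict)."""
    ts, kind, rest = line.split(" ", 2)
    kv = dict(part.split("=", 1) for part in rest.split())
    return datetime.fromisoformat(ts), kind, kv


def parse_vpn(line):
    ts, kind, kv = _fields(line)
    if kind != "vpn":
        raise ValueError(f"not a vpn record: {line}")
    return VpnLogin(ts, kv["user"], kv["region"], kv["assigned"])


def parse_logon(line):
    ts, kind, kv = _fields(line)
    if kind != "logon":
        raise ValueError(f"not a logon record: {line}")
    return Logon(ts, kv["user"], kv["src"], kv["host"])


def unusual_region_logins(vpn_logins, cutoff):
    """VPN logins at or after `cutoff` from a region the same user was never seen in before it.

    The baseline is per user, so an in-country login still stands out when that
    user's own history is elsewhere. A user with no history is flagged as well.
    """
    baseline = defaultdict(set)
    for v in vpn_logins:
        if v.ts < cutoff:
            baseline[v.user].add(v.region)
    return [v for v in vpn_logins
            if v.ts >= cutoff and v.region not in baseline.get(v.user, set())]


def credential_switches(vpn_logins, logons, session_ttl=timedelta(hours=8)):
    """Pairs (vpn_session, logon) where a host logon from a VPN-assigned address,
    inside that session's assumed lifetime, used a different account than the one
    that authenticated to the VPN."""
    hits = []
    for lg in logons:
        for v in vpn_logins:
            same_session = (v.assigned_ip == lg.src_ip
                            and v.ts <= lg.ts <= v.ts + session_ttl)
            if same_session and v.user.lower() != lg.user.lower():
                hits.append((v, lg))
    return hits


def run_hunt(vpn_lines, logon_lines, cutoff="2020-12-01"):
    """Parse both feeds and return the findings of the two checks."""
    vpn = [parse_vpn(line) for line in vpn_lines]
    logons = [parse_logon(line) for line in logon_lines]
    cutoff_ts = datetime.fromisoformat(cutoff)
    return {
        "unusual_region": unusual_region_logins(vpn, cutoff_ts),
        "credential_switch": credential_switches(vpn, logons),
    }


if __name__ == "__main__":
    findings = run_hunt(SAMPLE_VPN, SAMPLE_LOGONS)
    for v in findings["unusual_region"]:
        print(f"[region] {v.ts} {v.user} from {v.region} (outside user baseline)")
    for v, lg in findings["credential_switch"]:
        print(f"[cred-switch] VPN as {v.user} at {v.ts}, logon as {lg.user} to {lg.host} at {lg.ts}")
```

Against the constructed sample, the first check flags bob's December login from US-FL because his baseline is US-TX, and the second pairs alice's VPN session with the later logon to DC01 as svc_orion from the same assigned address. Both checks are deliberately baseline-driven rather than signature-driven, which is what makes them useful for the "light malware footprint" described by FireEye.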
Please note that ReliaQuest and ReliaQuest GreyMatter were not exposed to this vulnerability.
This report, and any information, analysis, or other observations noted in this informational release, is provided for informational purposes only. The information contained herein is derived from data obtained from your security environment or third parties that ReliaQuest, LLC (“ReliaQuest”) believes to be reliable; however, no warranties, representations, or guarantees are made by ReliaQuest with regard to the accuracy, completeness, or suitability of such information. To the fullest extent allowed by applicable law, ReliaQuest fully disclaims any and all liability with respect to the content and/or use of this information, in any manner, by any third party. Any opinions expressed reflect the current judgment of ReliaQuest and may change without notice. ReliaQuest has no obligation to amend, modify, or update this report or to otherwise notify a reader or recipient thereof in the event that any matter stated herein, or any information, opinion, projection, forecast, or estimate set forth herein, changes or subsequently becomes inaccurate.