Recently, Microsoft and FireEye have announced the discovery of a new advanced threat group utilizing an IT monitoring software vendor as a means to enable access to other targets. This type of attack is referred to as a “supply chain attack” or a “watering hole attack.”
What is a supply chain attack?
A supply chain attack is when an adversary compromises a popular third-party software company that is relied upon by a business vertical (or multiple business verticals), with the express goal of using that foothold to gain access to other targets of interest.
In some cases, the compromised third party is used as a pivot point: threat actors simply direct their attacks and network traffic through the third party so that they appear to be legitimate connections. In other cases, actors steal code signing certificates and use them to sign their malicious binaries, tricking most security products.
Some actors take it much further, compromising the third party’s software build systems and using those to backdoor the software itself. The actors then use the backdoor to gain access to other targets directly, taking advantage of the target’s trust in the third-party software (established usage, signed executables, and so on).
Historic examples of supply chain attacks include the compromise of Ukrainian tax software company MEDoc, which was used to spread NotPetya ransomware; the “Cloud Hopper” APT campaign against managed service providers (MSPs) in an attempt to access their customers; and retailer Target’s compromise through a third-party HVAC company, among others.
What is SolarWinds?
SolarWinds is an IT software company specializing in the creation of system monitoring software. Most of their software is centered around monitoring processes and system resources (e.g., network throughput and heartbeats, disk, CPU, and memory utilization, and customer-defined critical services/processes).
If certain events occur (e.g., a system shutdown, reboot or crash, loss of network connectivity, a utilization threshold being hit, or other specific system events being logged), an alert is triggered informing IT staff that a system outage has occurred and/or that maintenance tasks need to be performed to ensure continued system availability. Of course, this isn’t the only cookie jar that SolarWinds has their hands in, but it is the one they are most famously known for.
SolarWinds has many, many different customers, spanning a wide variety of business verticals, and they prominently display that fact on their website. Accenture, Charter Communications, and Lockheed Martin are among the 300,000+ customers they boast. With such a large customer base, one can see why attacking a third party supplier could enable a lot of access to hard targets, and why supply chain security is so important.
Security teams at both Microsoft and FireEye discovered a backdoor in the SolarWinds Orion Platform as part of a routine investigation. Microsoft gave the backdoor the name “Solorigate,” while FireEye has dubbed the backdoor “SUNBURST,” giving the adversary group behind this attack the title “UNC2452.”
Reporter Kim Zetter has stated that Microsoft has produced a report based on the investigation of this incident. Here is a link to Microsoft’s statement regarding this threat. FireEye has also produced a blog post detailing their findings.
Should I be concerned?
If you are a SolarWinds Orion customer, I would advise taking this threat seriously. While the report states that UNC2452 was extremely selective about their targeting and use of the SUNBURST backdoor, SolarWinds Orion customers should take measures to detect the backdoored software in their environment and mitigate it.
Detection and mitigation
According to a newly released security advisory by SolarWinds, SolarWinds Orion Platform builds from version 2019.4 through version 2020.2.1, released between March 2020 and June 2020, may be affected. They advise upgrading to version 2020.2.1 HF1, and then to 2020.2.1 HF2, which will be available on December 15th, 2020.
The notification differentiates between the HF1 and HF2 updates, stating that HF1 replaces the compromised software component, while HF2 both replaces the component and provides additional security enhancements not yet specified.
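As an added example (not code from this post or from SolarWinds), a small Python check that reads the advisory summary above literally: builds from 2019.4 through 2020.2.1 are treated as affected unless they are 2020.2.1 with HF1 or later. The version-string format, including the “HF” hotfix suffix, is assumed from the version labels quoted above, so adjust the parser to whatever your inventory tool actually records.

```python
import re

# Affected range as stated in the advisory summary above; 2020.2.1 HF1 and later
# carry the replaced component. The version-string format is assumed from the text.
AFFECTED_MIN = (2019, 4, 0)
AFFECTED_MAX = (2020, 2, 1)
FIXED_HOTFIX = 1

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF1" or "2020.2.1-HF2" (assumed formats).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)[\s-]*(?:HF(\d+))?\s*$", re.IGNORECASE)


def parse_version(s):
    """'2020.2.1 HF1' -> ((2020, 2, 1), 1); '2019.4' -> ((2019, 4, 0), 0)."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {s!r}")
    core = tuple(int(p) for p in m.group(1).split("."))
    core = (core + (0, 0, 0))[:3]  # pad to major.minor.patch for tuple comparison
    return core, int(m.group(2) or 0)


def is_affected(s):
    """True when the build falls in the affected range and lacks the fixing hotfix."""
    core, hotfix = parse_version(s)
    if not (AFFECTED_MIN <= core <= AFFECTED_MAX):
        return False
    return not (core == AFFECTED_MAX and hotfix >= FIXED_HOTFIX)


def needs_hotfix(inventory):
    """inventory: {server: version string}. Returns servers still on an affected build."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))
```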
As always, patching is the best path forward. However, considering the timing of this announcement (the lead-up to Christmas and New Year’s is typically a time when most IT and security professionals want to be as far away from a computer as possible, to say nothing of the many verticals that implement change freezes around this time of year), patching may take some time to complete, or may not be immediately possible.
Fortunately, FireEye has also created a GitHub repository containing a set of ClamAV signatures, YARA rules, and Snort rules that can be used to detect the threat. Make full use of the signatures to detect any systems with the backdoor and/or any beaconing activity to the command and control domains. If you utilize other security products or tools, the GitHub repository also includes a CSV file containing SHA256 hashes of the backdoors and implants, as well as network-based indicators that can be used to build other detections as necessary.
A word of caution on the network-based indicators
Some of the IP addresses released among the indicators include Amazon AWS IP addresses and have a high likelihood of being low-quality indicators. The other IP addresses identified seem to belong to other VPS or cloud providers: ChangeIP, MivoCloud, and OVH. Depending on your geographic location and the distribution of your customers and/or users, these IP-address indicators may also be of limited use. I would recommend utilizing the DNS/hostname indicators for more effective network detection of this threat.
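As an added example that is not from this post or from FireEye’s repository, the following Python triage script shows how the CSV of hashes and network indicators mentioned under “Detection and mitigation” can be applied while honouring the caution above: hash and hostname matches are reported at high confidence (hostnames match the indicator and any of its subdomains), and IP-only matches are kept but flagged low confidence. The CSV layout, the sample file bytes, the log formats and every indicator value are constructed here for illustration.

```python
import csv
import hashlib
import io

# Constructed stand-in for a backdoored binary: arbitrary bytes, not real malware.
SAMPLE_BACKDOOR = b"constructed stand-in for a backdoored DLL"
# Constructed indicator list (hypothetical two-column layout). The hash is derived
# from the sample bytes above; hostname and IP are documentation-range values.
IOC_CSV = (
    "type,value\n"
    f"sha256,{hashlib.sha256(SAMPLE_BACKDOOR).hexdigest()}\n"
    "hostname,c2.example.invalid\n"
    "ip,198.51.100.7\n"
)
# Hashes and hostnames are specific; IPs in shared cloud/VPS ranges are low confidence.
CONFIDENCE = {"sha256": "high", "hostname": "high", "ip": "low"}


def load_iocs(text):
    """Group indicator values by type, normalised to lower case."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        iocs.setdefault(row["type"], set()).add(row["value"].strip().lower())
    return iocs


def hash_hits(files, iocs):
    """files: {path: bytes}. Returns paths whose SHA256 matches a known-bad hash."""
    bad = iocs.get("sha256", set())
    return [p for p, data in files.items() if hashlib.sha256(data).hexdigest() in bad]


def host_matches(host, indicator):
    """True for the indicator itself or any subdomain of it (not for look-alike names)."""
    return host == indicator or host.endswith("." + indicator)


def dns_hits(log_lines, iocs):
    """log_lines: constructed 'client queried_name' pairs. Returns (client, name, confidence)."""
    hits = []
    for line in log_lines:
        client, queried = line.split()
        queried = queried.lower()
        if any(host_matches(queried, ind) for ind in iocs.get("hostname", set())):
            hits.append((client, queried, CONFIDENCE["hostname"]))
    return hits


def ip_hits(conn_lines, iocs):
    """conn_lines: constructed 'src dst' pairs. IP matches are kept but flagged low confidence."""
    bad = iocs.get("ip", set())
    return [(src, dst, CONFIDENCE["ip"]) for src, dst in (l.split() for l in conn_lines) if dst in bad]
```

In practice the hash and DNS hits are the ones worth escalating directly; the IP hits are better treated as context to correlate against the hostname matches than as alerts on their own.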