News this week that a likely Russia-based threat actor has infected thousands of organizations with malware delivered through seemingly legitimate updates to SolarWinds' Orion network management product has stoked broad concerns on many fronts.
The concerns are particularly high because victims of the campaign reportedly include the US Treasury Department, the Department of Homeland Security, the State Department, the Justice Department, and potentially entities from all five branches of the US military. Among others believed affected are numerous Fortune 500 companies — SolarWinds counts 499 of them as its customers.
Security vendor FireEye uncovered the SolarWinds campaign while investigating a recent breach of its own network in which several of its offensive red-team tools were stolen. As expected, the targeted attack has once again focused attention on the long-standing issue of supply chain and third-party security. It has also raised alarm about the extent to which Russian advanced persistent threat (APT) actors and threat actors from other countries may have insinuated themselves into, and are lurking on, US critical infrastructure and networks, ready to activate at a moment's notice.
Network management products like Orion "have wide-ranging visibility and permissions across networked devices," says Mark Carrigan, chief operating officer at industrial security vendor PAS Global.
In the industrial sector, hackers may be able to leverage the technology to gain access to business-critical industrial control system environments and move laterally across networked systems in order to steal data on industrial processes, chemical formulas, and other sensitive data.
Attackers could use their access to disrupt operations, causing production stoppages or, worse, safety and environmental incidents, Carrigan says. "Given the attribution of the attack to an advanced persistent threat backed by a major nation-state, it is likely that the hackers would have access to the necessary knowledge of industrial control system environments to exploit common 'insecure by design' practices," he warns.
FireEye says its investigation shows the threat actor, which it is tracking as UNC2452, inserted a backdoor dubbed SUNBURST into a digitally signed component of SolarWinds' Orion network management product. The malware was concealed in legitimate updates to Orion that SolarWinds distributed between March and June of this year.
SolarWinds says its investigation shows the updates were sent to about 33,000 of its approximately 300,000 customers worldwide. Some 18,000 of them downloaded the software, but it remains unclear how many of those organizations were actually targeted. The vendor released a patched version of its affected software on Monday and said an additional hotfix would be released on Dec. 15. However, as of late afternoon Dec. 15, that hotfix doesn't appear to have been released.
FireEye's analysis of post-compromise activity shows that SUNBURST lies dormant on victim systems for up to two weeks before it profiles the network and checks for security and malware-detection tools. Once active, the backdoor reaches out to remote, attacker-controlled systems to retrieve and execute additional payloads, among them Cobalt Strike's Beacon agent. The malware's traffic is designed to blend in with legitimate SolarWinds activity, and the code itself hides in plain sight by using fake names and tying into legitimate components, FireEye says.
The Unknown Threat Actor
The security vendor has described UNC2452 as a threat actor it has not encountered previously. FireEye has released indicators of compromise (IoCs) and signatures so organizations can detect the threat, but it has not, publicly at least, attributed the attack to any specific nation-state sponsor. Numerous media reports, however, have pinned the campaign on APT29, or Cozy Bear, a group thought to be associated with Russia's intelligence apparatus.
Paul Prudhomme, cyber-threat intelligence analyst at IntSights, says his firm has so far not been able to corroborate or independently verify the claimed attribution to state-sponsored Russian cyber-espionage groups. "But we do nonetheless find the claim credible and worthy of further consideration," he says.
The campaign is consistent with what IntSights has observed with state-sponsored Russian actors, including the targeting of the US government, the tight operational security, and the generally high level of sophistication and tradecraft involved. At the same time, "technology supply chain compromises of this kind are more typical of Chinese cyber-espionage groups than their Russian counterparts," Prudhomme says.
Meanwhile, security vendor Volexity said Monday that its analysis of the tactics, techniques, and procedures (TTPs) that FireEye released suggests the threat actor is a group that Volexity previously tracked as "Dark Halo." In a blog post, Volexity researchers described Dark Halo as a group they encountered while investigating three separate incidents at a US-based think tank in late 2019 and early this year. Volexity said it found multiple backdoors, malware implants, and tools that allowed Dark Halo to remain undetected on the think tank's network for multiple years.
Security researchers this week stressed that just because an organization might have received tainted updates doesn't mean it was targeted. Even so, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to forensically image system memory and analyze stored network traffic for IoCs.
It has also ordered all agencies to disconnect and power down Orion instances, block traffic to and from hosts running any version of SolarWinds, and look for and remove threat actor-controlled accounts and persistence mechanisms. "Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed," CISA has noted.
Ben Johnson, former National Security Agency analyst and CTO and co-founder of Obsidian Security, says evidence of persistence and lateral movement will vary based on an organization's specific network architecture and configuration of its SolarWinds environment. "But you should immediately be investigating any logs you have — authentication and access logs, network flow logs, and others — for the servers running the backdoored version of Orion software first."
He recommends that organizations look for evidence of the TTPs and IoCs published by organizations that have researched this issue, such as FireEye, Volexity, and Microsoft. "Create new detection/prevention rules for these IoCs in your SIEM and other systems. Also, rotate any user or service account credentials related to SolarWinds."
In addition to looking for suspicious outbound connections, organizations should also look for malicious activity happening internally, Infocyte researchers said Monday. "For instance, FireEye also released information on SUPERNOVA, which is a custom .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler," they noted. Unlike SUNBURST, which makes outbound connections, SUPERNOVA allows inbound backdoor access to the SolarWinds management interfaces, they said.
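The log sweep described above (Orion servers first; outbound hits for SUNBURST-style beaconing, inbound hits for a SUPERNOVA-style web shell) can be scripted. The following is an added example written for this page; it is not code from FireEye, Volexity, Infocyte, or Dark Reading. Every indicator, host address, and log line in it is constructed for illustration: the domain, IP, and handler path are placeholders in reserved ranges, not real SUNBURST or SUPERNOVA IoCs, and the three log formats are assumptions chosen to keep the example short. In use, the placeholder sets would be replaced with the published indicator lists and the asset inventory of hosts running the backdoored Orion build.

```python
"""Triage helper (added example): sweep DNS, flow and web logs for published
IoCs, ranking hits on known Orion servers first. All indicators and log lines
below are CONSTRUCTED placeholders, not real SUNBURST/SUPERNOVA indicators."""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicators; replace with the FireEye/Volexity/Microsoft lists.
IOC_DOMAINS = {"c2.example-ioc.invalid"}          # parent domains; subdomains match too
IOC_IPS = {ipaddress.ip_address("203.0.113.10")}  # RFC 5737 documentation address
IOC_WEB_PATHS = {"/orion/fakehandler.ashx"}       # constructed web-shell handler path
# Servers running the backdoored Orion build, from the asset inventory (constructed).
ORION_HOSTS = {"10.0.0.5"}

# Minimal log formats assumed for the example: "ts client qname",
# "ts src dst dport bytes" and "ts server client method path status".
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<bytes>\d+)$")
WEB_RE = re.compile(r"^(?P<ts>\S+) (?P<server>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+) (?P<status>\d{3})$")

@dataclass(frozen=True)
class Finding:
    host: str      # internal host implicated
    source: str    # log that produced the hit
    detail: str    # what matched
    priority: str  # "high" for known Orion servers, "medium" otherwise

def _priority(host: str) -> str:
    return "high" if host in ORION_HOSTS else "medium"

def _domain_hit(qname: str) -> bool:
    # Suffix match: beaconing of this kind uses generated subdomains of the IoC domain.
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)

def scan_dns(lines):
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and _domain_hit(m["qname"]):
            hits.append(Finding(m["client"], "dns", f"query {m['qname']}", _priority(m["client"])))
    return hits

def scan_flows(lines):
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in IOC_IPS:
            hits.append(Finding(m["src"], "flow", f"outbound to {dst}:{m['dport']}", _priority(m["src"])))
    return hits

def scan_web(lines):
    # Inbound side (web-shell style): requests to a handler that should not exist.
    hits = []
    for line in lines:
        m = WEB_RE.match(line.strip())
        if m and m["path"].split("?", 1)[0].lower() in IOC_WEB_PATHS:
            hits.append(Finding(m["server"], "web", f"{m['client']} {m['method']} {m['path']}",
                                _priority(m["server"])))
    return hits

def triage(dns_lines, flow_lines, web_lines):
    """All findings, Orion servers first, then by host and source for stable output."""
    hits = scan_dns(dns_lines) + scan_flows(flow_lines) + scan_web(web_lines)
    return sorted(hits, key=lambda f: (f.priority != "high", f.host, f.source))

# Constructed sample logs: one hit per log type, plus benign noise.
SAMPLE_DNS = [
    "2020-12-14T10:00:01Z 10.0.0.5 abc123.c2.example-ioc.invalid",
    "2020-12-14T10:00:02Z 10.0.0.7 updates.example.com",
]
SAMPLE_FLOWS = [
    "2020-12-14T10:01:00Z 10.0.0.9 203.0.113.10 443 5120",
    "2020-12-14T10:01:05Z 10.0.0.5 192.0.2.20 443 800",
]
SAMPLE_WEB = [
    "2020-12-14T10:02:00Z 10.0.0.5 198.51.100.4 POST /orion/fakehandler.ashx?clazz=x 200",
    "2020-12-14T10:02:01Z 10.0.0.5 10.0.0.30 GET /Orion/Login.aspx 200",
]

def run_sample():
    return triage(SAMPLE_DNS, SAMPLE_FLOWS, SAMPLE_WEB)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.priority}] {f.host} {f.source}: {f.detail}")
```

Two design points matter in practice. Domain indicators are matched by suffix rather than equality, because beaconing traffic of this kind hides behind generated subdomains that never appear verbatim in an indicator list. And a hit on a host that is not a known Orion server is still reported, only at lower priority, because the guidance above is to treat hosts monitored by Orion as potentially compromised too.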
How Did SolarWinds Get Breached?
With investigations still ongoing, there is some speculation around how threat actors managed to compromise SolarWinds' environment and poison the company's software updates.
Details that SolarWinds has publicly released suggest that attackers gained access to the company's Orion software build system — or CI/CD development environment — using forged SAML authentication tokens that likely impersonated highly privileged accounts.
Statements that SolarWinds and Microsoft have released suggest that the attackers were likely able to forge the tokens after first gaining access to SolarWinds' Microsoft 365 environment through a separate on-premises compromise. According to Volexity, its previous investigations of Dark Halo showed the group using a sophisticated method, involving a stolen secret key from an Outlook Web App (OWA) server, to bypass multifactor authentication. Like other security vendors, Volexity has said its investigations have so far revealed no clues to Dark Halo's origin.
The likelihood that the backdoor was inserted using a compromised build system is interesting and will be an attack vector to look out for next year, says Daniel Trauner, director of security at Axonius.
"This is yet another case showing that failing to protect a modern build system — which often has its own keys, service accounts, and other sensitive features meant to allow for fully automated deployments — can lead to a severe compromise," Trauner says. Organizations should take extra care to protect and audit the usage of any software signing keys as well, especially within a build system, where security is not always a high priority, he says.
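One concrete form of "audit the usage of software signing keys" is to reconcile the signing service's log against what the build pipeline says it produced, and against an independent rebuild of the same commit. The following is an added example written for this page, not SolarWinds' pipeline, Axonius's tooling, or any real signing service. The build records, artifact bytes, service-account name, and audit-log format are all constructed assumptions. It checks four things per signature: the requester is the pipeline's service account, the build id exists, the hash presented for signing is the hash the pipeline recorded, and the pipeline's output matches an independent rebuild. The last check is the one that matters for a compromise of the build host itself: a backdoor injected during compilation still produces a "correct" CI hash, and only a rebuild elsewhere exposes the difference.

```python
"""Signing-key usage audit (added example): reconcile a code-signing service's
audit log against CI build records and independent rebuilds. All builds,
hashes and log lines are CONSTRUCTED; nothing here is SolarWinds' pipeline."""
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for build outputs.
CLEAN_OUTPUT = b"orion-core-release-build-output"
TAMPERED_OUTPUT = b"orion-core-release-build-output+injected-code"

# What CI recorded per build: the hash of the artifact it produced and the hash
# from an independent rebuild of the same commit (reproducible-build check).
# A build modified on the build host has a matching 'sha256' but a differing
# 'rebuild_sha256'; that is the case a plain signature check cannot see.
BUILD_RECORDS = {
    "build-1001": {"sha256": sha256_hex(CLEAN_OUTPUT), "rebuild_sha256": sha256_hex(CLEAN_OUTPUT)},
    "build-1002": {"sha256": sha256_hex(TAMPERED_OUTPUT), "rebuild_sha256": sha256_hex(CLEAN_OUTPUT)},
}
# Only the pipeline's service account (constructed name) may request release signatures.
ALLOWED_REQUESTERS = {"svc-release-pipeline"}

@dataclass(frozen=True)
class Violation:
    build_id: str
    rule: str
    detail: str

def parse_signing_log(lines):
    """Assumed audit-line format: ts key_id build_id sha256 requester."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a production tool would flag it separately
        ts, key_id, build_id, digest, requester = parts
        events.append({"ts": ts, "key_id": key_id, "build_id": build_id,
                       "sha256": digest.lower(), "requester": requester})
    return events

def audit(events, build_records, allowed_requesters):
    violations = []
    for ev in events:
        bid = ev["build_id"]
        if ev["requester"] not in allowed_requesters:
            violations.append(Violation(bid, "unauthorized-requester", ev["requester"]))
        rec = build_records.get(bid)
        if rec is None:
            violations.append(Violation(bid, "unknown-build", "no CI record for this build id"))
            continue
        if ev["sha256"] != rec["sha256"]:
            # Something other than the pipeline's recorded output was signed.
            violations.append(Violation(bid, "hash-mismatch",
                                        f"signed {ev['sha256'][:12]} != built {rec['sha256'][:12]}"))
        if rec["sha256"] != rec["rebuild_sha256"]:
            # CI output matches the signature, but an independent rebuild disagrees:
            # the build step itself may have been tampered with.
            violations.append(Violation(bid, "rebuild-mismatch",
                                        "CI output differs from independent rebuild"))
    return violations

# Constructed signing-service audit log.
SIGNING_LOG = [
    f"2020-12-01T09:00:00Z key-release-2020 build-1001 {sha256_hex(CLEAN_OUTPUT)} svc-release-pipeline",
    f"2020-12-01T09:30:00Z key-release-2020 build-1002 {sha256_hex(TAMPERED_OUTPUT)} svc-release-pipeline",
    f"2020-12-01T10:00:00Z key-release-2020 build-1001 {sha256_hex(TAMPERED_OUTPUT)} svc-release-pipeline",
    f"2020-12-01T23:55:00Z key-release-2020 build-9999 {sha256_hex(CLEAN_OUTPUT)} jdoe",
]

def run_sample():
    return audit(parse_signing_log(SIGNING_LOG), BUILD_RECORDS, ALLOWED_REQUESTERS)

if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.build_id}: {v.rule} ({v.detail})")
```

On the constructed log the first signature is clean, the second passes the hash check but fails the rebuild check, the third signs bytes the pipeline never produced, and the fourth comes from a human account for a build id CI has no record of. The rebuild check only works if the second build runs on infrastructure that shares no credentials or hosts with the primary pipeline; otherwise a compromise of the build environment affects both copies equally.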