FireEye, which last Sunday disclosed a compromise at network management software vendor SolarWinds that allowed an unknown attacker to distribute malware to potentially thousands of organizations, has identified a killswitch that it says would prevent the malware from operating on infected networks.
But in networks where the attackers might have already deployed additional persistence mechanisms, the killswitch will not remove the threat from victim networks, according to the security vendor.
FireEye on Sunday said that an investigation it was conducting into a breach of its own network last week uncovered a threat actor widely distributing a backdoor dubbed SUNBURST by hiding it in legitimate updates of SolarWinds' Orion network management technology.
SUNBURST (SolarWinds.Orion.Core.BusinessLayer dot dll) is a sort of first-stage Trojan that the attackers were using to drop additional payloads for escalating privileges, lateral movement, and data theft on infected networks, FireEye explained. The stealth, planning, and precision with which the attack was executed had all the hallmarks of a nation state-backed actor, the vendor said. FireEye is currently tracking the threat actor as UNC2452, but says it has not been able to identify whether and on whose behalf it might be operating.
Security experts as well as some members of Congress who received classified briefings on the attack, point to Russia as the likely perpetrator.
FireEye has released IoCs and other data to help organizations detect and mitigate the threat. SolarWinds has released updates—including a hotfix today—that it says addresses the issue in all impacted versions of its technology. Since the breach was disclosed, Microsoft and numerous other vendors of malware detection tools have also added signatures for the malicious DLL that FireEye observed was being used to distribute SUNBURST.
An Effective Killswitch Under Some Circumstances
A FireEye spokesperson Wednesday said the company's analysis of SUNBURST showed the malware could be prevented from operating under the right conditions. "Depending on the IP address returned when the malware resolves avsvmcloud dot com under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections," the spokesperson said.
According to FireEye, the killswitch is effective against new and previous SUNBURST deployments that might be still beaconing out to avsvmcloud dot com, the location of the malware's command and control server. "However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor."
In these situations, the killswitch would not boot the threat actor out of an infected network. But it could make life harder for them to use already distributed versions of SUNBURST, FireEye said.
News of the killswitch comes amid high concerns over the potential scope and impact of the SolarWinds intrusion, which FireEye discovered when investigating a breach of its own network last week.
Obama-era Presidential Directive
On Tuesday, the White House National Security Council (NSC) announced that a Unified Coordination Group (UCG) had been established to ensure a coordinated federal agency response to the threat—as prescribed by PPD-41 an Obama-era directive. The PPD-41 process "facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate, and respond to this incident," the NSC said. Earlier on Monday, the DHS's Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive that ordered all federal civilian agencies to immediately power off and disconnect instances of SolarWinds Orion, the network management product that the attacker used to distribute the malware.
A lot of the concern has to do with the potential scope and impact of the breach. SolarWinds supplies network management technology to most federal agencies, all five branches of the military, and almost all Fortune 500 companies, in addition to thousands of managed services provides.
The company's Orion network management tool provides SolarWinds with access deep into some of the biggest, most sensitive networks in the world. Many believe that by poisoning legitimate Orion updates with SUNBURST malware, the attackers have managed to gain what some refer to as "God-mode access" on the compromised networks. Among those believed impacted in the breach are federal agencies like the US Treasury Department, Homeland Security, Justice Department, and State Department.
Researchers from Huntress Labs, which earlier this year validated a zero-day exploit involving another SolarWinds technology called N-Central on Wednesday, said they had compiled a list of more than 4,000 domains and subdomains tied to the poisoned DLL. Huntress Labs' analysis of available data showed the backdoored DLL to be present across 500,000 systems, but only within the Orion product.
According to the vendor, the malicious DLL can be present in three specific SolarWinds programs and 12 distinct locations on a computer filesystem. However, the presence of the DLL alone does not indicate a compromise, the vendor stressed.
Multiple SolarWind Vulnerabilities
SolarWinds has not yet disclosed how exactly the attacker managed to gain enough access on its systems to be able to insert malware into the company's legitimate software updates. The company has noted that preliminary investigations show a compromise of SolarWinds' build system.
Data available on the MITRE CVE vulnerability database shows that researchers have reported 23 vulnerabilities on SolarWinds' technologies this year alone. Many of them—including six that were disclosed in August—have been in N-Central, a SolarWinds' remote monitoring technology.
Daniel Trauner, director of security at Axonius, says incidents like this highlight the importance of good vendor security risk-assessment practices. Organizations should look at public examples of vendor security risk assessment questionnaires such as Google’s VSAQ to get an idea of what to focus on, he says.
At the same time, there are limits to how much vetting one can do, he says.
"Even though larger and more mature enterprises usually have a formal change-control process designed to minimize the risk inherent in modifying existing access or systems, there are usually practical limits for this model," he says. Most of the focus is going to rightfully be on a subset of critical systems and specific elements of the change, such as highlighting any privileged access changes or testing the stability of the system after a patch is applied.
"Unfortunately, there are likely no reasonable routine checks that would have been part of a change management process that would have caught this backdoored SolarWinds update," he says.
The SolarWinds incident has punctuated the dangerous exposure of US federal agencies to threats via the supply chain, says Jacob Olcott vice president of communications and government affairs at BitSight.
Government agencies rely on a vast third-party supply chain with limited visibility into the security posture of critical providers, he says. Current approaches do not adequately address the risk and a significant change in thinking and technological approach to supply chain security is needed.
"For the last five years, adversaries have been able to access valuable personal information, sensitive intellectual property, trade secrets, and other critical national security information by penetrating the government's supply chain," Olcott notes.
"It must integrate cybersecurity into all contracts, placing requirements on contractors to meet certain cybersecurity standards."