SolarWinds Orion (Dark Halo / UNC2452 / Solorigate / StellarParticle) supply-chain breach

What happened

After last week's FireEye breach, yesterday the US Department of the Treasury and the US Department of Homeland Security also declared an incident involving a supply-chain attack on the SolarWinds Orion platform. FireEye has shared a lot of detail, including IOCs, and has confirmed that it was compromised through the same trojanized Orion update. According to FireEye, the attackers compromised SolarWinds' update distribution and pushed trojanized updates starting in spring 2020 (around March). SolarWinds itself stated that its build system was compromised as well. The affected component is "SolarWinds.Orion.Core.BusinessLayer.dll" in Orion versions 2019.4 HF 5 through 2020.2.1.

Many Fortune 500 companies and military institutions are SolarWinds customers, including Cisco, Harvard University, the Federal Reserve Bank, Microsoft and the U.S. Air Force. SolarWinds declared that fewer than 18,000 customers may have installed the trojanized update. We don't have any victim details yet. The RedDrip team has decoded the DGA subdomains, which encode the victim's domain name, and shared a list of decoded domains that identifies successful initial intrusions.

Microsoft also confirmed that it was affected. It also said there may be a second actor using the same vector: https://uk.reuters.com/article/usa-cyber-solarwinds/second-hacking-team-was-targeting-solarwinds-at-time-of-big-breach-idUKL1N2IZ0C9

The attackers trojanized a signed library: the backdoored DLL carries a valid signature from SolarWinds' own code-signing certificate, so a signature check alone does not catch it. The certificate details and signer hash are in the FireEye and Microsoft write-ups referenced below.

Contrary to popular belief (that this is APT29), FireEye attributes the attack to an uncategorized threat cluster it tracks as UNC2452 and calls the backdoor SUNBURST. SUNBURST delivers further payloads, including TEARDROP, a memory-only dropper, which was then used to load Cobalt Strike BEACON.

Some sources, such as Group-IB, claim that fxmsp was the initial intruder into the SolarWinds network, based on fxmsp's posts on the Exploit forum in 2017.

The backdoor beacons over DNS to subdomains of avsvmcloud[.]com, and the CNAME records in the responses hand out the second-stage C2 addresses. Its C2 traffic masquerades as the Orion Improvement Program (OIP) protocol, so it looks like normal SolarWinds network traffic.

Volexity, a different security company, calls this group Dark Halo and has shared its own findings.

[Figure: FireEye's overview graphic of the SUNBURST attack chain. Source: FireEye]

[Figure: DNS communication pattern SUNBURST uses for C2. Source: Microsoft]

Detections & hunting

Here are the YARA rules to detect this activity: https://raw.githubusercontent.com/fireeye/sunburst_countermeasures/main/all-yara.yar

Here are the Snort rules: https://raw.githubusercontent.com/fireeye/sunburst_countermeasures/main/all-snort.rules

Here are the Sigma rules: https://socprime.com/blog/sunburst-backdoor-detection-solarwinds-supply-chain-attack-on-fireeye-and-us-agencies/

Here are the network IOCs to retro-search in your logs, going back to March 2020:

Domains:
avsvmcloud.com
databasegalore.com
deftsecurity.com
digitalcollege.org
freescanonline.com
globalnetworkissues.com
highdatabase.com
incomeupdate.com
kubecloud.com
lcomputers.com
panhardware.com
seobundlekit.com
solartrackingsystem.net
thedoccloud.com
virtualwebdata.com
webcodez.com
websitetheme.com
zupertech.com

Hashes (the list mixes MD5, SHA1 and SHA256 values; grouped here by algorithm):

SHA256:
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589
20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d
92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d
a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8

SHA1:
16505d0b929d80ad1680f993c02954cfd3772207
1acf3108bf1e376c8848fbb25dc87424f2c2a39c
1b476f58ca366b54f34d714ffce3fd73cc30db1a
2546b0e82aecfe987c318c7ad1d00f9fa11cd305
2841391dfbffa02341333dd34f5298071730366a
2dafddbfb0981c5aa31f27a298b9c804e553c7bc
2f1a5a7411d015d01aaee4535835400191645023
395da6d4f3c890295f7584132ea73d759bd9d094
47d92d49e6f7f296260da1af355f941eb25360c4
6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
75af292f34789a1c782ea36c7127bf6106f595e8
76640508b1e7759e548771a5359eaed353bf1eec
bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
c2c30b3a287d82f88753c85cfb11ec9eb1466bad
c8b7f28230ea8fbf441c64fdd3feeba88607069e
d130bd75645c2433f88ac03e73395fba172ef676
d8938528d68aabe1e31df485eb3f75c8a925b5d9
e2152737bed988c0939c900037890d1244d9a30e
e257236206e99f5a5c62035c9c59c57206728b28
fd15760abfc0b2537b89adc65b1ff3f072e7e31c

MD5:
02af7cec58b9a5da1c542b5a32151ba1
08e35543d6110ed11fdf558bb093d401
2c4a910a1299cdae2a4e55988a2f102e
393702fab1c5d09d9f94e8a63114746d
413a71f93e0eeb89f3afb82644f98801
4f2eb62fa529c0283b28d05ddd311fae
56ceb6d0011d87b6e4d7023d7ef85676
846e27a652a5e1bfbd0ddd38a16dc865
b91ce2fa41029f6955bff20079468448

IPs:
108.216.108.136
13.59.205.66
139.99.115.204
18.253.52.187
20.140.4.34
20.141.17.218
20.141.229.215
204.188.205.176
34.203.203.23
5.252.177.21
5.252.177.25
51.89.125.18
54.193.127.66
54.215.192.52
96.31.172.196

Here are some KQL detection queries: https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
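A retro-hunt script over the IOCs above, as an added example (not code from the original post, nor from SolarWinds, FireEye or Microsoft). It assumes a constructed DNS log format of `timestamp client qname qtype answer`, copies a subset of the post's domain, IP and hash IOCs, encodes the beacon hostname shape described above (a generated label under `appsync-api.<region>.avsvmcloud.com`, with the stage-2 C2 handed back as a CNAME), and sorts the mixed hash list by algorithm so it can be matched whichever digest your EDR exports. The sample log lines, and the beacon label in them, are constructed and are not real beacons.

```python
"""Retro-hunt helpers for the SUNBURST IOCs listed above.

Added example; not code from the original post, SolarWinds, FireEye or Microsoft.
Assumed (constructed) inputs: DNS log lines shaped as
    <timestamp> <client-ip> <qname> <qtype> <answer>
and a list of observed file hashes. IOC values are copied from the post's lists;
the DGA label in the sample log is made up and is not a real beacon.
"""
import re

# Subset of the post's network IOCs; extend from the full lists above.
IOC_DOMAINS = {
    "avsvmcloud.com", "databasegalore.com", "deftsecurity.com", "digitalcollege.org",
    "freescanonline.com", "globalnetworkissues.com", "highdatabase.com",
    "incomeupdate.com", "kubecloud.com", "lcomputers.com", "panhardware.com",
    "seobundlekit.com", "solartrackingsystem.net", "thedoccloud.com",
    "virtualwebdata.com", "webcodez.com", "websitetheme.com", "zupertech.com",
}
IOC_IPS = {
    "108.216.108.136", "13.59.205.66", "139.99.115.204", "18.253.52.187",
    "20.140.4.34", "20.141.17.218", "20.141.229.215", "204.188.205.176",
    "34.203.203.23", "5.252.177.21", "5.252.177.25", "51.89.125.18",
    "54.193.127.66", "54.215.192.52", "96.31.172.196",
}
# Three of the post's hash IOCs, one per algorithm, to show the mixed-list handling.
IOC_HASHES_RAW = [
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "02af7cec58b9a5da1c542b5a32151ba1",
    "16505d0b929d80ad1680f993c02954cfd3772207",
]

# Beacon shape per the FireEye/Microsoft analyses: <generated label>.appsync-api.<region>.avsvmcloud.com
# The label pattern is an approximation (lowercase alphanumerics), not the DGA itself.
BEACON_RE = re.compile(
    r"^(?P<label>[a-z0-9]{10,})\.appsync-api\."
    r"(?P<region>eu-west-1|us-west-2|us-east-1|us-east-2)\.avsvmcloud\.com$"
)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # assumed log format


def domain_matches(qname, iocs=IOC_DOMAINS):
    """Match a name or any parent of it against the IOC set, so subdomains are caught."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def hunt_dns(log_text):
    """Return one finding per suspicious DNS log line, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank/malformed lines rather than aborting the hunt
        ts, client, qname, qtype, answer = m.groups()
        reasons = []
        beacon = BEACON_RE.match(qname.lower())
        if beacon:
            reasons.append("sunburst-beacon-shape:" + beacon.group("region"))
        if domain_matches(qname):
            reasons.append("qname-ioc")
        if qtype.upper() == "CNAME" and domain_matches(answer):
            reasons.append("cname-to-ioc")  # stage-2 C2 handed out via CNAME
        if answer in IOC_IPS:
            reasons.append("answer-ip-ioc")
        if reasons:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "answer": answer, "reasons": reasons})
    return findings


def hashes_by_algo(raw):
    """Sort a mixed hash list into md5/sha1/sha256 by hex length, normalised to lowercase."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in raw:
        h = h.strip().lower()
        algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))
        if algo and re.fullmatch(r"[0-9a-f]+", h):
            buckets[algo].add(h)
    return buckets


def match_hashes(observed, iocs=None):
    """Return the observed hashes (as given) that hit an IOC, whatever the algorithm or case."""
    iocs = iocs or hashes_by_algo(IOC_HASHES_RAW)
    all_iocs = set().union(*iocs.values())
    return [h for h in observed if h.strip().lower() in all_iocs]


# Constructed sample: one host beacons, gets a CNAME to a stage-2 domain, then resolves it.
SAMPLE_LOG = """\
2020-06-11T03:14:07Z 10.1.4.22 k9hpn6cn9pgfq7gug5j3v1f0g0nu.appsync-api.eu-west-1.avsvmcloud.com A 20.140.4.34
2020-06-11T03:14:08Z 10.1.4.22 k9hpn6cn9pgfq7gug5j3v1f0g0nu.appsync-api.eu-west-1.avsvmcloud.com CNAME freescanonline.com
2020-06-11T03:20:41Z 10.1.4.22 freescanonline.com A 54.193.127.66
2020-06-11T03:21:00Z 10.1.9.8 www.solarwinds.com A 192.0.2.10
2020-06-11T03:22:13Z 10.1.9.8 updates.example.net A 198.51.100.7
"""

if __name__ == "__main__":
    for f in hunt_dns(SAMPLE_LOG):
        print(f["ts"], f["client"], f["qname"], "->", f["answer"], f["reasons"])
    # Uppercase SHA256 of the trojanized DLL (from the list above) plus a benign MD5.
    print(match_hashes(["32519B85C0B422E4656DE6E6C41878E95FD95026267DAAB4215EE59C107D6C77",
                        "d41d8cd98f00b204e9800998ecf8427e"]))
```

Run as-is it flags the three lines from the one host: the beacon, the CNAME that names the stage-2 domain, and the later resolution of that domain; the two benign lookups stay silent. To use it on real data, point `hunt_dns` at resolver logs or Sysmon DNS events (event ID 22) after adapting `LOG_RE` to your format, and feed `match_hashes` whatever digests your EDR exports. Keep in mind that the trojanized DLL carries a valid SolarWinds signature, so a passing Authenticode check does not clear it; hash matching or the YARA rules above are what actually identify the file.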

Some questions

On November 19, 2019, a security researcher notified SolarWinds about insecure credential handling (update-server credentials exposed in a public GitHub repository), but it looks like they just ignored him.

For a summary of this event and a primer on what SolarWinds Orion (an NMS) is, see the SANS video briefing on the incident.

Be safe!

References:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html

Furkan ÇALIŞKAN
