What the SolarWinds Hack Means for Your Company

An attacker compromised the SolarWinds Orion Platform, an IT monitoring product that often has access to a company's most sensitive secrets. While the situation is still evolving and requires further evaluation, the scale of this attack has global implications, and affected companies must act immediately.

Note: This is a snapshot of the current state of knowledge. Some information in this post may therefore be updated to reflect new findings about the attacker's campaign.

Attack on the Supply Chain with Several High-Profile Victims

Public reporting revealed details of a global campaign by a highly capable attacker, currently tracked as “UNC2452”, who compromised widely used network management software as part of a supply chain attack against several high-profile victims. The affected software is the SolarWinds Orion Platform. The attack inserted a malicious backdoor known as “SUNBURST” into one of the application's libraries, allowing the attacker to gain access to affected systems.

SolarWinds' 8-K filing with the SEC states that the malicious code was inserted during the build process and that the source code itself was not directly affected. The update looked legitimate to victims because it was delivered as an official update and signed with a legitimate SolarWinds certificate.

Recent reports indicate that the malicious updates were delivered to SolarWinds customers from March 2020 through June 2020. Analysis by Microsoft shows non-malicious anomalies in some earlier updates that may indicate the attacker had access to the build process as far back as October 2019.

The Existence of the Malicious Update Does Not Indicate Active Exploitation

In the SEC filing, SolarWinds states that up to 18,000 customers, reported elsewhere as more than 17,000 companies, may have received an update containing the malicious code. However, the presence of the malicious update alone does not mean that a company was actually compromised by the attacker. Because this was a supply chain compromise, the threat actor had no control over which SolarWinds customers downloaded the update; the number of actively exploited companies is therefore likely to be far smaller than the total number that received the malicious update.

The first actively exploited victims reportedly included several US government organizations and US cybersecurity company FireEye. Microsoft has since reported that more than 40 companies in 8 countries have been actively affected by this attack. These include the United States, Canada, Mexico, Israel, the United Arab Emirates, Belgium, Spain, and the United Kingdom.

As of this writing, the companies reported as actively compromised are those operating at the government level or working closely with government agencies. Such organizations can be expected to attract the attention of attackers like UNC2452, who have the expertise and resources to pursue them. The supply chain compromise makes additional victims possible, but it is unlikely that those were direct targets of the attackers when the attack began.

From the Backdoor to Full Control

The backdoor reportedly remains dormant for up to two weeks after installation before running a series of checks intended to prevent it from being used while security tools are running or while the affected device is on the SolarWinds network. Some checks keep the backdoor dormant until they pass, while others trigger an automatic attempt to disable the detected security tools before the checks are re-run to see whether they now pass.

If all checks pass, the backdoor attempts to communicate with a specific command and control (C2) server whose address is derived by combining a hash of host-specific information with three static components compiled into the backdoor's code. The C2 channel allows the attacker to issue a series of commands to penetrate further into the victim's network.

Reports indicate that once the attacker has gained full control, subsequent actions vary from victim to victim. As part of the initial activity, the attacker uses a custom memory-only dropper called “TEARDROP”. This previously unknown malware is reported to run as a service and, in at least one case, was used to deploy a Cobalt Strike Beacon, although it could equally be used to deploy other malicious code.

Gaining Highly Privileged Access

After these initial steps, the attacker uses better-known techniques, such as PowerShell and native system utilities, to escalate privileges and move laterally through the victim's network. At this stage the attacker also obfuscates commands and blends in with legitimate administrative activity.

As reported further, the attacker compromises key authentication mechanisms to gain highly privileged access. The abuse of SAML tokens plays an important role here and is achieved by compromising the company's SAML token-signing certificates. CISA Alert AA20-352A notes that SAML token abuse appears to be common in attacks associated with this attacker, including those not directly related to SolarWinds.

The attacker was observed using the access obtained via SAML to reach important resources in the victims' cloud and online services, including user files and email. Microsoft has published a very useful resource for hunting the attacker's further activities in this operation.

The Main Goals

The attacker's main goals appear to be establishing long-term, persistent access to the victim and stealing sensitive data. The technical details of long-term persistence are well described in the Microsoft blog, which mentions abuse of federation trusts and of OAuth applications or service principals.
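Two of the detection ideas that follow from the SAML abuse described above are worth seeing in code: a SAML token that the cloud service accepted but that the on-premises identity provider never logged as issued, and a token whose validity window is far longer than the identity provider is configured to grant. Because the attacker signs with the organization's own stolen signing certificate, a thumbprint check alone passes; correlation with issuance logs and lifetime checks are what surface the forged tokens. The following is an added example written for this article, not code from the original post, Microsoft or CISA; the log field names and the sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: assertions the on-premises identity provider recorded as
# issued. Field names are assumed for this example, not a real log schema.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@example.com",
     "issued_at": "2020-12-14T09:00:00", "expires_at": "2020-12-14T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@example.com",
     "issued_at": "2020-12-14T09:05:00", "expires_at": "2020-12-14T10:05:00"},
]

# Constructed sample: sign-in events on the cloud side that consumed a SAML
# assertion. The third entry has no issuance record and a week-long lifetime,
# yet carries the thumbprint of the organization's real signing certificate.
TRUSTED_SIGNING_THUMBPRINTS = {"PLACEHOLDER-THUMBPRINT-OF-REAL-SIGNING-CERT"}

CLOUD_SIGNIN_LOG = [
    {"assertion_id": "_a1", "user": "alice@example.com",
     "signing_cert_thumbprint": "PLACEHOLDER-THUMBPRINT-OF-REAL-SIGNING-CERT",
     "not_before": "2020-12-14T09:00:00", "not_on_or_after": "2020-12-14T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@example.com",
     "signing_cert_thumbprint": "PLACEHOLDER-THUMBPRINT-OF-REAL-SIGNING-CERT",
     "not_before": "2020-12-14T09:05:00", "not_on_or_after": "2020-12-14T10:05:00"},
    {"assertion_id": "_zz9", "user": "alice@example.com",
     "signing_cert_thumbprint": "PLACEHOLDER-THUMBPRINT-OF-REAL-SIGNING-CERT",
     "not_before": "2020-12-14T09:30:00", "not_on_or_after": "2020-12-21T09:30:00"},
]

# Longest lifetime the identity provider is configured to issue (assumed here).
MAX_VALIDITY = timedelta(hours=1)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def audit_saml_signins(idp_log, cloud_log, trusted_thumbprints,
                       max_validity=MAX_VALIDITY):
    """Return one finding per cloud sign-in whose SAML assertion looks forged.

    A finding lists every reason that applies, so an analyst can see at a
    glance whether the token failed correlation, lifetime, or certificate
    checks (or several of them).
    """
    issued = {entry["assertion_id"]: entry for entry in idp_log}
    findings = []
    for event in cloud_log:
        reasons = []
        if event["assertion_id"] not in issued:
            reasons.append("no matching issuance event at the identity provider")
        if event["signing_cert_thumbprint"] not in trusted_thumbprints:
            reasons.append("signed by an untrusted certificate")
        lifetime = _ts(event["not_on_or_after"]) - _ts(event["not_before"])
        if lifetime > max_validity:
            reasons.append(f"validity window of {lifetime} exceeds {max_validity}")
        if reasons:
            findings.append({"assertion_id": event["assertion_id"],
                             "user": event["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_saml_signins(IDP_ISSUANCE_LOG, CLOUD_SIGNIN_LOG,
                                      TRUSTED_SIGNING_THUMBPRINTS):
        print(finding["assertion_id"], finding["user"], "; ".join(finding["reasons"]))
```

On the constructed input, only the third sign-in is reported, and it is reported for two reasons (missing issuance record, over-long lifetime) while the certificate check stays silent, which is exactly the blind spot a stolen signing key creates. In a real deployment the two logs come from different systems with different clocks and schemas, so the join key and time-zone handling need to be established before the correlation is trusted.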

Reports by the key parties investigating the attack highlight the attacker's sophisticated skill set and operational security discipline, which allowed them to blend in with legitimate activity. Organizations with the affected software installed should therefore take reasonable steps to investigate, contain, and eliminate this threat.

An Ongoing Investigation

It is important to note that the public's understanding has been updated as the numerous investigations have progressed. One important update since the first publication is the clarification that the activity clusters “SUPERNOVA” and “COSMICGALE” are not directly related to the actual compromise of the SolarWinds supply chain. These activities are reportedly related to exploitation of CVE-2019-8917 and are being tracked as separate threat actors by both Microsoft and FireEye. Detecting this malicious activity is still important, but it should not be assumed to be part of the larger SolarWinds activity cluster.

What Your Company Should Do About the SolarWinds Hack

The attacker's sophisticated skills allow them to blend their activities into legitimate business functions. It is therefore critical that companies that have installed the affected software take steps to investigate, contain, and remediate this threat.

All servers with the vulnerable software installed should be isolated and examined for signs of compromise. Based on the investigation, companies should prioritize installing the hotfix for the SolarWinds Orion Platform, which updates the product to version 2020.2.1 HF 2.

SolarWinds reports that the hotfix removes the compromised components added by the attacker and includes additional security enhancements for the product. This measure should reduce the risk of active exploitation via the backdoor, but it does not on its own undo a compromise that has already progressed beyond the backdoor.
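The first practical step in the remediation above is knowing which servers still run a build older than the hotfix. Orion version strings carry a hotfix suffix (“2020.2.1 HF 2”), so naive string comparison gets the ordering wrong; the helper below parses the suffix into a comparable tuple and triages an inventory. This is an added example for this article, not SolarWinds tooling; the inventory entries are constructed, and the only real version it relies on is the fixed version named in the text.

```python
import re

# Fixed version named in the text; everything below it still needs the hotfix.
FIXED_VERSION = "2020.2.1 HF 2"

# Matches "2020.2.1", "2020.2.1 HF 2", "2019.4 HF5" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn an Orion-style version string into (major, minor, patch, hotfix).

    Missing numeric parts and a missing hotfix count as 0, so "2020.2" sorts
    below "2020.2.1", which sorts below "2020.2.1 HF 1".
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    hotfix = int(match.group(2) or 0)
    return (*parts[:3], hotfix)


def needs_hotfix(version_text, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """Split an inventory into hosts needing the hotfix and hosts already fixed.

    Hosts whose version cannot be parsed are listed separately rather than
    silently treated as patched.
    """
    outdated, current, unknown = [], [], []
    for host, version in inventory:
        try:
            (outdated if needs_hotfix(version, fixed) else current).append(host)
        except ValueError:
            unknown.append(host)
    return {"needs_hotfix": outdated, "current": current, "unparseable": unknown}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF 1"),
    ("orion-prod-02", "2020.2.1 HF 2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-dr-01", "2020.2"),
    ("orion-old-01", "unknown"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host listed under needs_hotfix should be isolated and examined before it is patched, since the text notes that the hotfix alone does not reverse a compromise that has already moved beyond the backdoor. Hosts in the unparseable bucket deserve a manual look: an unexpected version string on an Orion server is itself a reason to check the installation.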

More Needs to Be Done

These attacks are generally interpreted as part of a cyber espionage campaign, but they are of concern to companies worldwide. Highly skilled attackers use similar approaches in critical industries to aggressively acquire network access.

This is part of a “hybrid” approach to projecting force and waging conflict that can now infiltrate corporate networks anywhere. The attacks also have a destabilizing effect: they undermine trust in the technology and security companies we rely on to enable an increasingly digital economy.

However, there is hope that the backlash against the SolarWinds hack will have a positive effect. The international community has recognized that more needs to be done, and the determination to collaborate across borders and between governments and private companies has grown.
