Understanding SolarWinds, Cybersecurity, and Attribution ft. CyberCharles

SolarWinds Hack and Russia: Planning Doc

Topics to Discuss
SolarWinds Campaign
The campaign needs to be broken into three segments:
Compromise of the software supply chain: the SolarWinds organization itself and the Orion source code / build process
SUNSPOT malware (Source: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/):
“It was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is consistent with the currently assessed StellarParticle supply chain attack timeline.”
“StellarParticle operators maintained the persistence of SUNSPOT by creating a scheduled task set to execute when the host boots.”
“The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This step is a prerequisite for the remainder of SUNSPOT’s execution, which involves reading other processes’ memory.”
“...the malware checks for the presence of a second mutex...This mutex was likely intended to be used by StellarParticle operators to discreetly stop the malware, instead of using a riskier method such as killing the process. Stopping SUNSPOT in the middle of its operation could result in unfinished tampering of the Orion source code, and lead to Orion build errors that SolarWinds developers would investigate, revealing the adversary’s presence…”
“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built.”
“SUNSPOT appends an entry in the log file with the date and time of the backdoor attempt and waits for the MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file. If the Orion solution build is successful, it is backdoored with SUNBURST.”
Persistence using scheduled tasks, triggered at boot time
Use of AES128-CBC to protect the targeted source code files and the backdoored source code file in the binary
Use of RC4 encryption with a hard-coded key to protect the log file entries
Log entries from different executions of the malware that are separated with a hard-coded value 32 78 A5 E7 1A 79 91 AC
Log file creation in the system temp directory C:\Windows\Temp\vmware-vmdmp.log masquerading as a legitimate VMWare log file
Detection of the targeted Visual Studio solution build by reading the virtual memory of MsBuild.exe processes, looking for the targeted solution filename
Access to the remote process arguments made via the remote process’s PEB structure
Replacement of source code files during the build process, before compilation, by replacing file content with another version containing SUNBURST
Insertion of the backdoor code within #pragma statements disabling and restoring warnings, to prevent the backdoor code lines from appearing in build logs
Check of the MD5 hashes of the original source code and of the backdoored source code to ensure the tampering will not cause build errors
Attempt to open a non-existing mutex to detect when the malware operators want the backdoor to stop execution and safely exit
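The log format described in the TTPs above (RC4 with a hard-coded key, entries separated by the constant 32 78 A5 E7 1A 79 91 AC, written to C:\Windows\Temp\vmware-vmdmp.log) is something an analyst has to parse when triaging a suspected build-server compromise. The script below is an added example for this planning doc, not code from CrowdStrike or from the malware: it splits a log blob on the separator and RC4-decrypts each entry. The key ASSUMED_KEY is a placeholder (the real key has to be pulled from the sample), the sample entries are constructed, and the assumption that the keystream restarts for every entry is ours.

```python
from typing import List

# Entry separator CrowdStrike reports between log entries from different runs.
SEPARATOR = bytes.fromhex("3278A5E71A7991AC")

# ASSUMPTION: placeholder key. SUNSPOT's real hard-coded RC4 key must be
# recovered from the sample itself; it is deliberately not reproduced here.
ASSUMED_KEY = b"placeholder-key-not-the-real-one"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_entries(blob: bytes) -> List[bytes]:
    """Split the raw log on the 8-byte separator, dropping empty chunks from a
    leading or trailing separator. Caveat: if the separator bytes ever occur
    inside ciphertext the entry is split in two; an 8-byte collision is unlikely."""
    return [chunk for chunk in blob.split(SEPARATOR) if chunk]


def decrypt_log(blob: bytes, key: bytes) -> List[str]:
    """Decrypt each entry on its own (ASSUMPTION: the keystream restarts per entry)."""
    return [rc4(key, chunk).decode("utf-8", errors="replace")
            for chunk in split_entries(blob)]


def printable_ratio(text: str) -> float:
    """Share of printable characters; a quick sanity check that a key candidate is right."""
    if not text:
        return 0.0
    return sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text)


def build_sample_log(entries: List[str], key: bytes) -> bytes:
    """Constructed test data: encrypt entries and join them with the separator."""
    return SEPARATOR.join(rc4(key, e.encode("utf-8")) for e in entries) + SEPARATOR


# Constructed entries (not copied from any real sample); wording is illustrative.
SAMPLE_ENTRIES = [
    "2020-02-20 11:40:02 [1] solution found: C:\\Orion\\Orion.sln",
    "2020-02-20 11:40:03 [2] backdoor attempt: InventoryManager.cs",
]


def main() -> None:
    blob = build_sample_log(SAMPLE_ENTRIES, ASSUMED_KEY)
    for entry in decrypt_log(blob, ASSUMED_KEY):
        print(entry)
    # A wrong key candidate yields mostly unprintable noise; that is how an
    # analyst notices the key extracted from the binary was misidentified.
    noise = decrypt_log(blob, b"wrong-key")[0]
    print("printable ratio with wrong key:", round(printable_ratio(noise), 2))


if __name__ == "__main__":
    main()
```

In practice the file is read from disk and the key is whatever the reverse engineer recovered from the sample; the per-entry keystream restart is the part to verify against the binary before trusting the output.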
Infection of thousands of SolarWinds customers by the trojanized Orion update (SUNBURST)
Subsequent APT compromises of select organizations
‘According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software”. Basically, a software update was exploited to install the ‘Sunburst’ malware into Orion, which was then installed by more than 17,000 customers.’

‘Once installed, the malware gave a backdoor entry to the hackers to the systems and networks of SolarWinds’ customers. More importantly, the malware was also able to thwart tools such as anti-virus that could detect it.’
Supply-chain compromises
Trojan Malware
Resilience, weak points
“Those unable to update are told to isolate “SolarWinds servers” and it should “include blocking all Internet egress from SolarWinds servers”.”
Cyber-corporate infrastructure, “too big to fail vs. too interwoven to fail”?
“In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.”
“By consolidating identity and access natively in the cloud, tenants relieve themselves from the burden of managing the federation of authentication and the on-premises service, and gain more of the protections that the cloud provider has in place, including system hardening, configuration and monitoring.”
Common practice is for enterprises to move infrastructure into “the cloud”, effectively outsourcing many functions to the provider, including cybersecurity and security configuration.
The issues of locality and territoriality
“The ability of actors to conduct this attack hinges on the initial compromise of customer on-premises systems. Without administrative access to the on-premises identity provider, actors would not be able to generate tokens for use in the cloud. Follow NSA guidance on locking down endpoint systems, beginning with keeping systems patched and software updated [20].”
A common defense measure is to key on source IP geolocation: sign-ins from other countries, or from locales too distant to reach since the user's previous sign-in (“impossible travel”).
UNC2452 defeated this by logging in from infrastructure located in the victim's own country (FireEye reported Virtual Private Servers; VPN egress serves the same purpose), so the source IP looked routine and the geolocation checks did not fire.
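To make the limitation concrete, here is an added example (not code from any of the sources cited in this doc) of the two checks a sign-in monitor typically runs over the records the cloud provider exposes: impossible travel between consecutive sign-ins for the same user, and a country change. The sign-in records are constructed, and the lat/lon and “hosting” flag are assumed to come from an IP-intelligence lookup. The point it shows is that an in-country VPS passes both geo checks and is only caught by a third rule on hosting-provider egress.

```python
import math
from datetime import datetime
from typing import Dict, List

# Constructed sign-in records (not real telemetry). "hosting" marks source
# IPs that IP-intelligence attributes to a hosting/VPS provider (ASSUMPTION).
SIGNINS = [
    {"user": "alice", "ts": "2020-12-01T09:00:00", "ip": "203.0.113.10",
     "lat": 38.90, "lon": -77.04, "country": "US", "hosting": False},
    # 30 minutes later from Moscow: classic impossible travel.
    {"user": "alice", "ts": "2020-12-01T09:30:00", "ip": "198.51.100.7",
     "lat": 55.75, "lon": 37.62, "country": "RU", "hosting": False},
    {"user": "bob", "ts": "2020-12-01T10:00:00", "ip": "203.0.113.20",
     "lat": 38.90, "lon": -77.04, "country": "US", "hosting": False},
    # One hour later from a VPS ~40 km away, same country: geo checks pass.
    {"user": "bob", "ts": "2020-12-01T11:00:00", "ip": "192.0.2.55",
     "lat": 39.04, "lon": -77.49, "country": "US", "hosting": True},
]

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # ignore jitter between nearby geolocations


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a sphere of Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(signins: List[Dict]) -> List[Dict[str, str]]:
    """Return one alert per (user, ip, rule). Three rules: impossible_travel,
    country_change, hosting_provider_egress."""
    alerts = []
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"user": user, "ip": cur["ip"], "rule": "impossible_travel"})
            elif prev["country"] != cur["country"]:
                alerts.append({"user": user, "ip": cur["ip"], "rule": "country_change"})
        # The rule that still fires for in-country VPS/VPN egress: the source
        # network is a hosting provider, not a residential or corporate range.
        for ev in events:
            if ev["hosting"]:
                alerts.append({"user": user, "ip": ev["ip"], "rule": "hosting_provider_egress"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNINS):
        print(alert)
```

The hosting-provider rule is noisy on its own (remote staff on commercial VPNs trip it), which is why it is usually weighted into a risk score with other signals rather than used as a hard block.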
Multiple Vectors
“In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials.”
VMware command injection vulnerability (CVE-2020-4006 in Workspace ONE Access / Identity Manager, the subject of NSA's December 2020 advisory)
MFA bypass
‘“MFA threat modeling generally doesn’t include a complete system compromise of an OWA server,” Ars’ Dan Goodin wrote. “The level of access the hacker achieved was enough to neuter just about any defense.”’
SAML compromise
“Note that these TTPs (in and of themselves) do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access.”
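The NSA point above is that a SAML token signed with the on-premises IdP's key is, by design, accepted by the cloud service whether or not the IdP ever authenticated anyone. Signature validation cannot catch a forged token, so detection has to corroborate token use against IdP authentication logs collected out of band. The script below is an added example for this doc, not NSA or Microsoft code: it takes constructed IdP authentication events and constructed cloud-side records of presented assertions, and flags tokens with no matching IdP authentication, lifetimes beyond policy, or an unexpected issuer. The trusted issuer URL, the one-hour lifetime policy and the five-minute correlation window are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed IdP (e.g. AD FS) authentication events: when the on-premises IdP
# actually authenticated the user. Not real logs.
IDP_AUTH_EVENTS = [
    {"user": "alice@corp.example", "ts": "2020-12-14T08:59:40"},
    {"user": "bob@corp.example", "ts": "2020-12-14T09:15:05"},
]

# ASSUMPTION: the federation trust the cloud tenant is configured with.
TRUSTED_ISSUER = "http://adfs.corp.example/adfs/services/trust"

# Constructed cloud-side records of SAML assertions presented to the service
# provider (IssueInstant / NotOnOrAfter / Issuer). The third one models a
# token signed with a stolen IdP key: no IdP event and a 24-hour lifetime.
SP_TOKEN_EVENTS = [
    {"user": "alice@corp.example", "issued": "2020-12-14T09:00:00",
     "expires": "2020-12-14T10:00:00", "issuer": TRUSTED_ISSUER},
    {"user": "bob@corp.example", "issued": "2020-12-14T09:15:10",
     "expires": "2020-12-14T10:15:10", "issuer": TRUSTED_ISSUER},
    {"user": "svc-admin@corp.example", "issued": "2020-12-14T03:12:00",
     "expires": "2020-12-15T03:12:00", "issuer": TRUSTED_ISSUER},
]

MAX_LIFETIME = timedelta(hours=1)             # ASSUMPTION: IdP token policy
CORRELATION_WINDOW = timedelta(minutes=5)     # ASSUMPTION: clock skew + login latency


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_tokens(sp_events: List[Dict], idp_events: List[Dict]) -> List[Dict]:
    """Return tokens that the IdP logs do not vouch for, with the reasons."""
    idp_by_user: Dict[str, List[datetime]] = {}
    for ev in idp_events:
        idp_by_user.setdefault(ev["user"], []).append(_parse(ev["ts"]))

    findings = []
    for tok in sp_events:
        issued, expires = _parse(tok["issued"]), _parse(tok["expires"])
        reasons = []
        # A genuine token follows an IdP authentication shortly before issuance.
        auths = idp_by_user.get(tok["user"], [])
        if not any(issued - CORRELATION_WINDOW <= t <= issued for t in auths):
            reasons.append("no_idp_authentication")
        # Forged tokens are free to claim any validity period the attacker likes.
        if expires - issued > MAX_LIFETIME:
            reasons.append("lifetime_exceeds_policy")
        if tok["issuer"] != TRUSTED_ISSUER:
            reasons.append("unexpected_issuer")
        if reasons:
            findings.append({"user": tok["user"], "issued": tok["issued"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tokens(SP_TOKEN_EVENTS, IDP_AUTH_EVENTS):
        print(f)
```

Caveat: the correlation only helps if the IdP logs are shipped somewhere the attacker does not control. An actor with administrative access to the IdP (which is exactly the precondition NSA describes) can also suppress or fabricate its local event log, so the copy used for this check should be forwarded continuously to a separate log store.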
State of Cybersecurity sector in the US
Impact of SolarWinds hack
“Scope and Impact: It is estimated that 18,000+ organizations that downloaded the trojaned software from SolarWinds were potentially impacted by this event. It is reasonable to assume that enterprises and government organizations will be dealing with the fallout from this for several months, and those who do not have the staff or resources to adequately respond to this type of event may languish in a state of unknown certainty indefinitely.”
Lessons to be drawn?
In many ways, the threat actor behind this campaign bypassed the most common policies and best practices:
Two-factor authentication
Code signing
Hybrid network infrastructure, some on-premises and some in the cloud
Third-party vendors supplying multiple parts of the network
Large, common enterprise business solutions, such as Office 365
Some cybersecurity breaches result from policies (or the lack of them) that can be reformed. In this case, though, the controls that were bypassed are ones organizations are likely to rely on even more heavily in the future.
Cybersecurity vendors
Links to industrial and infrastructure security
What the US considers “Critical cyber infrastructure”
Software and Information Technology supply chain