Swift new developments have continued to pour out on the SolarWinds breach. Under normal circumstances it is difficult to keep up to date on the news and especially so with a story that continues to grow. Nevertheless, the Threat Lab team at WatchGuard has been keeping an eye out on the latest updates. Beyond the major players such as FireEye, Microsoft, CISA, and SolarWinds, there have been a plethora of other companies and researchers eager to understand and publish their findings. Understandably, there are still some aspects of the breach that remain unknown. The research released so far has painted a vivid picture of how the attackers created one of the largest supply chain attacks in history. Remarkably, the initial story on the Sunburst backdoor by FireEye was not the only exploit that SolarWinds faced. Since then, there have been two separate malware strains identified. We break this down in several of the following sections.
FireEye Initial Release on Sunburst Malware and Teardrop Loader
On December 13th, 2020 FireEye released a report on a SolarWinds supply chain attack. Unbeknownst to SolarWinds, attackers had implanted a Trojan backdoor into the Orion software update code. Orion is a platform that hosts a suite of tools for monitoring IT infrastructure. Customers who updated their Orion Platform software between late February 2020 and June 2020 became a potential victim of the malware referred to as Sunburst. The attackers then used a second-stage payload, Teardrop, on organizations they considered high-value targets. The Teardrop malware then loaded Cobalt Strike, a hacking toolkit designed for security professionals but that has since grown in popularity and use by malicious actors.
Victims and Targets
Last month SolarWinds disclosed the impact of the breach. Upward of 18,000 SolarWinds customers downloaded the compromised Orion update. Major companies and United States agencies were among those. A few to note: Department of Homeland Security, Department of State, Department of Justice, Microsoft, FireEye, Cisco Systems, and VMware. It became clear that the attacker was seeking high-value targets for espionage.
Threat Actor
Advanced Persistent Threat (APT) actor, APT29, is considered the prime suspect in the SolarWinds breach. The significant effort put into evading detection as well as a strong understanding of SolarWinds infrastructure have led researchers to speculate that this attack was the work of a foreign government. Specifically, APT29 as their activities have been closely linked to Russian security agencies. Their actions have been attributed to many notable attacks such as the attacks on the Democratic National Committee in 2017 and the recent attempt to steal Covid-19 vaccine data in multiple countries.
C2 Domains
Responding with a quick turnaround after the breach announcement, Microsoft had the Command & Control (C2) server, avsvmcloud[.]com, transferred to them from GoDaddy. This domain communicated with the malware installed on the customers devices. Microsoft used this domain as a sinkhole where any infected devices of compromised SolarWinds customers would be identified based on their attempt to reach the C2 domain. An additional twenty or so domains were associated with Sunburst.
Government Agency Notices
While Microsoft acted on the C2 domains, multiple US security agencies began to publish updates and remediation steps for anyone affected by the breach. The Cybersecurity and Infrastructure Security Agency (CISA) published Alert AA20-352A on the details of the breach and have continued to update the page as new developments arrived. Additionally, CISA released mitigation steps with their Emergency Directive 21-01, and a companion alert, Alert AA21-008A, detailing how to detect threat activity in Microsoft 365 and Azure cloud environment. Among other publications was an advisory from the National Security Agency (NSA), and a joint statement from four US security agencies denouncing the attack by an APT group of Russian origins.
Supernova
In a continuation of new SolarWinds findings, researchers discovered an in-memory .NET webshell exploit named Supernova in SolarWinds Orion software. This time it came from a different threat actor. Distinctive choices on how the malware was deployed set it apart from the Sunburst supply chain attack. The differences in technique led researchers to consider involvement by second APT group, even though both took sophisticated measures to evade detection. Like the supply chain attack, the actions taken by the malware showed an understanding of the Orion software and knew how to remain hidden. The shell compiled and executed in memory which allowed it to run a .NET API in the binary. Multiple organizations documented this exploit such as Unit 42 blog at Palo Alto Networks and Volexity.
JetBrains
News broke by The New York Times that TeamCity software, a product of JetBrains, may have been used as a vector for the attackers to gain access to SolarWinds. This announcement came as a surprise to the JetBrains CEO, Maxim Shafirov, who published an update that they had not been aware of any compromise in their software. JetBrains is based in Russia which has led some to believe this was the origin of the accusation. This simply isn’t deserving of an accusation, especially since JetBrains is a well-regarded company and used among the largest tech companies in the world. TeamCity software should not be considered compromised until credible evidence is provided.
Sunspot Implant and Raindrop Loader
Discoveries abound! Crowdstrike published their findings on a third malware related to the supply chain attack. This malware was found in the SolarWinds build server. Sunspot would track build commands and replace the source code before compilation with files containing Sunburst malware. The malware-laden Orion software then moved from the development stage to production where customers would download the update. Symantec discovered a fourth malware in connection to the supply chain. Going by the name Raindrop, it had many similar qualities to Teardrop, such as that it acted as loader for a Cobalt Strike payload. There are differences between Teardrop and Raindrop, most significant is the unknown origins with how Raindrop landed on the victim machines. Teardrop delivery was more clear-cut as it was deployed from Sunburst.
SolarWinds has yet to determine how the initial malware entered on their infrastructure. With tech heavyweights such as Microsoft, Crowdstrike, and FireEye, researching this attack we can expect to learn more. Microsoft published an in-depth article just last week. Additionally, former CISA director Chris Krebs’ new consultancy group, Krebs Stamos Group, has been hired to consult. The real question is, who will be the first to cash-in publishing a book on this extraordinary supply chain attack?