On Monday, we detailed a major incident in which the software company SolarWinds had been compromised and used to execute a supply-chain attack on the company’s customers. Since this initial revelation, the scale of the incident has become clearer, and several other incidents have been linked to the threat actor behind this campaign. The attack, as suspected, was widespread and has affected many organisations, although the full impact and repercussions are still unclear. This further information has allowed us to provide more specific guidance on the impact and mitigation of attacks linked to this campaign.
The campaign shows that the threat actor behind it was advanced in terms of their operational and technical ability and had launched an extraordinarily ambitious campaign on an exceptionally large scale to gain access to high-value networks.
SolarWinds supply IT infrastructure management software to help businesses look after their networks. In a press release issued on 13 December, the firm said it had experienced a “highly sophisticated, manual supply chain attack on SolarWinds Orion Platform”. Software updates released between March and June 2020 were tampered with and malware inserted.
A technical analysis of the campaign was released by US cybersecurity company FireEye who have strongly implied they were themselves a victim of this same campaign.
Scale of the attacks
As the details of the incident initially emerged, the scale of the impact was not known. SolarWinds claims to have over 300,000 customers, including some very sensitive US government clients: entities from the military, the US intelligence community and many other departments.
On 14 December 2020, SolarWinds made a Securities and Exchange Commission (SEC) filing stating that they believed the number of customers who had downloaded the tainted updates to be fewer than 18,000. Although this is a fraction of the 300,000 customers, it is a significant number of potential victims, and downloading the update is only the first stage: the attacker chose which of those networks to pursue further.
An expanded list of possible victims has also now emerged, including the US Department of Commerce's National Telecommunications and Information Administration (NTIA), the Department of Health and Human Services' National Institutes of Health (NIH), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS) and the US Department of State.
Symantec revealed that over 2,000 computers at more than 100 of its customers had also received the tainted update, but that its investigations had not yet revealed any further action from the attackers once the initial malware had been downloaded.
Chinese cybersecurity company QiAnXin Technology also generated a list of domains by analysing the attacker infrastructure and Domain Name System (DNS) records. This essentially allowed the “reverse engineering” of a list of potential victims. They discovered nearly a hundred domains of suspected victims including universities, governments, and high-tech companies. Microsoft has also “sinkholed” (diverted and captured) traffic from some of the attacker infrastructure, which will potentially aid in identifying further victims.
Since the initial discovery, multiple security vendors have disclosed details of post-compromise activity which followed the deployment of the malicious Orion update. Microsoft has reported that in some cases the threat actors have compromised domain administrator credentials and created new privileged accounts in order to maintain persistence. Microsoft reported that in some networks the attackers also successfully compromised SAML (Security Assertion Markup Language) token signing certificates, allowing them to impersonate privileged users.
Security vendor Volexity also subsequently linked incidents they dealt with to the same threat actor, which they have called “Dark Halo”.
Two of these incidents targeted the same unnamed think tank, where the attacker remained undetected for “several years,” indicating that this threat actor is long-established. The attackers exploited a vulnerability in the organisation’s Microsoft Exchange Control Panel and used a “novel technique” to circumvent Duo multi-factor authentication (MFA) to access a user's mailbox via Outlook Web App (OWA). The attackers' aim was to steal the email communications of employees involved in IT, policy and senior leadership.
Detection and mitigation advice
Our general advice still stands, although we have provided some further advice below as a result of the newly reported post-compromise activity.
Organisations which have run SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 at any time since 24 March 2020 should treat hosts running this software as compromised and immediately isolate them from their networks until further investigation can be completed. If deployment of the malicious Orion component is confirmed, these hosts should be wiped and rebuilt using the latest version of Orion (2020.2.1 HF2). Credentials used with or stored on SolarWinds systems and on these hosts during this timeframe should also be assumed to have been compromised, so should be revoked and reissued. Given the reports of SAML token-signing certificates being stolen, organisations that find evidence of post-compromise activity should also consider rotating those signing certificates (for example on AD FS servers) and invalidating tokens issued under the old ones; resetting passwords alone does not revoke forged tokens.
The following actions are then advised to investigate further:
- Examine hosts running SolarWinds Orion and check for the presence of the file “SolarWinds.Orion.Core.BusinessLayer.dll” with the MD5 hash “b91ce2fa41029f6955bff20079468448”. If present, this confirms that the trojanised Orion component was deployed on that host. Note that this is the hash of one trojanised build; other tainted versions carry different hashes, so a non-matching hash on its own does not clear the host.
- Check for the presence of “C:\WINDOWS\SysWOW64\netsetupsvc.dll” on hosts running SolarWinds Orion. This location has been identified by the UK NCSC as a deployment point for second-stage payloads in this campaign.
- In addition, or where the hash check is inconclusive, run the YARA rules developed by FireEye on hosts running SolarWinds Orion to detect the presence of the malicious component.
- Deploy the Snort rules developed by FireEye to detect C2 traffic patterns for the malicious SolarWinds Orion component.
- Check across the entire network for DNS look-ups and outbound traffic to malicious domains identified by FireEye.
- Deploy the Snort rules developed by FireEye to detect Cobalt Strike BEACON C2 traffic.
- Review activity logs for accounts associated with administration of hosts running SolarWinds Orion for evidence of malicious or anomalous usage.
- Review Windows Event logs on Domain Controllers for evidence of Kerberoasting attempts: service-ticket requests (Event ID 4769) using RC4 encryption (ticket encryption type 0x17) for service accounts other than krbtgt and machine accounts are the usual indicator.
- Audit domain privileged user accounts for newly created or undocumented accounts.
- Audit usage of privileged accounts for anomalous behaviour.
- Until the wider impact of the SolarWinds compromise is known, consider pausing updates to SolarWinds products and investigating other hosts running SolarWinds products as potentially also compromised.
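The host and Domain Controller checks above can be scripted so they are run the same way on every Orion host and every DC. The PowerShell script below is an added example written for this page; it is not from the original advisory, SolarWinds, FireEye or the NCSC. It assumes the default Orion install path (adjust $OrionRoot if yours differs), uses a placeholder $SuspectDomains list that must be replaced with the domains FireEye published, and reads the local Security log, so the Kerberos and account checks only return results when run on a Domain Controller. The hash and the SysWOW64 path are the ones quoted above.

```powershell
#Requires -RunAsAdministrator
<#
  Added triage script for the hunt steps above; not from the advisory, SolarWinds,
  FireEye or NCSC. Assumptions (labelled): $OrionRoot is the default Orion 2020.x
  install path; $SuspectDomains is a placeholder to replace with FireEye's list;
  the Security-log checks are meaningful only on a Domain Controller.
#>
param(
    [string]   $OrionRoot      = 'C:\Program Files (x86)\SolarWinds\Orion',  # assumption: default path
    [string[]] $SuspectDomains = @('replace-with-fireeye-list.invalid'),     # placeholder, not a real IOC
    [datetime] $Since          = (Get-Date '2020-03-24')                      # first tainted build
)

$KnownBadMd5    = 'b91ce2fa41029f6955bff20079468448'     # SUNBURST DLL hash quoted in the advisory
$SecondStageDll = 'C:\WINDOWS\SysWOW64\netsetupsvc.dll'  # second-stage drop path reported by NCSC

function New-Finding([string]$Check, $Where, [string]$Detail, [bool]$Suspicious) {
    [pscustomobject]@{ Check = $Check; Where = $Where; Detail = $Detail; Suspicious = $Suspicious }
}

# Flatten a Security-log event's <EventData> into a name -> value hashtable.
function Get-EventData($Event) {
    $d = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

$findings = @()

# 1. Trojanised Orion component. Hash every copy of the DLL, not just the first one
#    found. A non-matching hash is not a clean bill of health: other tainted builds
#    carry different hashes, so FireEye's YARA rules still need to be run.
$dlls = Get-ChildItem -Path $OrionRoot -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue
foreach ($dll in $dlls) {
    $md5 = (Get-FileHash -Path $dll.FullName -Algorithm MD5).Hash.ToLower()
    $findings += New-Finding 'SUNBURST DLL hash' $dll.FullName $md5 ($md5 -eq $KnownBadMd5)
}

# 2. Second-stage payload location reported by NCSC.
$findings += New-Finding 'Second-stage DLL' $SecondStageDll 'file present' (Test-Path $SecondStageDll)

# 3. DNS client lookups of suspect domains since the first tainted update. The
#    Microsoft-Windows-DNS-Client/Operational log is off by default; if it is empty,
#    run the same match over resolver or proxy logs instead.
$dnsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($ev in $dnsEvents) {
    foreach ($domain in $SuspectDomains) {
        if ($ev.Message -match [regex]::Escape($domain)) {
            $findings += New-Finding 'DNS lookup' $ev.TimeCreated $domain $true
        }
    }
}

# 4. Kerberoasting: service-ticket requests (4769) asking for RC4-HMAC (0x17).
#    Current Windows clients request AES; RC4 requests for ordinary service accounts
#    (not krbtgt, not machine accounts ending in $) are the classic signature.
$tgs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($ev in $tgs) {
    $d   = Get-EventData $ev
    $svc = $d['ServiceName']
    if ($d['TicketEncryptionType'] -eq '0x17' -and $svc -ne 'krbtgt' -and $svc -notlike '*$') {
        $findings += New-Finding 'Kerberoast candidate (4769 RC4)' $ev.TimeCreated "$($d['TargetUserName']) requested $svc from $($d['IpAddress'])" $true
    }
}

# 5. Accounts created (4720) and members added to security-enabled groups
#    (4728 global, 4732 local, 4756 universal) since the first tainted update.
#    Every hit is listed; reconcile against your change records.
$acct = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($ev in $acct) {
    $d = Get-EventData $ev
    $detail = if ($ev.Id -eq 4720) { "account $($d['TargetUserName']) created" } else { "$($d['MemberName']) added to group $($d['TargetUserName'])" }
    $findings += New-Finding "Account change ($($ev.Id))" $ev.TimeCreated "$detail by $($d['SubjectUserName'])" $true
}

# Show what needs a human, and keep the full record (including negative results)
# for the incident file.
$findings | Where-Object Suspicious | Format-Table -AutoSize
$findings | Export-Csv -Path ".\orion-triage-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it from an elevated prompt on each Orion host (file checks) and on each Domain Controller (event checks), and keep the CSV from every host: a hash that does not match and an empty netsetupsvc.dll check are still evidence worth recording, but only the YARA and Snort rules, plus review of the privileged-account activity, can turn “update downloaded” into “host not used by the attacker”.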