SolarWinds Orion Supply-chain Compromise

SolarWinds' widely used Orion IT platform has been the subject of a supply-chain compromise by an unidentified threat actor. The attack appears to have begun in March this year, with the attacker dropping the SUNBURST backdoor on SolarWinds customers around the world.


Affected platforms

The following platforms are known to be affected:

SolarWinds Orion Versions: 2019.4 HF 5, 2020.2 (w/o hot fixes), and 2020.2 HF 1


Threat details

Introduction

SolarWinds has announced that they have been the subject of a sophisticated supply-chain compromise affecting their Orion IT monitoring and management platform. The attack appears to have been ongoing since Spring this year, and is assumed to have delivered the SUNBURST backdoor to SolarWinds customers in multiple industries worldwide.

Vulnerable Orion components

SolarWinds has stated that the following Orion platform components are affected by the compromise:

  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module (DPAIM)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • NetFlow Traffic Analyzer (NTA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

SolarWinds compromise

At the time of publication, SolarWinds has only stated that the attack appears to have begun in March 2020, with compromised Orion products being delivered to customers through June. Investigations by both FireEye and Microsoft suggest a highly targeted human-operated attack by a technically proficient threat actor, likely to be a nation-state advanced persistent threat.

The attackers appear to have compromised all parts of SolarWinds' internal Orion environment, allowing them full access to produce, deploy, and manage malicious payloads using SolarWinds infrastructure.

FireEye also reports that the attack on their own systems at the beginning of December was the result of their use of affected Orion software, raising the possibility of the Russian-affiliated APT29 being the perpetrator.


SUNBURST backdoor

SUNBURST (AKA Solorigate) is the tracking name for a trojanized version of the SolarWinds.Orion.Core.BusinessLayer.dll plugin used by all Orion instances. Once delivered, it lies dormant for up to 14 days before retrieving commands from its operators, which include terminating services, transferring or executing files, collecting system information, or rebooting the system.

All SUNBURST instances are digitally signed using SolarWinds certificates, use the Orion Improvement Program protocol for network traffic, and store extracted data in legitimate Orion plugin files. This makes it exceptionally difficult to detect on affected systems, as it is effectively indistinguishable from normal Orion plugin behaviour.


Threat updates

24 Mar 2021 - SilverFish sandbox testing

New reports indicate that one of the groups involved in the SolarWinds compromise is using compromised systems as a testing environment for new tools.

The group, known as SilverFish, has been observed dropping previously undetected exploits and malware onto systems. They then deploy these tools and extract system information, presumably to examine for flaws or errors in their tools.

21 Jan 2021 - Raindrop Cobalt Strike dropper identified

SolarWinds researchers have discovered a fourth tool used in the Orion compromise, called Raindrop.

Much like the previously spotted Teardrop implant, Raindrop appears to be used to deliver Cobalt Strike beacons for later use.

12 Jan 2021 - SUNSPOT implant

CrowdStrike researchers have discovered a third implant, named SUNSPOT, in the SolarWinds compromise.

SUNSPOT appears to have been deployed in SolarWinds' internal development environments so that the attackers could inject SUNBURST into the vulnerable Orion components.

11 Jan 2021 - SolarWinds investigation results

SolarWinds published new findings from their ongoing investigation of their own and their customers' networks.

The findings indicate the attackers breached SolarWinds networks as far back as September 2019, spending almost 5 months performing test code injections before first deploying SUNBURST in February 2020.

6 Jan 2021 - CISA details password guessing attacks

New findings from the US Cybersecurity and Infrastructure Security Agency (CISA) indicate the SolarWinds attackers used password-guessing and password-spraying attacks to initially gain access to SolarWinds networks.

4 Jan 2021 - SUPERNOVA webshell discovered

Researchers from Unit 42 and GuidePoint have discovered a secondary malware, called SUPERNOVA, that attempts to exploit the SolarWinds compromise.

SUPERNOVA is a C# webshell that appears to have been created by an entity separate from SUNBURST's creator.

17 Dec 2020 - SUNBURST domain seizure

The domain used in SUNBURST's domain generation algorithm to resolve C2 servers has been seized, preventing infections from progressing beyond the first stage.

According to Microsoft, they, along with FireEye and GoDaddy, seized the avsvmcloud[.]com domain on December 15th and redirected it to their own infrastructure to act as a killswitch. As a result, all new or existing SUNBURST infections that are still beaconing to avsvmcloud[.]com subdomains will be disabled.


Remediation advice

Affected organisations are required to review SolarWinds' security advisory and update to the following Orion versions immediately:

  • 2020.2.1 HF 2 - if using 2020.2 (w/o hotfixes) or 2020.2 HF 1
  • 2019.4 HF 6 - if using 2019.4 HF 5

Additionally, SolarWinds recommends that all affected organisations update to the latest Orion release (2020.2.1 HF 2), as this provides additional security enhancements.

Update packages can be found at the SolarWinds customer portal.

Organisations are also encouraged to review the SolarWinds Orion Platform secure configuration guide and implement its recommendations in order to mitigate any potential SUNBURST exploitation.


Indicators of compromise

Network indicators

Domains

SUNBURST uses a domain generation algorithm (DGA) to construct and resolve subdomains of avsvmcloud[.]com in order to receive commands. These subdomains are concatenated with one of the following to generate hostnames:

  • .appsync-api.eu-west-1.avsvmcloud[.]com
  • .appsync-api.us-west-2.avsvmcloud[.]com
  • .appsync-api.us-east-1.avsvmcloud[.]com
  • .appsync-api.us-east-2.avsvmcloud[.]com

The following domains are typical of SUNBURST's DGA implementation:

  • 6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
  • 7sbvaemscs0mc925tb99[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
  • gq1h856599gqh538acqn[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
  • ihvpgv9psvq02ffo77et[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com
  • k5kcubuassl3alrf7gm3[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
  • mhdosoksaccf9sni9icp[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
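The hostname shape described above (a generated label prepended to one of the four avsvmcloud[.]com suffixes) can be checked directly against DNS query logs. The following is an added example, not part of this advisory or any SolarWinds tooling; the log line format, the client addresses and the accepted label length (10 to 40 lowercase alphanumerics) are assumptions. Because the seized domain now resolves to a sinkhole, a query for it is still a compromise indicator even though the connection no longer reaches the operators.

```python
import re
from typing import Iterable, List, Tuple

# The four hostname suffixes listed in the advisory, with the de-fanged
# brackets removed so they match what actually appears in DNS logs.
SUNBURST_SUFFIXES = (
    ".appsync-api.eu-west-1.avsvmcloud.com",
    ".appsync-api.us-west-2.avsvmcloud.com",
    ".appsync-api.us-east-1.avsvmcloud.com",
    ".appsync-api.us-east-2.avsvmcloud.com",
)

# High-confidence DGA shape: one lowercase alphanumeric label followed by a
# listed suffix. The 10-40 length window is an assumption based on the
# 20-character samples in the advisory, widened to avoid brittle matching.
_DGA_RE = re.compile(
    r"^[a-z0-9]{10,40}(?:"
    + "|".join(re.escape(s) for s in SUNBURST_SUFFIXES)
    + r")$"
)


def classify_hostname(hostname: str) -> str:
    """'dga' for a SUNBURST DGA-shaped name, 'domain' for any other name
    under avsvmcloud.com (still an indicator), otherwise 'clean'."""
    h = hostname.strip().lower().rstrip(".")
    if _DGA_RE.match(h):
        return "dga"
    if h == "avsvmcloud.com" or h.endswith(".avsvmcloud.com"):
        return "domain"
    return "clean"


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan 'timestamp client qname qtype' lines (assumed format) and return
    (client, hostname, verdict) for every non-clean query."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than guess
        client, qname = parts[1], parts[2]
        verdict = classify_hostname(qname)
        if verdict != "clean":
            hits.append((client, qname.lower().rstrip("."), verdict))
    return hits


# Constructed sample log: one DGA query (domain taken from the advisory's
# sample list), one legitimate vendor lookup, one bare-domain lookup, and an
# AWS AppSync name that must NOT be flagged despite the similar prefix.
SAMPLE_DNS_LOG = [
    "2020-12-14T09:12:01Z 10.20.30.5 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A",
    "2020-12-14T09:12:02Z 10.20.30.6 downloads.solarwinds.com A",
    "2020-12-14T09:12:03Z 10.20.30.7 avsvmcloud.com NS",
    "2020-12-14T09:12:04Z 10.20.30.8 appsync-api.us-east-1.amazonaws.com A",
]
```

A 'dga' hit identifies a host that should be treated as running a trojanized Orion build and isolated for investigation; a 'domain' hit warrants a closer look at that client's traffic.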



Last edited: 24 March 2021 12:49 pm