fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

The SolarWinds Cyberattack: The Hack, The Victims, And What We Know

The SolarWinds Cyberattack: The Hack, The Victims, And What We Know

Since the SolarWinds supply chain attack was disclosed last Sunday, there has been a whirlwind of news, technical details, and analysis released about the hack.

Because the amount of information that was released in such a short time is definitely overwhelming, we have published this as a roundup of this week’s SolarWinds news.

The information is distilled into a format that will hopefully explain the attack, who its victims are, and what we know to this point.

The SolarWinds supply chain attack

While we learned of SolarWind’s attack on December 13th, the first disclosure of its consequence was made on December 8th when leading cybersecurity firm FireEye revealed that it was hacked by a nation-state APT group. As part of this attack, the threat actors stole Red Team assessment tools that FireEye uses to probe its customers’ security.

It was not known how the hackers gained access to FireEye’s network until Sunday, December 13th, 2020, when MicrosoftFireEyeSolarWinds, and the U.S. government issued a coordinated report that SolarWinds had been hacked by state-sponsored threat actors believed to be part of the Russian S.V.R.

One of SolarWinds’ customers who was breached in this attack is FireEye.

As part of the attack, the threat actors gained access to the SolarWinds Orion build system and added a backdoor to the legitimate SolarWinds.Orion.Core.BusinessLayer.dll DLL file. This DLL was then distributed to SolarWinds customers in a supply chain attack via an automatic update platform used to push out new software updates.

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

SolarWinds supply chain attack
Source: Microsoft

This DLL backdoor is known as SunBurst (FireEye) or Solarigate (Microsoft, and is loaded by the SolarWinds.BusinessLayerHost.exe program. Once loaded, it will connect back to the remote command & control server at a subdomain of avsvmcloud[.]com to receive “jobs,” or tasks, to execute on the infected computer.

The backdoor’s command control server’s DNS name is created utilizing a domain generation algorithm (DGA) to create an encoded subdomain of avsvmcloud[.]com. FireEye states that the subdomain is created by “concatenating a victim userId with a reversible encoding of the victims local machine domain name,” and then hashed. For example, a subdomain used in this attack is ‘1btcr12b62me0buden60ceudo1uv2f0i.appsync-api.us-east-2[.]avsvmcloud.com.’

It is unknown what tasks were executed, but it could be anything from giving remote access to the threat actors, downloading and installing further malware, or stealing data.

Microsoft published a technical writeup on Friday for those interested in the technical aspects of the SunBurst backdoor.

report by Kim Zetter released Friday night indicates that the threat actors may have performed a dry run of the distribution method as early as October 2019. During this dry run, the DLL was distributed without the malicious SunBurst backdoor.

After the threat actors began distributing the backdoor in March 2020, researchers believe that the attackers have been silently sitting in some of the compromised networks for months while harvesting information or performing other malicious activity.

Zetter’s report stated that FireEye eventually detected they were hacked after the threat actors registered a device to the company’s multi-factor authentication (MFA) system using stolen credentials. After the system alerted the employee and the security team of this unknown device, FireEye realized that they had been compromised.

The hackers behind the SolarWinds attack

FireEye is currently tracking the threat actor behind this campaign as UNC2452, while Washington-based cybersecurity firm Volexity has linked this activity to a threat actor it tracks under the Dark Halo moniker.

Volexity says that Dark Halo actors have coordinated malicious campaigns between late 2019 and July 2020, targeting and successfully compromising the same US-based think tank three times in a row.

“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years,” the company said.

In the second attack, after being cast out from the victim’s network, Dark Halo leveraged a newly disclosed Microsoft Exchange server bug that helped them to circumvent Duo multi-factor authentication (MFA)  defenses for unauthorized email access via the Outlook Web App (OWA) service.

During the third attack targeting the same think tank, the threat actor used the SolarWinds supply chain attack to deploy the same backdoor Dark Halo used to breach FireEye’s networks and several U.S. government agencies.

Unconfirmed media reports have also cited sources linking the attacks to APT29 (aka Cozy Bear), a state-sponsored hacking group associated with the Russian Foreign Intelligence Service (SVR).

Researchers, including FireEye, Microsoft, or Volexity, have not attributed these attacks to APT29 at this time.

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

The Russian Embassy in the USA reacted [12] to these media reports saying that they were an “unfounded attempt of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies.”

Russia does not conduct offensive operations in the cyber domain,” the Embassy added.

While Russia continues to deny these attacks, Secretary of State Mike Pompeo stated in an interview released Friday night that it is “pretty clear” that Russia was behind that attack.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo told radio host Mark Levin.

The victims of the attack

Researchers believe that the malicious DLL was pushed out to approximately 18,000 customers as part of this attack. The threat actors, though, only targeted organizations that they perceived as ‘high value,’ so even though some of these customers may have received the DLL, it is unknown if they were actively targeted in further attacks.

The currently known list of organizations that were hit by the SolarWinds supply chain attack include:

Microsoft has also identified and notified more than 40 of its customers affected by this attack but has not disclosed their names. They state that 80% of the victims were from the U.S., and 44% were in the IT sector.

SunBurst victims by sector

Based on the decoding of subdomains generated by the malware domain generation algorithm (DGA), many well-known companies may disclose targeted attacks at a later date.

Decoded backdoor command & control server subdomains
Source: RedDrip Team

What are security firms doing to protect victims

Since the cyberattack has been disclosed, security firms have been adding the malicious SunBurst backdoor binaries to their detections.

While Microsoft was already detecting and alerting customers of malicious SolarWinds binaries, they were not quarantining them out of concern it could affect an organization’s network management services. On December 16th, at 8:00 AM PST, Microsoft Defender began quarantining detected binaries even if the process is running. 

Microsoft, FireEye, and GoDaddy also collaborated to create a kill switch for the SunBurst backdoor distributed in the SolarWinds hack.

When the malicious binaries attempt to contact the command & control servers, they will perform DNS resolution to get the IP address. If this IP address is part of certain IP ranges, including ones owned by Microsoft, the backdoor will terminate and prevent itself from executing again.

To create the kill switch, GoDaddy created a wildcard DNS resolution so that any subdomain of avsvmcloud[.]com resolves to the IP address 20.140.0.1, which belongs to Microsoft and is on the malware’s blocklist. This wildcard resolution is illustrated by a DNS lookup for a made-up subdomain, as shown below.

Wildcard DNS resolution

As this IP address is part of the malware’s blocklist, when it connects to any subdomain of avsvmcloud[.]com, it will unload and no longer execute.

While this kill switch will disable SunBurst backdoor deployments connecting the command & control servers, FireEye has stated the threat actors may have deployed other backdoors.

“However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SunBurst backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult to for the actor to leverage the previously distributed versions of SunBurst,” FireEye warned about the kill switch,” FireEye told BleepingComputer in a statement.

How to check if you were compromised

If you are a user of SolarWinds products, you should immediately consult their advisory and Frequently Asked Questions as it contains necessary information about upgrading to the latest ‘clean’ version of their software.

Microsoft has also published a list of nineteen malicious SolarWinds.Orion.Core.BusinessLayer.dll DLL files spotted in the wild.

This list, shown below, contains a file’s SHA256 hash, the file version, and when it was first seen. 

SHA256File VersionDate first seen
e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d2020.2.100.11713February 2020
a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e22020.2.100.11784March 2020
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c772019.4.5200.9083March 2020
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b2020.2.100.12219March 2020 
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed2020.2.100.11831March 2020
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77Not availableMarch 2020
ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8 2019.4.5200.9065 March 2020
b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f6662019.4.5200.9068 March 2020
20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd92019.4.5200.9078 March 2020
0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead65575892019.4.5200.9078 March 2020
cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 2019.4.5200.9083 March 2020
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c2020.4.100.478April 2020
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b01342020.2.5200.12394April 2020
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d62020.2.5300.12432May 2020
2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d2019.4.5200.9078 May 2020
92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b626902020.4.100.751 May 2020
a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2dNot available Not available 
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc2019.4.5200.8890October 2019
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af2019.4.5200.8890October 2019

Finally, security researchers have released various tools that allow you to check if you were compromised or what credentials were stored in your SolarWinds Orion installation.

The source code for both projects is published to GitHub. You are strongly encouraged to review the source code, if available, of any program you plan to run on your network.

Additional reporting by Sergiu Gatlan and Ionut Ilascu.

Update 12/19/20: Added Cisco to the victim list.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us