SolarWinds Compromise May Have Begun 5 Months Earlier Than Suspected

Updated on December 23, 2020

On December 17, 2020, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a follow-up alert regarding the SolarWinds/SUNBURST backdoor and compromises, stating, among other things, that such compromises began in at least March 2020. Available Open-Source Intelligence (OSINT) indicates attackers gained access to a software repository and used the access to distribute malware with legitimate updates.

However, research recently compiled by SecurityScorecard’s Investigation & Analysis team indicates that the SUNBURST malware (also referred to as Solarigate) was used as a trojanized backdoor into SolarWinds’ products as early as October 2019 and SolarWinds is still delivering compromised components.

3 key takeaways of SecurityScorecard’s research:

1. The discovery of malicious components as early as October 2019, 5 months earlier than previously identified.
2. As of December 18, 2020, SolarWinds download site is still delivering compromised components as evidenced by the presence of Indicators of Compromise (IOCs) within the most recent updates. See Figure 1.5. (Update: as of December 20, SolarWinds remediated the malicious component from their website)
3. The discovery that other tools also use the library (SolarWinds.Orion.Core.BusinessLayer.dll) that was modified such as the Network Configuration Management tool. SolarWinds has published a list of affected and non-affected products, to the extent that both are known.

The below analysis provides further details regarding this malware and the possible attack vectors.

SolarWinds was compromised as early as October 2019

An Advanced Persistent Threat (APT) actor is suspected to be responsible for the global cyber attack via SolarWinds, a US-based software company, who disclosed via an SEC filing on December 14, 2020, that up to 18,000 customers were running compromised software. SolarWinds’ customers include hundreds of companies in the Fortune 500, top U.S. telecommunications providers, top U.S. accounting firms, hundreds of universities and colleges, and multiple branches and agencies within the U.S. federal government.

The level of sophistication, access, and planning for this operation supports the fact that a nation-state attacker was responsible for this attack. The APT used SolarWinds’ Orion software as a distribution platform to target government agencies and other critical organizations. The attack itself, according to the analysis of specific components involved, indicates that the attackers made use of DLL injection techniques for stealth and persistence. Malicious binaries disguised as a DLL library [SolarWinds.Orion.Core.BusinessLayer.dll], were deployed as early as October 2019 (and thus 5 months earlier than March 2020 as currently identified).

Fig 1.1 – File Metadata indicating creation time (VirusTotal)

File creation properties for SolarWinds.Orion.Core.BusinessLayer.dll

This would suggest that the attacker conducted an operation lasting more than a year before FireEye’s discovery on December 13, 2020.

SUNBURST is still being distributed by SolarWinds

Alert/Update: As of December 20, 2020, SolarWinds remediated the malicious component from their website.

As of December 18, 2020, SUNBURST continues to appear in several legitimate update packages from SolarWinds that SecurityScorecard could confirm:

• SolarWinds-Core-v2019.4.5220-Hotfix5.msp (Core platform hot-fix)
• NcmInstaller.msi (Network Configuration Management Tool)
• NCM-2020.2.0.6162-NcmInstaller.msi (Network Configuration Management Tool)

Aside from the original hotfix file, there was another MSI installer file named NcmInstaller.msi that belongs to the Network Configuration Management Tool that is downloaded from hxxps://downloads.solarwinds.com/solarwinds/CatalogResources/NCM/2020.2/2020.2.0.6088/NcmInstaller.msi. As of December 18, 2020, this URL is still active serving this installer file with the malicious SUNBURST Trojan (f741c55254a7dd7b1481fa483cef153e885650b4c733eadfabfd3884816075e7).

Figure 1.2 – File METADATA or NCMINSTALLER.msi and SUNBURST Trojan (SolarWinds site and VirusTotal)

Active URL distributed Network Configuration Management Tool

File Creation Date

File bundle details for NcmInstaller.msi (VirusTotal)

Anti-Virus Detection for NcmInstaller.msi(VirusTotal)

In addition, SecurityScorecard ran YARA rules on the DLL file contained within the installer found to be hosted on the SolarWinds site as of December 18, 2020. The analysis indicated that it matched the SUNBURST rules. When SecurityScorecard began to dissect the sample further in the IDA disassembler we were able to locate and confirm the presence of these encoded functions.

YARA rule match on SolarWinds (found in NcmInstaller.msi – SolarWinds.Orion.Core.BusinessLayer.dll) – Analysis by SecurityScorecard

Malicious Function Offset (fnv_xor) – Analysis by SecurityScorecard

SUNBURST utilizes data-gathering functionalities to harvest and transmit compromised information from target networks. This methodology is scalable and supports global espionage programs administered by nation-state attackers to fulfill an objective. In this case, the attackers used the exploitation of third parties within the digital supply chain to reach internal environments of the targets.

Malicious component analysis

Observations of compile-time timestamps can provide valuable insight into when the malware first began to appear. From a threat analysis perspective, tracking variants based on unique properties within the file helps us to understand the genealogy of the modification. Our team did not find any evidence of timestamping of the binaries, which lends further credibility that the campaign may have begun in late 2019. In other public reporting, the March 2020 time-frame was established on the basis of when the components were created. We conducted a similar analysis to determine additional information about this campaign and how it began. Furthermore, what the October 2019 variants share is the below debug compile path, which is another interesting artifact as it is referred to where the code resides on disk. It is unclear if the source code was accessed by the attacker and recompiled with malicious code, or simply patched, however, the presence of a debug path and date stamp indicates the attackers had been modifying components since 2019. SecurityScorecard cannot rule out this possibility, given that the attackers had access to SolarWinds web servers in order to post malicious components.

Figure 1.3 – Debug Artifact: Compiler Path

C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb

In addition, the October 2019 samples share the following unique debug artifact known as a .NET GUID. This GUID value (76db1fee-2b5f-4ee0-a415-ce1c9d530bb3) can be used to pivot to other samples through malware repositories such as VirusTotal, however in this case the value is isolated to the October 2019 variants only. This potentially is the first test set of modified SolarWinds components that the attackers tampered with before deploying it to be part of the wide-scale attack. Furthermore, with additional modified components showing up in January 2020, the operation started well before the March 2020 time-frame first reported. Most of these components first began to appear in the wild (submissions to public repositories) in December 2020 when the compromise was first reported. This is interesting because for more than a year many of these modified versions of SolarWinds Orion DLL libraries remained undetected and unnoticed by many organizations around the world.

Figure 1.4 – SUNBURST implant creation timeline

Reference to some of the known SolarWinds Orion IOCs:

https://gist.github.com/ZephrFish/afb6a9c9eeef5cf37301e13d661e0347

The following is a debug artifact timeline from the SUNBURST Trojan (modified SolarWinds component). We can see in our analysis that there are five different values that indicate three different modified variants, with the earliest being October 2019. This can be used to establish a timeline that the adversary began to modify SolarWinds components back in October 2019 and continued to do so up until May 2020.

Figure 1.5 – Debug compiler artifacts for SolarWinds.Orion.Core.BusinessLayer.dll

Attack on the supply chain

The SolarWinds compromise has highlighted how even entities with the most advanced cyber defense capabilities are vulnerable to exploitation. On December 17, the U.S. National Security Agency issued an advisory describing how certain Microsoft services and products may have been compromised and directed users to lock down their systems. Companies everywhere should continuously monitor the digital assets associated with their supply chains to identify vulnerabilities, attack vectors, and other exploitable conditions that can lead to incidents such as data breaches, ransomware, or other cyber attacks.

The SolarWinds compromise occurred by modifying a legitimate software update package (known as a ‘hotfix’), and attackers then posted the modified software on the official SolarWinds update site. Organizations (i.e., SolarWinds’ customers) that downloaded and installed the hotfix, or other MSI files that referenced the hotfix, would subsequently download and install the infected software package.

This method of supply chain compromise, the breach of an official software update repository, hits at the heart of the trusted distribution process. The attackers compromised some portion of the SolarWinds network to gain access to the software repository and then modified the software update process by adding malicious components which then appeared on their official update website.

Figure 1.6 – Trojanized Installer Details

• Infected Filename: SolarWinds-Core-v2019.4.5220-Hotfix5.msp
• MD5: d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
• URL hosting malware: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp.

The file referenced in Figure 1.6 contains legitimate SolarWinds components, is hosted on the official SolarWinds software update repository, but also includes the SUNBURST backdoor in the form of a malicious DLL.

Figure 1.7 – DLL’s included with malicious SolarWinds update

• Malicious DLL Filename: SolarWinds.Orion.Core.BusinessLayer.dll
• Malicious DLL MD5: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
• Legitimate Certificate Signature: 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed
• Legitimate DLL Filename: SolarWinds.Orion.Core.BusinessLayer.dll.config
• Legitimate DLL MD5: efbec6863f4330dbb702cc43a85a0a7c29d79fde0f7d66eac9a3be43493cab4f

The attackers were able to sign the malicious DLL with a legitimate certificate and legitimate configuration file in order to appear authentic. This technique is fairly advanced and is usually an indication of a sophisticated attacker.

The following are representative illustrations:

Figure 1.8 – HOTFIX DIRECTORY (SecurityScorecard Analysis)

The trojanized SolarWinds file beacons to subdomains of “appsync-api.<region>.avsvmcloud.com”, where <region> can be us-east-1, us-east-2, eu-west-1, and us-west-2. This past week, Microsoft redirected the main domain “avsvmcloud.com” to their sinkhole servers to operate as a “kill switch.” These subdomains are used for the first stage of communication. The second stage of communication is done with the domain or IP address stored by the attackers in the CNAME record of the corresponding subdomain. The following domain names were observed in the CNAME records of the first stage domains:

Figure 1.9 – SUNBURST C2 Domains

• freescanonline[.]com
• deftsecurity[.]com
• thedoccloud[.]com
• websitetheme[.]com
• highdatabase[.]com
• incomeupdate[.]com
• databasegalore[.]com
• panhardware[.]com
• Zupertech[.]com
• Virtualdataserver[.]com
• digitalcollege[.]org

Webshell – SuperNova

Other components involved in the attack also used a .NET webshell component known as SuperNova. This file masqueraded as a legitimate SolarWinds web service handler (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71). The webshell was created 3/24/2020 with the original filename of App_Web_logoimagehandler.ashx.b6031896.dll.

Figure 2 – HTTP query inspection (analysis from SecurityScorecard)

We can track additional variants of this component based on the .NET module ID, in this case there are only two variants in existence. These variants were compiled in March 2020 based on their compile time-stamps.

Figure 2.1 – Unique .NET Module ID for SUPERNOVA (VirusTotal)

Exposed SolarWinds servers

An external network scan reveals a large number of potential IPs that may be running SolarWinds Orion based on exposed services. What this means is that the IP addresses are indicating public-facing SolarWinds servers, which is one way to determine the impact of this attack. Once identified, we fed several of the confirmed IP addresses into our security ratings platform to alert our customers that their vendors may be running an impacted version of SolarWinds.

Below is an illustrative data sampling of the identified IPs in the United States, indicating over 600 unique IPs in total.

Figure 2.2 – Public Facing SolarWinds Servers (Shodan.io)

Discovering victims

Although the subdomains of “appsync-api.<region>.avsvmcloud.com” seem randomly generated and were initially considered to be generated by a Domain Generation Algorithm (DGA), they encode the domain name of the compromised Orion server. The decoding algorithm was provided by the RedDrip team from the Chinese Security Vendor QiAnXin Technology. For example, given the domain s67olf26av187hp6vwonou0be2h.appsync-api.us-west-2.avsvmcloud.com, the decoder extracts from the subdomain “s67olf26av187hp6vwonou0be2h” the domain name “nvidia.com”. In order to collect a list of compromised companies, it is possible to collect domain names contacted by SUNBURST from passive DNS sources and decode their subdomains.

We decoded the list of 1700 subdomains provided by Bambenek Consulting, but we also gathered other domains from Passive DNS sources. Based on the data collected, we put together a partial illustration of the various industries impacted by the SolarWinds compromise:

Figure 2.3 – Partial Industry Victimology for Sunburst Trojan (analysis generated by SecurityScorecard)

Additional Indicators of Compromise

Filenames

• App_Web_logoimagehandler.ashx.b6031896.dll
• NCM-2020.2.0.6162-NcmInstaller.msi
• NcmInstaller.msi

URLs

• hxxps://downloads.solarwinds.com/solarwinds/CatalogResources/NCM/2020.2/2020.2.0.6088/NcmInstaller.msi

MITRE ATT&CK Techniques

• Execution: Scheduled Task / Job
• Persistence: Scheduled Task / Job
• Privilege Escalation: Scheduled Task / Job
• Credential Access: Input Capture
• Discovery: Security Software Discovery
• Collection: Input Capture

About the Author

Ryan Sherstobitoff is a Vice President at SecurityScorecard and head of Cyber Threat Research & Intelligence. He has particular expertise in targeted attacks and advanced persistent threats, and was previously with McAfee Corporation where he led and contributed to nation state threat research and analysis. Ryan has spent over a decade tracking nation state adversaries, collaborating with government and law enforcement agencies around the world. Ryan leads SecurityScorecard’s Threat Intelligence and Investigations & Analysis teams which is responsible for investigating targeted breaches and other high-profile incidents. Ryan can be contacted at [email protected]

Click here to download the entire blog in PDF form.