Tag: Orion | blog.L4networks.com

SolarWinds: New strain of backdoor malware found in probe

As reported by our friend at The Register here

Another form of malware has been spotted on servers backdoored in the SolarWinds’ Orion fiasco.

The strain, identified as SUNSHUTTLE by FireEye, is a second-stage backdoor written in Go which uses HTTPS to communicate with a command-and-control server for data exfiltration, adding new code as needed. Someone based in the US, perhaps at an infected organization, uploaded the malware to a public malware repository in August last year for analysis, well before the cyber-spying campaign became public.

Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, warned it could take 18 months to clean up this mess, and that’s looking increasingly likely.

Facts about the SolarWinds Hack & Related Breaches

Firstly, L4 Networks does not use Solarwinds for remote access as many MSPs (Managed Service Providers) do. We long ago thought it was too insecure and felt the company’s security was very poorly managed.

Solarwinds Orion requires a windows server to run which many provision use a cloud service. Orion is Solarwinds’ bundle of the company’s network security products.

Security Researcher Reveals SolarWinds’ Update Server Was ‘Secured’ With The Password ‘solarwinds123

In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.

One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

“This could have been done by any attacker, easily,” Kumar said.

Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.

Others – including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress – noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

The firm has long mooted the idea of spin-off of its managed service provider business and on Dec. 9 announced that Thompson would be replaced by Sudhakar Ramakrishna, the former chief executive of Pulse Secure. Three weeks ago, SolarWinds posted a job ad seeking a new vice president for security; the position is still listed as open. Source: Reuters
CISA [DHS Cybersecurity and Infrastructure Security Agency] issued an advisory & directives. They advised customers to power-down SolarWinds software. They also were victims. See: CISA Emergency Directive 21-01

SolarWinds advised customers to disable anti-malware when installing their products. “Orion Install/Upgrade/Migration – TIPS: Before you start…Disable Anti-Virus or any other scanning software if applicable.” See https://support.solarwinds.com/SuccessCenter/s/article/Orion-Install-Upgrade-Migration-TIPS-Before-you-start?language=en_US. But it gets worse. They wanted you to leave it off. The document is behind their support “pay wall” but a reference to it can be seen here:

Security Team is asking me why SolarWinds recommends excluding certain directories from av scanning.

I was asked why does C:\Program Files (x86)\Microsoft SQL Server\ need to be excluded from av scans on the app server. I was also asked whether it would be ok to exclude just the solarwinds subdirectory in the NTA directory. So my NTA data is on f:\programdata\solarwinds subdirectory and I was asked whether we can exclude the scanning on f:\programdata\solarwinds subdirectory instead. I originally asked to exclude the whole f:\ directory from av scanning but this isn’t the safest option. As I keep reading the list of directories to exclude it looks like I need the whole f:\ excluded.

What are your thoughts???

***The directories to exclude were listed on Antivirus directory exclusions for NPM – SolarWinds Worldwide, LLC. Help and Support ***

Source: https://thwack.solarwinds.com/t5/Announcements-Discussions/SolarWinds-AntiVirus-Exclusions/m-p/303243

[Comment: Never do this for any install and never leave it off. Such stupid advice from SolarWinds! ]

SolarWinds finally revoked the digital certificates for their RMM (Remote Monitoring and Management) and PSA (Professional Services Automation ) software tools. They did this but also claimed there was no evidence these were vulnerable, something we find not credible given how poor the company’s security practices were. In fact many MSPs that use SolarWinds have installed trial versions of the Orion software which contained vulnerabilities.

FireEye reported on 13 December 2020 that the digital certificates were compromised as part this attack which they dubbed Sunburst. FireEye was also a victim.

Executive Summary

We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
The campaign is widespread, affecting public and private organizations around the world.
FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.

Summary

FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

FireEye’s report indicated that the malware communicated with avsvmcloud. This domain has been seized by Microsoft.

The seized domain has been turned into a killswitch to prevent the SolarWinds hackers to escalate infections and make new victims.

Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack…The domain in question is avsvmcloud[.]com, which served as command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company’s Orion app….Even if the SolarWinds hack became public on Sunday, the SUNBURST operators still had the ability to deploy additional malware payloads on the networks of companies that failed to update their Orion apps and still have the SUNBURST malware installed on their networks.

Currently, the avsvmcloud[.]com domain redirects to an IP address owned by Microsoft, with Microsoft and its partners receiving beacons from all the systems where the trojanized SolarWinds app has been installed.

This technique, known as sinkholing, is allowing Microsoft and its partners to build a list of all infected victims, which the organizations plan to use to notify all affected companies and government agencies. Source: ZDNET

..stay tuned for updates