SolarWinds
The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said on 01 January 2021, something experts said sent a worrying signal about the spies’ ambition. Source code - the underlying set of instructions that run a piece of software or operating system - is typically among a technology company’s most closely guarded secrets.
The SolarWinds breach was the largest and most sophisticated ever discovered, Microsoft’s Brad Smith told CBS 14 February 2021. The network framed the breach as a reckless Russian hack attack that the NSA was unable to spot in time. The multifaceted breach, best-known for the company SolarWinds and its software, affected thousands of government and private computers in the US. It was first made public in December 2020 and was quickly blamed by people in Washington on Moscow. Microsoft was among companies whose electronic credentials were exploited.
Speaking to CBS’s ‘60 Minutes’ program, Microsoft President Brad Smith said that “from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen.” The company tasked 500 software engineers to analyze what had happened. Smith said “certainly more than 1,000” similar specialists were involved in working on the breach itself. “Almost certainly, these attacks are continuing,” he added.
Smith was one of several guests interviewed for the program, which purports to explain how “Russian spies” hacked key departments of the US government and learned their secrets. The experts helped paint a picture of an intelligence operation that was “unprecedented in audacity and scope” and part of an under-the-radar “cyber war” between the US and Russia. Moscow has “outsmarted” the DHS and “circumvented” the NSA, which “gathers intelligence overseas, but is prohibited from surveilling US computer networks,” according to the program.
The full stack isn't just cloud-based microservices apps; it includes on-premises and hybrid private cloud infrastructure and packaged applications. The challenges associated with aggregating, analyzing, reporting, and alerting intelligently on logs have become more complex than ever due to the acceleration of packaged and customized application deployment in support of business transformation, alongside the growing requirements needed to ensure security and compliance. SolarWinds eliminates complexity from every IT process imaginable: network operations, resource consolidation, legacy product migration, continuous monitoring, cyber security, even compliance.
On 15 December 2020, SolarWinds confirmed that Orion – its flagship network management software – had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS), issued Emergency Directive 21-01 on December 13, 2020 regarding this issue.
SolarWinds was the victim of a cyberattack on our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.
SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product. The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code.
Microsoft Corp said 18 December 2020 it found malicious software in its systems related to an enormous hacking campaign disclosed by officials in the United States this week, adding a top technology target to a growing list of attacked government agencies. The Redmond, Washington-based company is a user of Orion, the widely deployed networking management software from SolarWinds Corp which was used in the suspected Russian attacks on vital US agencies and others.
Early accusations quickly ran to Russia, with US Secretary of State Mike Pompeo saying on 18 December 2020 Russia was "pretty clearly" responsible and US President-elect Joe Biden saying his forthcoming administration would consider sanctioning Moscow as punishment. In response, Kremlin spokesperson Dmitry Peskov said Russia had no part in the hacking operations and that the accusations were "unfounded" and the result of "blind Russophobia." Donald Trump, who was "fully briefed" on the matter, said that the attacks were exaggerated by "Fake News Media", alleging that China could have been responsible for the hack, and suggesting alleged election fraud was a much bigger issue for the United States. "There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA."
In a joint statement on 05 January 2021, several US intelligence agencies announced their conclusion that the hack attack that breached SolarWinds infrastructure monitoring software was Russian in origin and sought to gather information. The statement, issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), said fewer than 10 US government agencies had been compromised by the hacking of SolarWinds' Orion software. According to their statement, "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks."
In the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack, a few benign-looking lines of code inserted into a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software deployed across verticals, including government and the security industry. The discreet malicious code inserted into the DLL called a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.
The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions—and keep a low profile.
In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.
Once loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers try to evade detection.
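The per-device subdomain described above has a defensive corollary: in DNS logs, a parent domain under which every internal host queries its own long, high-entropy label that no other host ever repeats looks different from ordinary traffic, where many hosts share labels such as "www". The following is an added hunting example, not code from the original article or from Microsoft or SolarWinds. The log format, the domain names and the IP addresses are constructed; the registrable parent is approximated as the last two labels, and the length and entropy thresholds are assumed starting points to tune against real traffic, not values taken from any analysis of SUNBURST.

```python
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class DnsQuery(NamedTuple):
    ts: str
    src: str
    qname: str


def parse_dns_log(lines: List[str]) -> List[DnsQuery]:
    """Parse constructed 'timestamp src_ip qname' log lines; malformed lines are skipped."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        out.append(DnsQuery(parts[0], parts[1], parts[2].rstrip(".").lower()))
    return out


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 'www' gives 0.0, 16 distinct characters give 4.0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Optional[Tuple[str, str]]:
    """Return (leftmost label, parent). Parent is approximated as the last two labels (assumption)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def label_table(queries: List[DnsQuery], min_label_len: int = 10) -> Dict[str, Dict[str, Set[str]]]:
    """parent -> leftmost label -> set of source hosts that queried it."""
    table: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for q in queries:
        split = split_qname(q.qname)
        if split is None:
            continue
        label, parent = split
        if len(label) < min_label_len:   # short labels like 'www' or 'mail' are not of interest here
            continue
        table[parent][label].add(q.src)
    return table


def suspicious_parents(queries: List[DnsQuery], min_hosts: int = 2, min_entropy: float = 3.0) -> List[str]:
    """Flag parents where several hosts each query their own unrepeated, high-entropy label."""
    hits = []
    for parent, labels in label_table(queries).items():
        hosts: Set[str] = set().union(*labels.values())
        if len(hosts) < min_hosts:
            continue
        # A label shared by two or more hosts is ordinary traffic (CDN, SaaS), not a per-device name.
        if any(len(h) != 1 for h in labels.values()):
            continue
        mean_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if mean_entropy < min_entropy:
            continue
        hits.append(parent)
    return sorted(hits)


# Constructed sample log: three hosts each resolving a distinct random-looking label under one
# parent, two hosts sharing a long CDN label, and one short corporate hostname.
SAMPLE_DNS_LOG = """\
2020-12-13T10:00:01Z 10.0.0.5 0qzk7w3phj5vx2rm.api.cloud-sync.example
2020-12-13T10:00:07Z 10.0.0.6 a9ur4lt6cnfb1yse.api.cloud-sync.example
2020-12-13T10:00:09Z 10.0.0.7 m2dk8hq0zgxw5cpj.api.cloud-sync.example
2020-12-13T10:01:00Z 10.0.0.5 static-assets-12.cdn.example
2020-12-13T10:01:02Z 10.0.0.6 static-assets-12.cdn.example
2020-12-13T10:01:05Z 10.0.0.7 mail.corp.example
"""

if __name__ == "__main__":
    print(suspicious_parents(parse_dns_log(SAMPLE_DNS_LOG.splitlines())))
```

The shared "static-assets-12" label is excluded because two hosts query it, and "mail" never enters the table because it is too short, so only the constructed cloud-sync.example parent is reported. Treat the output as a lead for analyst review, not a verdict: legitimate services (some telemetry and anti-malware clients) also encode per-host data in DNS labels, which is exactly why the thresholds need tuning on a baseline of the organisation's own traffic.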
With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.
To hunt for similar TTPs used in this attack, a good place to start is to build an inventory of the machines that have SolarWinds Orion components. Organizations might already have a software inventory management system to indicate hosts where the SolarWinds application is installed. Alternatively, Azure Sentinel could be leveraged to run a simple query to gather similar details. Azure Sentinel collects data from multiple different logs that could be used to gather this information.
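A concrete version of the inventory step above, written here as an added example rather than code from the article, Microsoft or SolarWinds: parse a software inventory export, keep the Orion installs, and flag the hosts whose build is one of the three named as affected in the SolarWinds advisory quoted earlier on this page (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1). A second function checks a file listing for the unsigned SUPERNOVA webshell DLL name given on this page. The CSV-style record formats, hostnames and directory paths are constructed; an Azure Sentinel query would be the real-world source of such records.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Orion Platform builds named as affected in the SolarWinds advisory quoted on this page.
AFFECTED_BUILDS = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}

# Unsigned SUPERNOVA webshell DLL name as given on this page.
SUPERNOVA_DLL = "app_web_logoimagehandler.ashx.b6031896.dll"


class OrionInstall(NamedTuple):
    host: str
    version: str   # base build, e.g. "2020.2"
    hotfix: int    # 0 means no hotfix installed


_VERSION_RE = re.compile(r"^(?P<ver>\d{4}\.\d+)(?:\s*HF\s*(?P<hf>\d+))?$", re.IGNORECASE)


def parse_version(raw: str) -> Optional[Tuple[str, int]]:
    """'2020.2 HF 1' -> ('2020.2', 1); '2019.4' -> ('2019.4', 0); None if unrecognised."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return m.group("ver"), int(m.group("hf") or 0)


def parse_inventory(lines: List[str]) -> Tuple[List[OrionInstall], List[str]]:
    """Parse constructed 'host,product,version' records.
    Returns the Orion installs found and the hosts whose version string could not be parsed,
    so that unknown versions are surfaced for manual review instead of silently dropped."""
    installs, unparsed = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        host, product, version = parts
        if "orion" not in product.lower():
            continue
        parsed = parse_version(version)
        if parsed is None:
            unparsed.append(host)
            continue
        installs.append(OrionInstall(host, parsed[0], parsed[1]))
    return installs, unparsed


def affected_hosts(installs: List[OrionInstall]) -> List[str]:
    """Hosts running one of the builds the advisory names as carrying SUNBURST."""
    return sorted(i.host for i in installs if (i.version, i.hotfix) in AFFECTED_BUILDS)


def supernova_candidates(file_lines: List[str]) -> List[str]:
    """Constructed 'host,path,signed' records; flag unsigned DLLs carrying the SUPERNOVA name."""
    hits = []
    for line in file_lines:
        parts = [p.strip() for p in line.strip().split(",")]
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        host, path, signed = parts
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == SUPERNOVA_DLL and signed.lower() != "yes":
            hits.append(f"{host}:{path}")
    return hits


SAMPLE_INVENTORY = """\
# host,product,version  (constructed sample records, not real inventory data)
orion-01.corp.example,SolarWinds Orion Platform,2020.2
orion-02.corp.example,SolarWinds Orion Platform,2020.2 HF 1
orion-03.corp.example,SolarWinds Orion Platform,2020.2 HF 2
orion-04.corp.example,SolarWinds Orion Platform,2019.4 HF 5
orion-05.corp.example,SolarWinds Orion Platform,2019.4 HF 4
orion-06.corp.example,SolarWinds Orion Platform,unknown
web-01.corp.example,Microsoft IIS,10.0
"""

SAMPLE_FILES = """\
# host,path,signed  (constructed; the directory path is a placeholder, not the real Orion install path)
orion-02.corp.example,C:\\placeholder\\Orion\\bin\\SolarWinds.Orion.Core.BusinessLayer.dll,yes
orion-03.corp.example,C:\\placeholder\\Orion\\bin\\app_web_logoimagehandler.ashx.b6031896.dll,no
"""

if __name__ == "__main__":
    installs, unparsed = parse_inventory(SAMPLE_INVENTORY.splitlines())
    print("affected:", affected_hosts(installs))
    print("review manually:", unparsed)
    print("SUPERNOVA candidates:", supernova_candidates(SAMPLE_FILES.splitlines()))
```

Two points the sample data is built to make: 2020.2 HF 2 is not flagged because the advisory does not list it, and the host with an unparseable version is reported separately rather than dropped. The signature check is deliberately limited to the SUPERNOVA case; as the article notes further down, the SUNBURST DLL was validly signed, so "signed" cannot by itself be treated as "clean" and the build version remains the primary indicator for that component.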
The Microsoft Threat Intelligence Center (MSTIC) team has already delivered multiple queries into Azure Sentinel that identify similar TTPs and many are also available in M365. These methodologies are not specific to just this threat actor or this attack but have been seen in various attack campaigns.
As many as 18,000 Orion customers downloaded the updates that contained a back door, SolarWinds has said. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers. But the attackers might have installed additional ways of maintaining access, CISA said, in what some have called the biggest hack in 10 years.
The Kremlin has voiced "alarm" at a report in The New York Times that said the United States was preparing a series of covert counter cyberstrikes on Russian networks. U.S. intelligence officials have said that Russia was probably behind the massive hack known as SolarWinds that hit large swaths of the public and private sectors last year, and which experts say may constitute an ongoing threat. Russia has denied the accusations. White House national-security adviser Jake Sullivan said in February 2021 that Washington would respond to SolarWinds in "weeks, not months."
The March 7 report in the U.S. newspaper quoted unnamed officials as saying that Washington was planning a series of covert counterstrikes on Russian networks in retaliation to the SolarWinds hack, with the first major move expected in three weeks' time. It said the clandestine actions would be intended to be obvious to Russian President Vladimir Putin and his military intelligence, but not to the rest of the world. "This is alarming information," said Kremlin spokesman Dmitry Peskov. "This would be pure international cybercrime."