With the recent news of the SolarWinds security breach circulating on the Internet over the course of this past week, many companies have been questioning the security of the everyday tools and services they rely on. A recent article from the Wall Street Journal highlighted that most companies, outside of some financial services and technology companies, don’t closely scrutinize the software provided by their vendors and partners. A quoted executive from a security consulting firm said:
“You’re inherently trusting the vendor to have done their own due diligence on the products they are selling you”.
In this blog post I will be happy to highlight how WillowTree proactively views and evaluates security breaches to better protect its clients, stakeholders and underlying organization.
In a world of constant news and information, how does WillowTree stay on top of the most recent security news and breaches?
The answer to that question is quite simple: our organization pulls numerous security news channels, IRC chats, Reddit, and other linked information platforms into a single platform called Feedly. Feedly lets us leverage an AI assistant called Leo, which sorts and aggregates our “feeds” by filters that narrow in on key indicators such as organization breaches, critical CVEs, vendor releases, system vulnerabilities, new security tooling, etc. With this service, WillowTree is able to take a more proactive approach, since we can sort through relevant information more quickly as it comes in. This in turn allows us to perform our due diligence in the case of a security incident and to sort news directly by our organization’s and our clients’ security needs.
What is the SolarWinds Breach and how do I protect my organization?
To start off, I will go over the general background of the SolarWinds incident, highlight the key indicators of compromise (IOCs) associated with this event, and then discuss possible remediation techniques an organization can take.
SolarWinds Event Background
The breach is said to have started as early as spring 2020: in March 2020 the first malicious SolarWinds Orion versions were introduced through a compromise of the Orion software build system (a malicious, legitimately signed DLL), and the attackers’ goals appear to include, but are not limited to, theft of sensitive data.
This breach is said to have been the work of nation-state hackers who coordinated these attacks and, given the complexity of the attack, have most likely been active in compromised networks since then; the first compromised targets were not discovered until December.
The hacking group behind the SolarWinds supply chain attack currently seems to be focusing its attacks against a large assortment of worldwide targets, including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia, and the Middle East.”
FireEye has stated that the trojanized update file is a “standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.”
A quick search on VirusTotal conducted by SecurityWeek early Monday revealed that the original malicious file (MD5: b91ce2fa41029f6955bff20079468448) was detected as malicious by only 14 of 69 anti-malware engines.
In FireEye’s analysis it was also found that the backdoor uses blocklists to detect forensic and anti-virus tools by their process, service, and driver names, which further adds to the complexity of the attack and supports the conclusion that it was performed by nation-state hackers.
The ‘SUNBURST’ Backdoor
SolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed SolarWinds component of the Orion software framework; the trojanized version contains a client backdoor that communicates over HTTP with third-party servers (listed below). Security firms are now dubbing this trojanized version of the SolarWinds Orion plug-in SUNBURST.
Well summarized by FireEye, “After an initial dormant period of up to two weeks, SUNBURST retrieves and executes commands, called “Jobs”, that includes the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
Indicators of Compromise (IOCs)
For rule-based countermeasures related to this breach, please visit FireEye’s Sunburst Countermeasures repository for Snort, YARA, IOC, and ClamAV rules.
What you should also check:
- Verify whether you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and, if so, determine which networks it manages (likely all or most of your network)
- CISA recommends disconnecting/powering down affected versions of SolarWinds Orion
- A quick check for the following indicators:
  - Is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in:
  - If so, the malicious version uses this Signer and SignerHash:
    - “Signer”: “Solarwinds Worldwide LLC”
    - “SignerHash”: “47d92d49e6f7f296260da1af355f941eb25360c4”
  - The existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may also indicate a compromise
  - Check for outbound traffic to hostnames in the domains listed above (e.g. review DNS logs)
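The checklist above can be scripted so it runs the same way on every host. The following is an added example written for this post, not a WillowTree or FireEye tool: it takes the affected version range, the DLL name, the MD5 from the SecurityWeek lookup, and the netsetupsvc.dll path from the text, and it assumes a constructed DNS log format and a placeholder domain (the real SUNBURST domains are not reproduced on this page). Note that a non-matching DLL hash does not prove the file is clean, since other trojanized builds exist; only a match is conclusive on its own.

```python
# Added triage helpers for the checklist above. This is example code written
# for this post, not a WillowTree or FireEye tool. The affected version range,
# the DLL name, the MD5 and the netsetupsvc.dll path come from the text; the
# DNS log format and the placeholder domain are constructed assumptions (the
# real SUNBURST domains are not reproduced on this page).
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post
MALICIOUS_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
MALICIOUS_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"
NETSETUPSVC_PATH = r"C:\WINDOWS\SysWOW64\netsetupsvc.dll"

# Affected Orion versions: 2019.4 through 2020.2.1 HF1, inclusive.
# Versions are compared as (major, minor, patch, hotfix) tuples.
AFFECTED_MIN = (2019, 4, 0, 0)
AFFECTED_MAX = (2020, 2, 1, 1)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*(?:HF(\d+))?$", re.IGNORECASE)


def parse_orion_version(version: str) -> tuple:
    """'2020.2.1HF1' -> (2020, 2, 1, 1); numeric part padded to 3 components."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (hotfix,)


def is_affected_version(version: str) -> bool:
    """True when the installed version falls inside the range in the advisory."""
    return AFFECTED_MIN <= parse_orion_version(version) <= AFFECTED_MAX


def md5_of_file(path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dll(path) -> dict:
    """Is the business-layer DLL present, and does its MD5 match the known bad
    build? A non-matching hash does not prove the file is clean (other
    trojanized builds exist); only a match is conclusive on its own."""
    p = Path(path)
    result = {"path": str(p), "present": p.is_file(), "md5": None, "known_malicious": False}
    if result["present"]:
        result["md5"] = md5_of_file(p)
        result["known_malicious"] = result["md5"] == MALICIOUS_DLL_MD5
    return result


def netsetupsvc_present() -> bool:
    """Secondary indicator named in the post: the dropped netsetupsvc.dll."""
    return Path(NETSETUPSVC_PATH).is_file()


def scan_dns_log(lines, suspicious_domains) -> list:
    """Return (line_no, queried_name) for each query that is one of the
    suspicious domains or a subdomain of one. Assumed log shape (constructed):
    '<timestamp> <client-ip> query <name>'."""
    suspicious = [d.lower().strip(".") for d in suspicious_domains]
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        name = fields[3].lower().strip(".")
        if any(name == d or name.endswith("." + d) for d in suspicious):
            hits.append((n, name))
    return hits


# Constructed sample DNS log; PLACEHOLDER-C2.example stands in for the real
# SUNBURST domains, which this post does not list.
SAMPLE_DNS_LOG = [
    "2020-12-14T03:12:01Z 10.0.0.25 query www.example.com.",
    "2020-12-14T03:12:07Z 10.0.0.25 query abc123.PLACEHOLDER-C2.example.",
    "2020-12-14T03:12:09Z 10.0.0.31 query time.windows.com.",
]


def demo_dll_check() -> dict:
    """Write a constructed stand-in file under the malicious DLL's name to a temp
    directory and check it; it is not the bad build, so known_malicious is False."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / MALICIOUS_DLL_NAME
        p.write_bytes(b"constructed stand-in, not a real DLL")
        return check_dll(p)


if __name__ == "__main__":
    for v in ("2019.2", "2019.4", "2020.2.1HF1", "2020.2.1HF2"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print(demo_dll_check())
    print(scan_dns_log(SAMPLE_DNS_LOG, ["PLACEHOLDER-C2.example"]))
```

On a real Orion host you would point `check_dll` at the installed copy of the DLL and feed `scan_dns_log` the resolver’s query log with the domain list from the FireEye repository; the version comparison treats the hotfix number as a fourth component so that 2020.2.1 HF2 (the first fixed build) falls outside the affected range.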
Review and Remediation
In the case of the SolarWinds breach, it seems that the attackers are leveraging legitimately signed DLLs, injecting malicious payloads into them to create a backdoor that runs attacker-issued jobs to pwn machines (which is extremely hard to detect, since the library is seen as a legitimate dynamic library). With this in mind, to be more proactive against these types of attacks, our security team has put together several avenues to help protect our organization and clients from similar attacks in the future, for both macOS and Windows.
From this review there are multiple avenues our clients and organization can take to better defend against these types of attacks:
- Openly scanning for malicious dynamic library (.dll & .dylib) files on company machines
- Better securing dynamic library (.dll & .dylib) files, so that the ones on our current machines have a lower likelihood of being tampered with, through security tooling or manual access control
- Crafting alerts to better track executable activity, critical file modifications, and file sharing outside of the organization:
  - Elastic SIEM Detections
  - Python-based Security Automation Techniques
- Better tracking of network packets to look for illegitimate activity such as communication outside of the country, network communication during non-business hours, and use of the file sharing protocols these breaches commonly utilize (HTTP, FTP, SFTP, SCP, etc.)
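The network heuristics in the last item above are easy to express as a small scoring pass over flow records. The following is an added example, not WillowTree’s own detection content: the flow record shape, the home country (`US`), the business-hours window (08:00–18:00, Monday to Friday), the port-to-protocol mapping, and the sample flows are all constructed assumptions, and `ZZ` is a placeholder country code.

```python
# Added example: score outbound flows against the heuristics named in the post
# (out-of-country destination, non-business hours, file-transfer protocol).
# Not WillowTree tooling; record layout, home country, hours and ports are assumed.
from datetime import datetime

# Ports for the file-transfer protocols named in the post (assumed mapping)
FILE_TRANSFER_PORTS = {21: "FTP", 22: "SFTP/SCP", 80: "HTTP"}
HOME_COUNTRY = "US"        # assumption: the organisation's home country
BUSINESS_HOURS = (8, 18)   # assumption: 08:00-18:00 local, Monday to Friday


def is_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def flag_flow(record: dict) -> list:
    """Return the reasons a single outbound flow deserves a second look."""
    reasons = []
    if record["dst_country"] != HOME_COUNTRY:
        reasons.append(f"destination outside {HOME_COUNTRY} ({record['dst_country']})")
    if not is_business_hours(record["ts"]):
        reasons.append("outside business hours")
    proto = FILE_TRANSFER_PORTS.get(record["dport"])
    if proto:
        reasons.append(f"file-transfer protocol {proto} on port {record['dport']}")
    return reasons


def triage_flows(records, min_reasons: int = 2) -> list:
    """Return (src, dst, reasons) for flows tripping at least `min_reasons`
    heuristics; requiring two keeps ordinary after-hours browsing out of the queue."""
    out = []
    for r in records:
        reasons = flag_flow(r)
        if len(reasons) >= min_reasons:
            out.append((r["src"], r["dst"], reasons))
    return out


# Constructed sample flows (RFC 5737 documentation addresses; 2020-12-14 is a Monday)
SAMPLE_FLOWS = [
    {"ts": datetime(2020, 12, 14, 3, 15), "src": "10.0.0.25", "dst": "203.0.113.7", "dport": 443, "dst_country": "US"},
    {"ts": datetime(2020, 12, 14, 3, 17), "src": "10.0.0.25", "dst": "198.51.100.9", "dport": 22, "dst_country": "ZZ"},
    {"ts": datetime(2020, 12, 14, 11, 0), "src": "10.0.0.31", "dst": "192.0.2.44", "dport": 80, "dst_country": "US"},
]

if __name__ == "__main__":
    for src, dst, reasons in triage_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

Only the 03:17 SFTP/SCP flow to a non-home country is returned; the 03:15 HTTPS flow and the daytime HTTP flow each trip a single heuristic and are left for the SIEM to correlate rather than alerted on individually.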
In summary, WillowTree takes advantage of cutting-edge security software, tooling and automation, paired with relevant security news and insights, to perform its due diligence for both our clients and the organization as a whole. We take our clients’ security seriously and believe that keeping our clients notified only of security incidents in the applications we produce would do a massive disservice to the hard work of our project teams. At the end of the day, the security team here at WillowTree cares most about improving security and circulating knowledge for all, not just internally.
If you’d like to get in touch with our security team to help you evaluate potential risks or conduct a security audit, please don’t hesitate to reach out. Also, don’t forget to have a happy holiday everyone!