
Being Proactive in Security: The Case of the SolarWinds Breach

With the recent news of the SolarWinds security breach circulating the Internet over the course of this past week, many companies have been questioning the security of everyday tools and services they utilize. A recent article from the Wall Street Journal highlighted that most companies, outside of some financial services and technology companies, don’t closely scrutinize the software provided by their vendors and partners. A quoted executive from a security consulting firm said:

“You’re inherently trusting the vendor to have done their own due diligence on the products they are selling you”.

In this blog post I will highlight how WillowTree proactively tracks and evaluates security breaches to better protect its clients, its stakeholders and the organization itself.


In a world of constant news and information, how does WillowTree stay on top of the most recent security news and breaches?

The answer is quite simple. Our organization draws on numerous security news channels, IRC chats, Reddit, and other information sources, which are compiled and centralized into a single platform called Feedly. Feedly lets us use an AI assistant called Leo, which sorts and aggregates our “feeds” by filters that narrow in on key indicators such as organization breaches, critical CVEs, vendor releases, system vulnerabilities, and new security tooling. With this service, WillowTree can take a more proactive approach because we can sort through relevant information more quickly as it comes in. This, in turn, allows us to perform our due diligence when a security incident occurs and to sort news directly by our organization’s and clients’ security needs.


What is the SolarWinds Breach and how do I protect my organization?

To start, I will go over the general background of the SolarWinds incident, highlight the key indicators of compromise (IOCs) for this event, and discuss possible remediation techniques an organization can take.

SolarWinds Event Background

The full extent of this breach is believed to date back to as early as spring 2020. In March 2020 the first malicious SolarWinds Orion versions were introduced through a compromise of the Orion software build system (a malicious, signed DLL); the attackers’ goals appear to include, but are not limited to, sensitive data theft.

This breach is believed to be the work of nation-state hackers who coordinated these attacks and, given the complexity of the attack, have most likely been active in compromised networks since then. This is underscored by the fact that the first hacked targets were not even discovered until December.

The hacking group behind the SolarWinds supply chain attack currently appears to be focusing its attacks against a large assortment of worldwide targets, including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia, and the Middle East.”

DLL Information

FireEye has stated that the trojanized update file is a “standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.”

A quick search on VirusTotal conducted by SecurityWeek early Monday revealed that the original malicious file (MD5: b91ce2fa41029f6955bff20079468448) was detected as malicious by only 14 of 69 anti-malware engines.

FireEye’s analysis also found that the backdoor uses blocklists to detect forensic and anti-virus tools via processes, services, and drivers, which further adds to the sophistication of the attack and supports the assessment that it was performed by nation-state hackers.

The ‘SUNBURST’ Backdoor

SolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed SolarWinds component of the Orion software framework that contains a client backdoor communicating over HTTP with third-party servers (see the indicators of compromise below). Security firms are now dubbing the trojanized version of this SolarWinds Orion plug-in SUNBURST.

Well summarized by FireEye: “After an initial dormant period of up to two weeks, SUNBURST retrieves and executes commands, called ‘Jobs’, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

Indicators of Compromise (IOCs)

For rule-based countermeasures related to this breach, please visit FireEye’s Sunburst Countermeasures repository for Snort, YARA, IOC, and ClamAV rules.

Domains associated:

Hashes (SHA256):

What you should also check:

  1. Verify whether you are running SolarWinds Orion version 2019.4 through 2020.2.1 HF1 and, if so, determine which networks it manages (likely all or most of your network)
  2. CISA recommends disconnecting or powering down affected versions of SolarWinds Orion
  3. A quick check for the following indicators:
    • Is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in:
      • {{PROGRAMFILES}}\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
      • {{WINDIR}}\System32\config\systemprofile\AppData\Local\assembly\tmp{{path}}\SolarWinds.Orion.Core.BusinessLayer.dll
    • If so, the malicious version uses this Signer and SignerHash:
      • “Signer”: “Solarwinds Worldwide LLC”
      • “SignerHash”: “47d92d49e6f7f296260da1af355f941eb25360c4”
    • The existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may also indicate a compromise
    • Check for outbound traffic to hostnames in the domains associated with this campaign (e.g. review DNS logs)
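
As an added example (not from the original post, SolarWinds or FireEye), the following PowerShell sweeps a single Windows host for the file-based indicators in the checklist above and returns them as objects for review. The function name is this example’s own, and it assumes the SignerHash quoted above is the signing certificate’s SHA-1 thumbprint as exposed by Get-AuthenticodeSignature.

```powershell
function Invoke-SunburstHostCheck {
    # Host-based indicators from the checklist above. Run elevated on the Orion server.
    $dllName         = 'SolarWinds.Orion.Core.BusinessLayer.dll'
    # SignerHash from the post; assumed to be the code-signing certificate's SHA-1 thumbprint.
    $knownSignerHash = '47d92d49e6f7f296260da1af355f941eb25360c4'

    # Candidate locations. The assembly-cache path has a variable tmp{{path}} component,
    # so that tree is searched rather than guessed.
    $candidates = @(Join-Path $env:ProgramFiles "SolarWinds\Orion\$dllName")
    $cacheRoot  = Join-Path $env:WINDIR 'System32\config\systemprofile\AppData\Local\assembly\tmp'
    if (Test-Path $cacheRoot) {
        $candidates += Get-ChildItem -Path $cacheRoot -Recurse -Filter $dllName -File -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName
    }

    # Wrap in @() so $results is always an array and += works even for a single hit.
    $results = @(foreach ($path in $candidates) {
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Indicator     = 'Orion DLL present'
            Path          = $path
            # File version is reported for reference only; the affected Orion platform
            # versions (2019.4 through 2020.2.1 HF1) are confirmed in the Orion console.
            FileVersion   = (Get-Item $path).VersionInfo.FileVersion
            # Compare this against the published SUNBURST SHA256 list; presence of the
            # DLL by itself is expected on any Orion install.
            SHA256        = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signer        = $sig.SignerCertificate.Subject
            Thumbprint    = $sig.SignerCertificate.Thumbprint
            SignerHashHit = ($sig.SignerCertificate.Thumbprint -eq $knownSignerHash)  # -eq is case-insensitive
        }
    })

    # Second file indicator from the checklist.
    $netsetup = Join-Path $env:WINDIR 'SysWOW64\netsetupsvc.dll'
    if (Test-Path $netsetup) {
        $results += [pscustomobject]@{
            Indicator = 'netsetupsvc.dll present'
            Path      = $netsetup
            SHA256    = (Get-FileHash -Path $netsetup -Algorithm SHA256).Hash
        }
    }
    return $results
}

Invoke-SunburstHostCheck | Format-List
```

Because the certificate behind that thumbprint was SolarWinds’ own code-signing certificate, a SignerHashHit confirms who signed the DLL, not that it is the trojanized build; the SHA256 comparison against the published hashes is the decisive check.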

Review and Remediation

In the case of the SolarWinds breach, the attackers appear to be leveraging legitimately signed DLLs and injecting malicious payloads into them to create a backdoor that runs attacker-issued jobs and compromises machines (which is extremely hard to detect, since the DLL is seen as a legitimate dynamic library). With this in mind, to be more proactive against these types of attacks, our security team has put together several avenues to help protect our organization and clients from similar attacks in the future on both macOS and Windows.

Based on this review, there are multiple avenues our clients and organization can take to better defend against these types of attacks:



In summary, WillowTree takes advantage of cutting-edge security software, tooling and automation, paired with relevant security news and insights, to perform its due diligence for both our clients and the organization as a whole. We take our clients’ security seriously and believe that notifying our clients only about security incidents in the applications we produce would do a massive disservice to the hard work of our project teams. At the end of the day, the security team here at WillowTree cares most about improving security and circulating knowledge for all, not just internally.

If you’d like to get in touch with our security team to help you evaluate potential risks or conduct a security audit, please don’t hesitate to reach out. Also, don’t forget to have a happy holiday everyone!
