“They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
This quote from FireEye CEO Kevin Mandia reads almost like praise for the attackers, who carried out one of the most sophisticated attacks seen to date. It is also something of a confession: none of the expensive IT security products bought by the victims were able to detect this APT campaign or protect their customers from it.
More than 17,000 SolarWinds customers have been identified as having received the backdoored Orion update in one of the biggest APT attacks to date (aka Sunburst, aka Solorigate). Is that just the tip of the iceberg? CISA is already aware of other initial access vectors, so the number of affected organisations will continue to rise.
CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise. 6
The attack was so successful that the attackers had to prioritise which victims were the most valuable to them and pursue only those.
Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions. 6
Even so, the cleanup will take time and be genuinely challenging.
CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. 6
“We should buckle up. This will be a long ride,” said Dmitri Alperovitch, co-founder and former chief technical officer of the leading cybersecurity firm CrowdStrike. “Cleanup is just phase one.”
Bruce Schneier goes further: he says you have to rebuild your network from scratch, because you can never be sure the intruder has been completely removed.
The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” Bruce Schneier said. It’s the only way to be sure an intruder is out.
Against attackers this sophisticated, only equally thoughtful and somewhat creative monitoring really helps. First you have to know your baseline, so that you can look for anomalies: unusual logins or activities that break it. The problem is that in a company with a large workforce you cannot monitor every user and every system as closely as would be necessary. This is where a risk-based security approach starts to pay off: close monitoring of high-value assets (privileged users, domain controllers, federation and management servers) and basic monitoring for everything else.
Start with the backdoor itself. Before it enters its main execution stage, the malware performs a series of extensive checks: for example, it looks for running processes and drivers belonging to security-related software, comparing hashed names against a hard-coded list. If any of the checks fail, the backdoor terminates itself.
At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The type of commands that can be executed range from manipulating of registry keys, to creating processes, and deleting files, etc., effectively providing the attackers with full access to the device, especially since it’s executing from a trusted, signed binary. 1
This means you can look in your SIEM for suspicious C2 traffic, in your DNS and firewall logs. FireEye published the relevant DNS indicators (the avsvmcloud.com C2 domain and its DGA subdomains) on GitHub, and John Bambenek shared a list of SUNBURST-generated domain names on GitHub as well 3. Make sure your retro-hunt goes back as far as your log retention allows: the backdoor stays dormant for up to two weeks after installation before it starts beaconing, and the trojanized Orion builds were distributed from March 2020 onward.
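The DNS retro-hunt described above, as an added example that is not code from the original post or from FireEye. It scans constructed BIND-style query-log lines for the published SUNBURST C2 domain avsvmcloud.com (a FireEye IOC; the DGA label sits below appsync-api.<region>) and reports, per source host, when a matching query was first and last seen, which bounds the dormant period. The DGA labels in the sample log are made up, and the C2 domain list is meant to be replaced by the full published list.

```python
"""Retro-hunt DNS query logs for SUNBURST C2 lookups.

Added example, not code from the original post or from FireEye. Scans
constructed BIND-style query-log lines for published SUNBURST C2 domains
and reports per source host when a matching query was first/last seen.
"""
import re
from collections import defaultdict
from datetime import datetime

# Published SUNBURST C2 domains (FireEye IOCs); paste the full GitHub list here.
C2_DOMAINS = ("avsvmcloud.com", "freescanonline.com", "deftsecurity.com",
              "thedoccloud.com", "websitetheme.com")

# Simplified BIND query-log line, e.g.
# 26-Apr-2020 03:41:17.004 client 10.1.2.3#53121: query: x.example.com IN A + (10.0.0.53)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[\d.]+)#\d+: query: (?P<qname>\S+?)\.? IN (?P<qtype>\w+)"
)


def is_c2_query(qname):
    """True if qname is one of the C2 domains or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def hunt(lines):
    """Return {src_ip: {"first": dt, "last": dt, "count": n, "names": set}}."""
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0, "names": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_c2_query(m["qname"]):
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        h = hits[m["src"]]
        if h["first"] is None or ts < h["first"]:
            h["first"] = ts
        if h["last"] is None or ts > h["last"]:
            h["last"] = ts
        h["count"] += 1
        h["names"].add(m["qname"].rstrip("."))
    return dict(hits)


# Constructed sample log; the DGA labels are made up, not real beacons.
SAMPLE_LOG = [
    "12-Apr-2020 09:15:02.551 client 10.1.2.3#53120: query: www.solarwinds.com IN A + (10.0.0.53)",
    "26-Apr-2020 03:41:17.004 client 10.1.2.3#53121: query: 0a1b2c3d4e5f6g7h8i9j.appsync-api.us-west-2.avsvmcloud.com IN A + (10.0.0.53)",
    "27-Apr-2020 03:39:55.120 client 10.1.2.3#53122: query: 0a1b2c3d4e5f6g7h8i9j.appsync-api.us-west-2.avsvmcloud.com IN A + (10.0.0.53)",
    "02-May-2020 11:02:44.387 client 10.1.7.9#49211: query: zz9yy8xx7ww6vv5uu4tt.appsync-api.eu-west-1.avsvmcloud.com IN A + (10.0.0.53)",
    # Look-alike that must NOT match: the C2 domain is not the suffix.
    "02-May-2020 11:03:01.000 client 10.1.7.9#49212: query: avsvmcloud.com.lookalike.example IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    for src, h in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{src}: {h['count']} C2 queries, first {h['first']}, last {h['last']}")
        for n in sorted(h["names"]):
            print("    ", n)
```

Feed it the query logs of your resolvers for the whole retention window; the suffix match (rather than a plain substring search) is what keeps look-alike names out of the result, and the first-seen timestamp per host tells you roughly when that Orion server came out of its dormant phase.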
To avoid detection, attackers renamed Windows administrative tools like adfind.exe which were then used for domain enumeration. […] Lateral movement was observed via PowerShell remote task creation […] allows the attackers to deliver second-stage payloads, which are part of the Cobalt Strike software suite. 1
This is where the fun starts: lateral movement. If your usual anti-virus did not flag this kind of activity, you need extended client monitoring, which can be done with Sysmon for example. I am not aware of any company that does this kind of monitoring on every client, though. Usually you rely on EDR (Endpoint Detection and Response, e.g. Sophos EDR) or APT detection tools (e.g. FireEye HX, Microsoft Defender ATP). I would also recommend looking at the extended logging you can switch on via group policy: PowerShell script block logging writes every executed script block to the Microsoft-Windows-PowerShell/Operational log (event ID 4104), and process creation auditing with command-line logging writes every new process to the Security log (event ID 4688).
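Two of the lateral-movement traces quoted above can be hunted directly in Sysmon process-creation events. The following is an added example, not code from the original post and not a vendor detection rule; it runs over constructed Sysmon XML records (only the relevant fields are kept). The first check catches renamed tools such as adfind.exe, because Sysmon logs the OriginalFileName from the PE version resource next to the on-disk image path; the second catches a scheduled task created from a remote PowerShell session, whose parent process is the WinRM host wsmprovhost.exe. The OriginalFileName values in the watch list are assumed from the tools' version resources.

```python
"""Hunt Sysmon process-creation events (Event ID 1) for renamed tools and
scheduled tasks created from remote PowerShell sessions.

Added example, not from the original post and not a vendor detection rule.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OriginalFileName values worth a high-severity alert when renamed.
# Assumed from the tools' version resources; extend as needed.
TOOL_NAMES = {"adfind.exe", "psexec.exe", "procdump.exe", "mimikatz.exe"}


def parse_event(xml_text):
    """Flatten one Sysmon event into {field: value}, plus "EventID"."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return data


def check_event(ev):
    """Return a list of finding strings for one parsed event."""
    findings = []
    if ev.get("EventID") != 1:
        return findings
    image = ev.get("Image", "")
    on_disk = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "").lower()
    # Sysmon logs "-" when the binary carries no version resource.
    if original and original != "-" and original != on_disk:
        sev = "HIGH" if original in TOOL_NAMES else "LOW"
        findings.append(f"{sev}: renamed binary {image} (OriginalFileName={ev['OriginalFileName']})")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent == "wsmprovhost.exe" and on_disk == "schtasks.exe":
        findings.append(f"HIGH: scheduled task created from a WinRM session: {ev.get('CommandLine', '')}")
    return findings


def hunt(xml_records):
    """Run both checks over a list of Sysmon event XML strings."""
    return [f for rec in xml_records for f in check_event(parse_event(rec))]


# Constructed sample events (not real telemetry); only relevant fields kept.
_TMPL = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="OriginalFileName">{orig}</Data>
    <Data Name="CommandLine">{cmd}</Data>
    <Data Name="ParentImage">{parent}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    # adfind.exe copied to a.exe and run for domain enumeration
    _TMPL.format(image=r"C:\Windows\Temp\a.exe", orig="AdFind.exe",
                 cmd="a.exe -f objectcategory=person -gc",
                 parent=r"C:\Windows\System32\cmd.exe"),
    # remote PowerShell session (wsmprovhost.exe) creating a scheduled task
    _TMPL.format(image=r"C:\Windows\System32\schtasks.exe", orig="schtasks.exe",
                 cmd=r"schtasks /create /tn Updater /tr C:\Windows\Temp\a.exe /sc onlogon",
                 parent=r"C:\Windows\System32\wsmprovhost.exe"),
    # benign: OriginalFileName differs only in case, so no finding
    _TMPL.format(image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 orig="PowerShell.EXE", cmd="powershell.exe -NoProfile",
                 parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The name mismatch check fires on some legitimate installers and self-updating software too, which is why it is only rated HIGH for names on the watch list; run it over a week of real Sysmon data first to build an allow-list before turning it into an alert.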
Microsoft has also determined that adversaries utilizing the Sunburst Backdoor targeted the Azure AD of victims as part of their lateral movement. This was either done via captured administrative passwords or forged SAML tokens. 5
Monitoring Azure AD can be a quick win: the Azure AD sign-in and audit logs are easy to add to your SIEM via the REST API (Microsoft Graph). Search queries for forged SAML tokens can be found in the recent Splunk blog post Using Splunk to Detect Sunburst Backdoor, with Sunburst IOCs for Splunk ingest as a bonus.
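One way to look for forged SAML tokens (Golden SAML) without Splunk, as an added example that is neither the original post's nor Microsoft's or Splunk's query: in a federated domain every fresh Azure AD sign-in is preceded by an ADFS "token issued" event (Event ID 1200 in the AD FS/Admin log) for the same user. A forged token never touches ADFS, so the sign-in has no issuance to correlate with. The records below are constructed, simplified extractions of the two logs (not the raw schemas), and the 60-minute assertion lifetime is an assumption to be tuned to your relying-party trust settings.

```python
"""Flag Azure AD sign-ins of federated users that have no matching ADFS
token issuance, a basic check for forged SAML tokens (Golden SAML).

Added example, not from the original post and not Microsoft's or Splunk's
query. Records are constructed, simplified extractions, not raw log schemas.
"""
from datetime import datetime, timedelta

# Assumed maximum age of a SAML assertion presented to Azure AD; tune to
# the lifetime configured on your ADFS relying-party trust.
ASSERTION_LIFETIME = timedelta(minutes=60)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_uncorrelated_signins(adfs_issued, aad_signins, lifetime=ASSERTION_LIFETIME):
    """Return federated sign-ins with no ADFS issuance for that UPN in [t - lifetime, t]."""
    issued_by_user = {}
    for ev in adfs_issued:
        issued_by_user.setdefault(ev["upn"].lower(), []).append(_t(ev["time"]))
    suspicious = []
    for s in aad_signins:
        if not s.get("federated", True):
            continue  # managed-domain users authenticate in Azure AD directly
        t = _t(s["time"])
        issued = issued_by_user.get(s["upn"].lower(), [])
        if not any(t - lifetime <= i <= t for i in issued):
            suspicious.append(s)
    return suspicious


# Constructed ADFS Event 1200 extractions (time, user the token was issued for).
ADFS_ISSUED = [
    {"time": "2020-12-14 08:00:05", "upn": "alice@example.com"},
    {"time": "2020-12-14 08:02:40", "upn": "bob@example.com"},
]

# Constructed Azure AD sign-in extractions.
AAD_SIGNINS = [
    # 7 s after ADFS issued alice a token: expected
    {"time": "2020-12-14 08:00:12", "upn": "alice@example.com", "ip": "198.51.100.7",
     "app": "Office 365 Exchange Online", "federated": True},
    # alice again hours later with no new ADFS issuance in between: suspicious
    {"time": "2020-12-14 11:45:00", "upn": "alice@example.com", "ip": "203.0.113.99",
     "app": "Microsoft Graph", "federated": True},
    # service account that never authenticated at ADFS at all: suspicious
    {"time": "2020-12-14 09:30:00", "upn": "svc-backup@example.com", "ip": "203.0.113.99",
     "app": "Azure Portal", "federated": True},
    # carol is in a managed (non-federated) domain: out of scope for this check
    {"time": "2020-12-14 09:31:00", "upn": "carol@example.com", "ip": "198.51.100.8",
     "app": "Azure Portal", "federated": False},
]

if __name__ == "__main__":
    for s in find_uncorrelated_signins(ADFS_ISSUED, AAD_SIGNINS):
        print(f"no ADFS issuance for {s['upn']} at {s['time']} from {s['ip']} ({s['app']})")
```

Two caveats before alerting on this: sessions kept alive by refresh tokens produce Azure AD sign-ins without a new SAML assertion, so restrict the check to interactive sign-ins or widen the window accordingly, and the correlation is only as good as your ADFS logging, so make sure Event ID 1200 from every federation server actually reaches the SIEM.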
I will try to keep this post updated; I think the coming weeks and months will bring some interesting developments.