Meanwhile, FireEye has found a kill switch, and Microsoft and other vendors are quickly moving to block the Sunburst backdoor used in the attack.
A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week. Researchers said that includes its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism; and, SolarWinds’ deep visibility into customer networks.
That story is unfolding as defenders take action. Microsoft for instance began blocking the versions of SolarWinds updates containing the malicious binary, known as the “Sunburst” backdoor, starting Wednesday; and, FireEye has identified a kill switch for the malware.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained. Microsoft calls the backdoor “Solorigate.”
The backdoor was injected into SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers. It beacons out to a command-and-control (C2) domain called avsvmcloud[.]com.
The kill switch, developed by FireEye in collaboration with Microsoft and GoDaddy, will defang new and previous Sunburst infections by disabling any deployments that are still beaconing to the C2.
“We identified a killswitch that would prevent Sunburst from continuing to operate,” a FireEye spokesperson told Threatpost. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”
Compromising a Legitimate Patch
On Monday, SolarWinds confirmed that adversaries (likely nation-state-backed) were able to inject malicious code into normal software updates for the Orion network-management platform. This installed the Sunburst/Solorigate backdoor inside the platform, which the attackers were subsequently able to take advantage of in targeted attacks on the U.S. Departments of Treasury and Commerce, DHS, FireEye and others around the world.
“It’s possible that the bad actors were able to gain access to either the SolarWinds source-code repository or their build pipeline and insert the malicious code,” said Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “We know this because the component that contained the malware was ‘code signed’ with the appropriate SolarWinds certificate. This made the DLL look like a legitimate and safe component for their Orion product. From there, it was bundled into a patch and distributed across thousands of customers.”
In all, SolarWinds said that it pushed out tainted software updates to almost 18,000 government agencies, contractors and enterprises over the course of the incident (between March and June), as Threatpost previously reported.
Also, even though the last push of the trojanized updates happened in June, the malicious updates remained available for download until this week. And Huntress researcher Kyle Hanslovan said that he had seen the malicious DLL still available via various update mechanisms.
“For some time, there were three fully compromised packages still publicly available for download from SolarWinds’ website, but have since been removed after we reported the findings,” according to a Huntress spokesperson.
For its part, SolarWinds has declined to issue any statement other than what it said in a media statement on Sunday: “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.”
SolarWinds: A Perfect Target
Orion is a product with such market dominance that company CEO Kevin Thompson bragged on an October earnings call that “we don’t think anyone else in the market is really even close in terms of the breadth of coverage we have. We manage everyone’s network gear.”
In addition to its overall footprint, perhaps what made SolarWinds the most attractive vector for the attackers however is its sheer reach into customer networks.
“One of the things that made SolarWinds an ideal target was the fact that the software would typically be given access to the full network to be able to do its job,” Marcus Hartwig, manager of security analytics at Vectra, told Threatpost. “Compromising SolarWinds makes sure an attacker does not have to worry about firewalls and other preventative security solutions working against them when performing recon or moving laterally.”
He added, “Additionally, SolarWinds Orion is a network management tool. It knows EVERYTHING on your network. Device, software version, firmware version, applications, etc… so they have a complete inventory – and as such can look at the exploits they have available to them and determine based on the devices that are vulnerable which organizations they will target. Quite frankly, it’s genius as it improves their return.”
Hartwig also noted that the users of SolarWinds are IT/network admins with privileged access accounts. He explained, “So, targeting SolarWinds means getting instant access to the most valuable accounts on the network, which is the key step in any attack succeeding.”
All of this alone would make in an irresistible target for a widespread supply-chain attack, but other alleged security lapses appear to have sealed the deal.
For instance, security researcher Vinoth Kumar told Reuters that he discovered a hard-coded password for access to SolarWinds’ update server last year – the very easy-to-guess “solarwinds123.”
“This could have been done by any attacker, easily,” Kumar told the news service.
Sources also told Reuters that cybercriminals were spotted hawking access to SolarWinds’ infrastructure in underground forums, as far back as 2017. One of the access-dealers, they said, was the notorious Kazakh native known as “fxmsp,” which made headlines last year for hacking McAfee, Symantec and Trend Micro; and who is wanted by the Feds for perpetrating a widespread backdoor operation spanning six continents.
No AV Detection
To boot, a German newspaper flagged the fact that SolarWinds has a support page advising users to disable antivirus scanning for Orion products’ folders in order to avoid issues in the product’s efficacy. It’s not an uncommon practice, but security researchers did note that it make the platform more of a target:
This is nuts. Solarwinds had a support page (now removed) advising users to DISABLE antivirus scanning for Orion products’ folders. pic.twitter.com/ptUKR4zQ8d
— Costin Raiu (@craiu) December 16, 2020
“There are sometimes legitimate reasons to whitelist some paths, such as for instance when working with malware or when using some remote access tools that may have dual use,” Kaspersky researcher Costin Raiu told Threatpost. “However, it is a terrible practice to whitelist or skip scanning folders in Program Files or Common Files, where applications running on the system reside, especially if they have self-updating functionality. If these are legitimate applications that are not normally detected, then they shouldn’t be whitelisted.”
He added, “Obviously, in the case of a supply-chain attack, such as the one that affected SolarWinds, users might find themselves in a position where the antivirus doesn’t detect the malicious module, even if the antivirus product has been updated to detect it. This is because the application path has been whitelisted. If the attackers deployed something more destructive, such as a wiper or ransomware, even if antivirus products might have detected it heuristically, it would still be allowed to run because the folder is whitelisted.”
Since no security solution detect this supply-chain attack proactively, it is likely that the whitelisting didn’t impact the instant effectiveness of the malware deployment, he added – however, this may impact the ability to disinfect the affected systems, he warned.
Companies: Assess the Damage
For now, researchers said that organizations should take steps to assess whether they are infected with Sunburst/Solorigate; and if so, if they were targeted for further intrusion.
“While not every SolarWinds customer was likely a primary target for this particular activity, that doesn’t mean that additional persistence mechanisms were established en masse, in a way that would affect most or all customers,” Daniel Trauner, director of security, Axonius, told Threatpost. “Disabling any servers running backdoored versions of the product and disconnecting those hosts from your network is smart, but that’s certainly not enough. Organizations should immediately look for evidence of further persistence or lateral movement from those hosts. This applies to those who have already patched as well.”
Further, it should be said that the kill switch only works to prevent Sunburst from being effective — in all probability, the cyberactors have already moved laterally.
“In the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the Sunburst backdoor,” the FireEye spokesperson said. “This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult to for the actor to leverage the previously distributed versions of Sunburst.”
This post was updated at 4:15 p.m. ET on Dec. 16 to include news of the kill switch and multiple quotes from researchers.