US CISA released an advisory on current activity explaining that a threat actor is actively exploiting SolarWinds Orion platforms to gain access to networks and systems. In parallel, US DHS issued Emergency Directive 21-01, requiring US federal agencies to take immediate steps to identify instances of SolarWinds products running on federal networks, determine whether they are among the known vulnerable versions, and mitigate the vulnerability and its potential for compromise.
The journalist Brian Krebs further reported that many US agencies, including the Pentagon, the NSA and the US Department of the Treasury, as well as more than 425 of the Fortune 500 companies, are among the victims.
The vulnerable versions, 2019.4 HF 5 through 2020.2.1 HF 1, released between March and June 2020, include a trojanized component carrying a backdoor known as SUNBURST. The backdoor resolves its command-and-control (C2) infrastructure through DNS and then communicates with its C2 servers over HTTP.
Until SolarWinds deploys a fix, the only known way to prevent further compromise is to disconnect the affected devices from the network.
Because a network management system typically has extensive access to the networks and systems it monitors, exploitation of SolarWinds products poses a critical risk to affected organizations and requires emergency action. The first step is to determine whether any system running a SolarWinds product is affected. This document provides brief guidance on how to check whether a SolarWinds installation is among the affected versions and, if so, how to determine whether exploitation occurred.
Check Your System or Systems for SolarWinds vulnerability
STEP 0: AFFECTED VERSIONS
The affected versions are SolarWinds 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020.
To check which version is installed on your server, SolarWinds provided the following instructions.
DETERMINE THE INSTALLED VERSION FROM THE ORION WEB CONSOLE
All product versions are displayed in the footer of the Orion Web Console login page.
DETERMINE THE INSTALLED VERSION FROM THE SERVER CONTROL PANEL
- The product versions are also displayed in the system's Control Panel.
- Open the Control Panel and go to Programs > Programs and Features.
- Scroll down to the SolarWinds entries. The number of entries varies with how many products are installed; each entry lists the product and its version, and some entries also include information about installed hotfixes.
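The Control Panel procedure above is hard to repeat across a fleet of Orion servers. The following PowerShell is an added example, not part of the SolarWinds instructions or this advisory: it reads the same registry keys that back "Programs and Features" and, optionally, fans out over WinRM. It assumes (these are not statements from the original page) that the affected range in Step 0 spans the 2019.4 and 2020.2 release families, and that the hotfix level is not reliably encoded in the DisplayVersion value, so entries in those families are flagged for manual confirmation rather than judged automatically.

```powershell
# Added example; not part of the SolarWinds instructions above. Enumerates
# installed SolarWinds products from the registry keys that back
# "Programs and Features", so the version check can run non-interactively
# on one server or fan out to many over WinRM.
# Assumptions (not from the original page): the affected range in Step 0
# (2019.4 HF 5 through 2020.2.1 HF 1) spans the 2019.4 and 2020.2 release
# families; the hotfix level is not reliably encoded in DisplayVersion, so
# entries in those families are flagged for manual confirmation rather
# than judged automatically.

$AffectedFamilies = @('2019.4', '2020.2')

# Runs on the target machine (locally or via Invoke-Command) and returns one
# object per SolarWinds entry in the 64-bit and 32-bit uninstall hives.
$EnumerateBlock = {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SolarWinds*' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                InstallDate    = $_.InstallDate   # yyyyMMdd string; may be empty
            }
        }
}

function Get-SolarWindsInventory {
    param(
        # Empty list = local server only; otherwise query each host over WinRM.
        [string[]]$ComputerName = @()
    )
    $rows = if ($ComputerName.Count -gt 0) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $EnumerateBlock
    } else {
        & $EnumerateBlock
    }
    foreach ($r in $rows) {
        # Release family = first two numeric components, e.g. 2019.4.5220.20574 -> 2019.4
        $family = if ($r.DisplayVersion -match '^(\d+\.\d+)') { $Matches[1] } else { '' }
        $r |
            Add-Member -NotePropertyName Family -NotePropertyValue $family -PassThru |
            Add-Member -NotePropertyName ReviewRequired `
                       -NotePropertyValue ($AffectedFamilies -contains $family) -PassThru
    }
}

# Usage: local server first, then a fan-out to Orion servers (host names are placeholders).
Get-SolarWindsInventory | Format-Table -AutoSize
# Get-SolarWindsInventory -ComputerName 'orion01', 'orion02' | Where-Object ReviewRequired
```

Rows marked ReviewRequired still need the hotfix level confirmed against Step 0, either from the entry name in Programs and Features or from the Orion Web Console footer; the script deliberately does not claim a build is safe.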
STEP 1: CHECK FILES AND HASHES
Two files are associated with a trojanized SolarWinds installation. The first, SolarWinds.Orion.Core.BusinessLayer.dll, is a legitimate Orion component present in every installation, so its presence alone means nothing; only a hash match against the published SUNBURST hashes indicates the trojanized version. The second, netsetupsvc.dll, is suspicious when it is found in C:\WINDOWS\SysWOW64\.
1. File name: SolarWinds.Orion.Core.BusinessLayer.dll. File hash (MD5): b91ce2fa41029f6955bff20079468448 (one of three published SUNBURST hashes; see the table under ADDITIONAL FILES).
2. File path and name: C:\WINDOWS\SysWOW64\netsetupsvc.dll
SEARCH FOR FILE – COMMAND LINE
Run cmd.exe as an administrator and type the following commands, one per line:
cd \
dir SolarWinds.Orion.Core.BusinessLayer.dll /s
dir netsetupsvc.dll /s
The second file is suspicious if it is present in the directory C:\WINDOWS\SysWOW64\. Since dir /s only descends from the root of the current drive, repeat the search on every drive letter.
SEARCH FOR A FILE – GUI
To find a file on disk, the quickest option is the “Search…” bar in the Start menu. Note that a copy of netsetupsvc.dll found in its standard location (C:\Windows\System32) is not the one used by the threat actor, whose copy was placed in C:\WINDOWS\SysWOW64.
Alternatively, open Windows Explorer and type “filename:” followed by the file name in the “Search…” field.
In the dialog box, click “This PC” on the left to make sure the search covers all drives and folders, or repeat the search on every drive attached to the system.
GET FILE HASH
If SolarWinds.Orion.Core.BusinessLayer.dll is present on the system, calculate its hash. Run PowerShell and execute the following commands, substituting the directory found above:
Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm MD5
Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm SHA256
If the file is present and its hash matches one of the published values, the SolarWinds instance is one of the versions known to carry the trojanized file. A hash that matches none of the published values does not prove the installation is clean: the published list covers only the samples analysed so far, and the version range in Step 0 remains the authoritative indicator.
ADDITIONAL FILES
FireEye identified additional files related to the attack. Their hashes are listed in the table below.
| SHA256 | MD5 | Filename | Malware Family | Role |
|---|---|---|---|---|
| d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | 02af7cec58b9a5da1c542b5a32151ba1 | CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp | SUNBURST | Installer |
| 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 | 08e35543d6110ed11fdf558bb093d401 | “Solarwinds Worldwide, LLC” | (none; legitimate SolarWinds certificate) | Code-signing certificate |
| 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | 2c4a910a1299cdae2a4e55988a2f102e | SolarWinds.Orion.Core.BusinessLayer.dll | SUNBURST | Backdoor |
| ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | 846e27a652a5e1bfbd0ddd38a16dc865 | SolarWinds.Orion.Core.BusinessLayer.dll | SUNBURST | Backdoor |
| 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | b91ce2fa41029f6955bff20079468448 | SolarWinds.Orion.Core.BusinessLayer.dll | SUNBURST | Backdoor |
| 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 | 4f2eb62fa529c0283b28d05ddd311fae | OrionImprovementBusinessLayer.2.cs | SUNBURST | Decompiled and corrected source code for SUNBURST |
| c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | 56ceb6d0011d87b6e4d7023d7ef85676 | app_web_logoimagehandler.ashx.b6031896.dll | SUPERNOVA | Webshell |
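The manual search-and-hash steps in Step 1 and the hash table above can be combined into a single sweep. The following PowerShell is an added example, not FireEye's or this advisory's code: it walks every fixed drive for the file names named on this page, hashes each hit, and compares the SHA256 against the table. The hash list is transcribed from this page; any file whose hash is not listed is reported as "unknown", never as "clean", because the list covers only the samples analysed so far.

```powershell
# Added example; not FireEye's or the original advisory's code. Locates the
# files named in Step 1 on every fixed drive, hashes them, and compares the
# SHA256 against the values published in the table above. Assumptions (not
# from the original page): the hash table below is transcribed from this
# page; a file whose hash is not listed is reported as "unknown", never as
# "clean", since the list covers only samples analysed so far.

# SHA256 (lower-case) -> description, transcribed from the ADDITIONAL FILES table.
$KnownBad = @{
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134' = 'SUNBURST backdoor DLL'
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6' = 'SUNBURST backdoor DLL'
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77' = 'SUNBURST backdoor DLL'
    'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600' = 'SUNBURST trojanized Hotfix 5 installer'
    'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71' = 'SUPERNOVA webshell'
}

# File names from Step 1 and the table. The .ashx DLL gets a wildcard because the
# compiled name carries a build-specific suffix (b6031896 in the table).
$FileNames = @(
    'SolarWinds.Orion.Core.BusinessLayer.dll',
    'netsetupsvc.dll',
    'app_web_logoimagehandler.ashx*.dll',
    'CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp'
)

function Get-FixedDriveRoots {
    # DriveType 3 = local fixed disk; excludes removable, network and CD drives.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Find-SunburstArtifacts {
    param([string[]]$Roots = (Get-FixedDriveRoots))
    $sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Include $FileNames -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
                $verdict =
                    if ($KnownBad.ContainsKey($sha)) {
                        'MATCH: ' + $KnownBad[$sha]
                    } elseif ($_.Name -eq 'netsetupsvc.dll' -and $_.DirectoryName -eq $sysWow64) {
                        # No published hash on this page for the SysWOW64 copy; flag by location.
                        'SUSPICIOUS: netsetupsvc.dll in SysWOW64 (location used by the threat actor)'
                    } else {
                        'unknown: hash not in published list, compare version against Step 0'
                    }
                [pscustomobject]@{
                    Path         = $_.FullName
                    SHA256       = $sha
                    MD5          = $md5
                    LastWriteUtc = $_.LastWriteTimeUtc
                    Verdict      = $verdict
                }
            }
    }
}

# Usage: scan all fixed drives; review MATCH and SUSPICIOUS rows first.
Find-SunburstArtifacts | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that protected directories are readable. Preserve the output (and the files themselves) before any remediation, since the LastWriteUtc timestamps and the exact paths are evidence for the incident response that follows a MATCH.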
CHECK FOR NETWORK IOCS
If a network monitoring solution is in place, or DNS, proxy or firewall logs exist, the following DNS and IP indicators can be used for a threat hunt. Observing any of them very likely indicates that the network has been compromised. Note that the SUNBURST CNAME entries are examples only: the backdoor generates a unique subdomain per victim under avsvmcloud[.]com, so any query for any subdomain of that domain should be treated as a hit.
| Associated Malware | DNS Record Type | FQDN | IP | Target | First Seen | Last Seen |
|---|---|---|---|---|---|---|
| SUNBURST | CNAME | 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com | | freescanonline[.]com | 2020-06-13 09:20:41 | 2020-06-13 09:20:41 |
| SUNBURST | CNAME | 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com | | deftsecurity[.]com | 2020-06-11 22:37:33 | 2020-06-11 22:37:33 |
| SUNBURST | CNAME | gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com | | freescanonline[.]com | 2020-06-13 08:48:40 | 2020-06-13 08:48:41 |
| SUNBURST | CNAME | ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com | | thedoccloud[.]com | 2020-06-20 02:54:06 | 2020-06-20 02:54:06 |
| SUNBURST | CNAME | k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com | | thedoccloud[.]com | 2020-07-22 17:15:57 | 2020-07-22 17:15:58 |
| SUNBURST | CNAME | mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com | | thedoccloud[.]com | 2020-07-23 18:43:00 | 2020-07-23 18:43:00 |
| SUNBURST | A | deftsecurity[.]com | 13.59.205.66 | | 2020-02-14 03:47:49 | 2020-12-13 19:28:44 |
| SUNBURST | A | freescanonline[.]com | 54.193.127.66 | | 2020-02-11 11:00:04 | 2020-12-13 19:25:56 |
| SUNBURST | A | thedoccloud[.]com | 54.215.192.52 | | 2020-02-09 20:03:38 | 2020-12-10 03:24:23 |
| SUNBURST | A | websitetheme[.]com | 34.203.203.23 | | 2020-02-04 16:27:45 | 2020-06-25 23:58:55 |
| SUNBURST | A | highdatabase[.]com | 139.99.115.204 | | 2019-12-28 00:07:06 | 2020-12-06 03:51:20 |
| BEACON | A | incomeupdate[.]com | 5.252.177.25 | | 2019-10-04 17:57 | 2020-10-01 18:45 |
| BEACON | A | databasegalore[.]com | 5.252.177.21 | | 2020-03-12 10:49 | 2020-12-13 21:23 |
| BEACON | A | panhardware[.]com | 204.188.205.176 | | 2020-03-11 15:32 | 2020-12-13 21:23 |
| BEACON | A | zupertech[.]com | 51.89.125.18 | | 2020-05-14 03:09 | 2020-12-13 21:31 |
| BEACON | A | zupertech[.]com | 167.114.213.199 | | 2016-08-18 13:06 | 2017-11-12 16:23 |
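The indicators in the table are most useful when run over DNS query logs. The following PowerShell is an added example, not part of the original advisory: it scans log lines for the domains and IPs listed above, removing the defanging brackets for matching and treating any subdomain of avsvmcloud[.]com as a hit, since the six CNAME rows are only samples of the per-victim subdomains SUNBURST generates. It assumes (not stated on the page) a log with one query per line and the queried name and any answer as whitespace-separated fields, as in a Windows DNS Server debug log or a resolver export; the sample lines are constructed for illustration, and the debug-log path in the usage comment is an assumption.

```powershell
# Added example; not part of the original advisory. Hunts DNS query-log
# lines for the indicators in the table above. Assumptions (not from the
# page): the log has one query per line with the queried name and any
# answer as whitespace-separated fields, as in a Windows DNS Server debug
# log or a resolver export; the sample lines below are constructed. Brackets
# are removed from the defanged indicators for matching, and any subdomain
# of avsvmcloud[.]com counts as a hit because SUNBURST generates a
# per-victim subdomain under it, so the six CNAME rows are only examples.

# Domains from the table, defanging removed. Matching is exact or on any
# subdomain, so the DGA parent covers every *.appsync-api.*.avsvmcloud.com.
$IocDomains = @(
    'avsvmcloud.com',                                             # SUNBURST DGA parent
    'deftsecurity.com', 'freescanonline.com', 'thedoccloud.com',  # SUNBURST CNAME targets / A records
    'websitetheme.com', 'highdatabase.com',
    'incomeupdate.com', 'databasegalore.com', 'panhardware.com', 'zupertech.com'  # BEACON
)
$IocIPs = @(
    '13.59.205.66', '54.193.127.66', '54.215.192.52', '34.203.203.23', '139.99.115.204',
    '5.252.177.25', '5.252.177.21', '204.188.205.176', '51.89.125.18', '167.114.213.199'
)

function Test-IocDomain {
    # Returns the matching IOC domain, or $null. A trailing dot (FQDN form) is tolerated.
    param([string]$Name)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($d in $IocDomains) {
        if ($n -eq $d -or $n.EndsWith('.' + $d)) { return $d }
    }
    return $null
}

function Search-DnsLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $domainHit = $null
        $ipHit     = $null
        foreach ($tok in ($line -split '\s+')) {
            $t = $tok.Trim('"', ',', ';', '(', ')')
            if (-not $domainHit) { $domainHit = Test-IocDomain $t }
            if (-not $ipHit -and $IocIPs -contains $t) { $ipHit = $t }
        }
        if ($domainHit -or $ipHit) {
            [pscustomobject]@{
                Indicator = (@($domainHit, $ipHit) | Where-Object { $_ }) -join ' / '
                Line      = $line
            }
        }
    }
}

# Constructed sample lines (not real traffic): benign, SUNBURST DGA, BEACON, IP-only.
$sample = @(
    '2020-06-13 09:20:40 10.0.0.21 query    A www.example.com',
    '2020-06-13 09:20:41 10.0.0.21 query    A k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com.',
    '2020-06-14 01:02:03 10.0.0.40 query    A databasegalore.com',
    '2020-06-14 01:02:04 10.0.0.40 response A www.example.net 204.188.205.176'
)
Search-DnsLog -Lines $sample | Format-Table -AutoSize
# Real use (log path is an assumption, adjust to your resolver):
# Search-DnsLog -Lines (Get-Content 'C:\Windows\System32\dns\dns.log')
```

The client IP in each matching line identifies the host that made the query; on an Orion deployment that host should be the Orion server itself, and a match from any other system widens the scope of the investigation.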
References
US DHS / CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
Brian Krebs: U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
Determine which version of a SolarWinds Orion product you have installed