Home Intel Hub T01 - SANS Internet Storm Center, InfoCON: green SolarWinds Breach Used to Infiltrate Customer Networks (Solarigate), (Mon, Dec 14th)

SolarWinds Breach Used to Infiltrate Customer Networks (Solarigate), (Mon, Dec 14th)

SANS Internet Storm Center, InfoCON: green 2020-12-13

[This is a developing story and will likely be updated as we learn more details. We are preparing a webcast for Monday evening ET]

SolarWinds today announced that a vulnerability in its product was apparently used to breach multiple high profile organizations, including FireEye[1]. 

FireEye released news of a breach last week but was very quiet about the nature of the compromise.

According to SolarWinds' statement, updates to the Orion product released between March and June of 2020 are affected. The SolarWinds Orion Platform is an IT management platform that will centralize IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things.

What you should do at this point:

  1. Verify if you are running SolarWinds Orion and if so, assert which networks are managed by it (likely all or most of your network)
  2. Get in touch with SolarWinds ASAP to learn how to detect a compromise. Right now, we do not have any IoCs (but will publish them as we learn more)
  3. Microsoft apparently published a blog post for its APT Defender customers with some IoCs [2]
  4. Carefully monitor your SolarWinds Orion installs for unusual behavior.
  5. As of Sunday morning, Microsoft Defender will detect related malware as "Solarigate" [5]

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4]

IOCs from Microsoft's report:

  • several malicious DLLs where identified
    • Sha256: 32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 Sha1: 76640508b1e7759e548771a5359eaed353bf1eec File Size: 1011032 bytes File Version: 2019.4.5200.9083 Date first seen: March 2020
    • Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c File Size: 1028072 bytes File Version: 20202.100.12219 Date first seen: March 2020
    • Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed Sha1: e257236206e99f5a5c62035c9c59c57206728b28 File Size: 1026024 bytes File Version: 2020.2.100.11831 Date first seen: March 2020
    • Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387 File Size: 1026024 bytes File Version: not available Date first seen: March 2020
    • Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c 
  • the malicious DLLs connect to infrastructure using the avsvmcloud.com domain. 

[1] https://twitter.com/razhael/status/1338267165221396480/photo/1 [2] https://twitter.com/cyb3rco0kie/status/1338276872333889537?s=21 [3] https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818 [4] https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832 [5] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132

--- Johannes B. Ullrich, Ph.D. Dean of Research, SANS.edu Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.