Light in the Dark: Hunting for SUNBURST

Today, nation-state groups and other adversaries have the resources and expertise to evade detection successfully while also achieving their objectives in secrecy. The SolarWinds Orion incident is our most recent proof that prolonged dwell time allows a threat actor to gain an advantageous foothold in a victim organization. Best practices recommend organizations employ threat hunting to shorten a threat actor’s dwell time and expose these hidden threats.

In December 2020, FireEye revealed the details of a sophisticated threat actor that took advantage of SolarWinds’ Orion Platform to orchestrate a wide-scale supply chain attack and deploy a backdoor we call SUNBURST. This attack impacted organizations worldwide, leading executives to question whether their environment fell victim. Many rushed to quickly identify SolarWinds assets within their environment and determine potential impact. Mandiant Managed Defense customers, however, did not have to play catch up. Those customers were already receiving—and continue to receive—the benefits of our threat hunting service, drawn directly from our incident response experience and built into our MDR service.

Join us here on Feb. 25, 2021, to discuss hunting for SUNBURST and Managed Defense Hunting.

On the same day the attack was publicly announced, we were already working to minimize the impact on our Managed Defense customer base. Working from our first-hand experience, we observed the threat actors’ techniques and quickly moved to identify similar activities within our customers’ environments. This is a natural progression of threat intel leading to actionable direct threat hunting missions daily within our MDR service offerings. Mandiant is on the front lines of incident response around the globe, and our investigative findings quickly make their way into the workflow of our hunting team.

SUNBURST Was Only the Beginning

During the discovery of the SolarWinds breach into FireEye, we gained a detailed look into tactics and techniques utilized by UNC2452. While SolarWinds and SUNBURST malware may have been an entry vector, it was by no means the only evidence of activity we found in customer environments. By all measures, UNC2452 is an unconventional threat actor. Notable techniques included:

• Hid malicious code within thousands of lines of legitimate code, compiled inside of digitally signed binaries.
• Took advantage of a platform (SolarWinds Orion) that required privileged access to the environment and continuously polled the entire digital environment, thus generating significant lateral movement traffic.
• Disabled dozens of endpoint security tools, including FireEye.
• Utilized DNS for Stage 1 and 2 C2 communications.
• Introduced minimal custom malware into the environment post-exploitation, often “living off the land” via native Windows tools to perform reconnaissance, harvest credentials, move laterally, and progress towards their ultimate objectives.

When threat actors utilize techniques that subvert traditional detections and/or disable security software, an organization can feel thrust into the dark. In our experience, threat hunting with deep, first-hand knowledge of how attackers achieve their objectives is the best way to find a light in the darkness. We seek to maintain this perspective daily as we craft our threat hunting missions, looking for evasive attackers hiding in the darkest corners of customers’ networks.

Many of our threat hunting hypotheses begin as high-level techniques, subsequently paired with the activity we see on the front lines. We study attacker activity and take advantage of the telemetry sources available to refine our hypotheses further. Many of our customers have network, endpoint, cloud, and email visibility, which provides valuable data to identify threat actor activity. By leveraging this telemetry, we hone our campaigns, giving us higher fidelity of detection. In turn, this shortens the cycle of detection and response.

To put telemetry and fidelity into perspective, let’s analyze the flow diagram from one of our recent SUNBURST blog posts (Figure 1) and review where our threat hunting team found opportunities for detection.

Figure 1: SolarWinds attack flow diagram

1. Our team crafted hunt campaigns specifically targeted to identify techniques utilized by UNC2452, including but not limited to malicious SolarWinds plugins and known second stage encryption certificates.
2. After uncovering the C2 DNS DGA, we hunted through available network traffic for malicious DNS requests.
3. Our team created hunt missions to identify instances of ancillary malware that UNC2452 may use and campaigns looking for evidence of additional attacker activity. Activity included, but not limited to:
   • Persistence mechanisms, including scheduled tasks
   • Staging directories and executable file writes to those locations
   • Compression software utilized to steal data
   • Encoded and/or obfuscated PowerShell execution
4. A handful of these hunting campaigns were already underway across our Managed Defense base. For example, hunting for encoded and/or obfuscated PowerShell or lateral movement are common attacker techniques. We design regular hunting campaigns against these techniques and honed them using knowledge of UNC2452’s tactics.

A fundamental principle of any good threat hunting campaign is access to a surfeit of high-value telemetry. However, without context or experience of how attackers achieve their objectives, we’d merely be digging through mountains of data, looking for what we already know. By combining front-line experience with the vast sources of global data we have access to, our threat hunting team finds proverbial needles in haystacks. It protects our customers against the threats they didn’t even know were out there.

Please join us for our webinar on Feb. 25, 2021, to learn more about how Managed Defense helped its customers respond to the December 2020 SolarWinds breach.