Sunburst - what you need to know in order to detect and respond, in simple terms

Written by Andy Smith, SOC Lead

22/12/2020

The Sunburst attack may turn out to be the most serious nation-state espionage campaign in history.

As many of our customers continue to monitor the threat to SolarWinds and its customers, and ask for our help, we have put together a guide to the simplest ways to tell whether you are affected and to detect whether you have been compromised.

The Bulletproof SOC is actively monitoring the situation regarding SolarWinds and the Sunburst attack as with all new attacks. We do this to ensure we have a clear understanding of the potential threat to our customers and to build better innovative detection mechanisms, maintaining a prime position to support our customers as a true extension to their team.

Research indicates that SolarWinds was exploited to craft a sophisticated supply-chain attack:

  1. SolarWinds’ signing server was breached and used to sign software updates, which allowed malicious code to be deployed as part of a legitimately signed update.
  2. Any SolarWinds customer whose software updated automatically during the period of the breach could unknowingly have installed a malicious backdoor.
  3. The backdoor communicates with a malicious server.
  4. It appears that the attackers were selective: information sent back through the backdoor was used to decide whether an organisation was of interest, and therefore whether to terminate or proceed with the attack.
  5. It has been reported that at this stage the threat actors would move laterally to other assets, hosted either on premises or in the cloud.

Note: some publications mention that the SolarWinds update is not the sole entry point in this campaign.

As a side note the NCSC have released a statement to say:

“This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact.”


How to find out if you are affected:

  1. Identify whether you have a product from the SolarWinds Orion suite, versions 2019.4 to 2020.2.1 HF1 inclusive. The SolarWinds Orion suite consists of several products; for exact product versions see the SolarWinds advisory.
  2. If you are able to, check any internet web proxy, DNS proxy or firewall logs for connections to the legitimate SolarWinds update site, downloads.solarwinds.com. This may help in identifying possible Orion suite products. (Note: this will likely identify any SolarWinds products, not just the Orion suite.)
  3. If you find any Orion suite products on your network, check for a file named SolarWinds.Orion.Core.BusinessLayer.dll and generate a SHA-256 hash of the file. You can use the PowerShell command Get-FileHash to do this. Upload the hash to VirusTotal and check whether it is detected as malicious. If it is detected, you have a copy of SolarWinds with maliciously added functionality.
  4. Check any internet web proxy, DNS proxy or firewall logs for connections to any sub-domain of avsvmcloud[.]com (which is used for command and control by the initial backdoor).
  5. Multiple vendors have technical detection rules for the malicious DLL (called SUNBURST). If you have the ability to run these checks, you should do so.
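The log checks in steps 2 and 4 and the hashing in step 3, as an added example written for this guide (not Bulletproof tooling): it scans proxy/DNS/firewall log lines for the update site and for any sub-domain of avsvmcloud.com, matching on whole domain labels so that look-alike names such as notavsvmcloud.com are not false positives, and produces the same upper-case SHA-256 that Get-FileHash prints. The log format and the sub-domain in the sample are constructed for illustration.

```python
import hashlib
import re
from typing import Optional

# Indicators from the guide: the C2 domain used by the initial backdoor
# (any sub-domain counts) and the legitimate update site (inventory hint).
C2_DOMAIN = "avsvmcloud.com"
UPDATE_SITE = "downloads.solarwinds.com"
# Hostname tokens in a log line; defanged "[.]" is normalised before matching.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def is_subdomain_of(host: str, domain: str) -> bool:
    """True for the domain itself or any label under it, case-insensitive."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def classify_line(line: str) -> Optional[str]:
    """'c2' for backdoor C2, 'orion-inventory' for the update site, else None."""
    hosts = HOST_RE.findall(line.replace("[.]", "."))
    if any(is_subdomain_of(h, C2_DOMAIN) for h in hosts):
        return "c2"
    if any(h.lower().rstrip(".") == UPDATE_SITE for h in hosts):
        return "orion-inventory"
    return None

def scan_log(lines):
    """Group (line number, line) pairs by verdict so C2 hits are triaged first."""
    hits = {"c2": [], "orion-inventory": []}
    for n, line in enumerate(lines, 1):
        verdict = classify_line(line)
        if verdict:
            hits[verdict].append((n, line.strip()))
    return hits

def sha256_bytes(data: bytes) -> str:
    """Upper-case hex digest, the form Get-FileHash -Algorithm SHA256 displays."""
    return hashlib.sha256(data).hexdigest().upper()

def sha256_of(path: str) -> str:
    """Hash a file on disk (e.g. SolarWinds.Orion.Core.BusinessLayer.dll) in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

# Constructed sample log lines (not real traffic); the sub-domain label is made up.
SAMPLE_LOG = [
    "2020-12-14T03:11:02Z dns src=10.0.5.21 query=A name=downloads.solarwinds.com",
    "2020-12-14T03:12:40Z dns src=10.0.5.21 query=A name=abc123.avsvmcloud[.]com",
    "2020-12-14T03:13:00Z proxy src=10.0.7.9 url=https://www.example.com/",
    "2020-12-14T03:13:30Z dns src=10.0.7.9 query=A name=notavsvmcloud.com",
]
```

Feed exported log lines to `scan_log` and compare `sha256_of` on each DLL copy against VirusTotal as in step 3.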


How Bulletproof’s services could have helped identify the threat.

  1. Bulletproof analysts can help identify whether you have a product from the SolarWinds Orion suite, versions 2019.4 to 2020.2.1 HF1 inclusive. The Bulletproof SOC analyst team uses its multiple sources of information from your environment (changes to local systems, user logins, unusual file drops and new services, combined with logs, IDS and HIDS data) to identify proactively whether you are affected. We focus on looking for suspicious activity in your environment in order to detect zero-day and new attacks that have no pre-written signature; our complete picture of your environment, combined with the expert eye of our analysts, makes this possible.
  2. Bulletproof’s analysts would check any internet web proxy, DNS proxy or firewall logs for connections to the legitimate SolarWinds update site, downloads.solarwinds.com, helping to triage the threat and identify possible Orion suite products. This information is combined with our own tools to give analysts greater context, reducing the investigation effort for you, alert fatigue and unnecessary effort from the business.
  3. If you have any Orion suite products on your network, Bulletproof will have the information at its disposal (using our FIM and process-monitoring agent) to check for a file named SolarWinds.Orion.Core.BusinessLayer.dll; we automatically generate a SHA-256 hash of the file so that analysts can check it against known-bad file lists. We would also be on hand to help you use the PowerShell command Get-FileHash as required, upload the hash to VirusTotal and check whether it is detected as malicious. If it is detected, you have a copy of SolarWinds with maliciously added functionality, and we would be in place to facilitate a response in line with the SANS six steps of incident response, to which our runbooks are aligned.
  4. Bulletproof analysts constantly check internet web proxy, DNS proxy and firewall logs for connections to any known malicious sub-domain (including, specifically in this case, avsvmcloud[.]com, which is used for command and control by the initial backdoor).
  5. Bulletproof has multiple technical detection rules for the malicious DLL (called SUNBURST), and our relevant detection rules have been updated for all our existing customers as a precaution, even if they are not affected.

If you are worried that your organisation may have been affected contact the Bulletproof team today, we’re here to help.

