Overview of Recent Sunburst Targeted Attacks
Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain via a compromised network monitoring program. This post discusses what the Sunburst backdoor is and what you can do now to mitigate this threat.
Update on 12/29/2020 2:40 PM PST: Information on Supernova added
Update on 1/22/2021 4:56 PM PST: Trend Micro's Zero-Day Initiative (ZDI) provided technical analysis of recently patched vulnerabilities in the SolarWinds Orion Platform. CVE-2020-14005, one of these vulnerabilities, has been linked to the recent SUNBURST cyberattack on SolarWinds. These vulnerabilities, when combined, could allow an unauthenticated attacker to execute arbitrary code as Administrator on an affected system.
Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain. This was carried out via a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access provided by this application to plant a backdoor known as Sunburst onto affected machines. This backdoor provided the attacker with complete access to the targeted organization’s network.
What is Sunburst?
Sunburst is a sophisticated backdoor that provides an attacker nearly complete control over an affected system. It has several peculiarities in its behavior, however.
Before it runs, it checks that the process name hash and a registry key have been set to specific values. It will also only run if the execution time is twelve or more days after the system was first infected; it will also only run on systems that have been attached to a domain. This specific set of circumstances makes analysis by researchers more difficult, but it also limits the scope of its victims to some degree.
It connects back to its command-and-control server via various domains, which take the following format:
The subdomain is one of the following strings:
Once in a system, it can both gather information about the affected system and execute various commands. The gathered information includes:
- Domain name
- Network interfaces
- Running processes/services
- Installed drivers
This gathered information is used either to generate a user ID for the affected machine, or to check against blocklists - if certain drivers, processes, or services are found on the machine, the backdoor will cease to function.
The commands that can be executed include:
- Registry operations (read, write, and delete registry keys/entries)
- File operations (read, write, and delete files)
- Run/stop processes
- Reboot the system
What is Supernova?
Supernova, one of the malicious components associated with the attack, is a .NET web shell backdoor that presents itself as a legitimate SolarWinds web service handler. It is a second-stage payload in the attack. Once running, it inspects and responds to HTTP requests with appropriate HTTP query strings, cookies, and HTML form values. It can also execute web shell commands via a specific HTTP request format.
Who is affected?
It is believed that Sunburst was delivered via a trojanized version of the Orion network monitoring application. According to SEC filings by SolarWinds, threat actors inserted the malicious code into otherwise legitimate code, which means anyone who downloaded the software was potentially at risk. This was done as part of the build process; the source code repository was not affected.
According to the SolarWinds SEC filing, this trojanized version was downloaded by under 18,000 customers from March to June of 2020. Once this malicious code is present in a system, it runs the behavior described in the first part of this post. Multiple organizations, including US government agencies, have reported that they were affected by this campaign.
In a security advisory, SolarWinds advised all of their affected customers to immediately update their software to versions that do not contain the malicious code. The advisory also lists the appropriate products and their versions. Our article titled Managing Risk While Your ITSM Is Down includes suggestions on how to manage network monitoring and other IT systems management (ITSM) solutions.
In addition to this, the US Department of Homeland Security, in a directive to US government agencies, ordered that systems with the said software be taken offline and not reconnected to networks until they have been rebuilt. The directive treats agencies to treat said machines as compromised, with credentials used by said machines to be changed as well. Organizations that use SolarWinds Orion within their network may consider similar steps.
The malicious files associated with this attack are already detected by the appropriate Trend Micro products as Backdoor.MSIL.SUNBURST.A and Trojan.MSIL.SUPERNOVA.A. In addition to this, the entirety of the domain avsvmcloud.com has been blocked.
If you believe that your organization may have been affected by this campaign, visit this page for the available Trend Micro solutions that can help detect and mitigate any risks from this campaign.
If you’re a Trend Micro Apex One customer, check your product console for a notification to scan your environment for attack indicators of this campaign.
Indicators of Compromise
The following hashes are associated with this campaign and are detected by Trend Micro products:
|SHA256||SHA1||Trend Micro Detection|
The following domain names are associated with this campaign and are also blocked: