Back to Vulnerability

Vulnerability

A malicious Orion update leads to compromise of organizations' networks

In December 2020, FireEye announced the discovery of a highly sophisticated cyber intrusion that affected multiple departments of the US government, including theTreasury Department and the Commerce Department. The actors behind the advanced persistent threat infiltrated the supply chain of SolarWinds, inserting a backdoor into the company’s Orion product. Attackers were then able to get customers to download the Trojan horse installation packages from SolarWinds, which enabled the attackers to access the systems running the Orion platforms. Approximately 18,000 of SolarWind’s 300,000 customers were running vulnerable versions of the Orion platform.

How it happened

After modifying an Orion platform plug-in called SolarWinds.Orion.Core.BusinessLayer.dll, the attackers managed to distribute the security vulnerability as part of Orion platform updates. The trojanized component, known as SUNBURST, is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.

Apart from the originally discovered SUNBURST backdoor, four other distinct pieces of malware were also discovered as elements of the attack chain.

  • SUNSPOT, an initial implant, delivered the SUNBURST backdoor into SolarWinds Orion products.
  • TEARDROP, a post-exploitation, memory-resident dropper, loads directly in memory and does not leave traces on the disk. This was used to deploy BEACON, a payload included with Cobalt Strike.
  • BEACON supports lateral movement across a variety of protocols, and a number of command and control (C2) functions.
  • RAINDROP was recently discovered to have been used to move laterally across networks that were already compromised through SUNBURST.

The attackers were also able to lay low by utilizing the backdoor that used multiple complicated blocklists to identify forensic and antivirus tools running as processes, services, and drivers, giving them the perfect cover.

Mitigating a well-planned cyberattack like this one can be difficult. With ManageEngine Log360, you can monitor and detect suspicious events across your organization's network. Download a 30-day, free trial of Log360 today.

Remediation post-attack

After the discovery of the attack, SolarWinds assured customers that the software builds known to be affected by the SUNBURST vulnerability were removed from their download sites. Customers were also advised to upgrade to the latest version with security patches to protect against SUNBURST.

How ManageEngine can help

Once attackers intrude the network through Orion platform, there are numerous ways to exploit the network. Below are some of the common lateral movement and C2 actions performed during this attack and how ManageEngine Log360, our SIEM solution can help you contain these malicious activities.

Suspicious traffic: Log360 monitors firewall traffic logs in real time and detect compromised hosts by looking for traffic with specific strings in URLs.

Malware threats: Log360 detects malware threats. In the case of SUNBURST, this was the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. By detecting the the loaded DLL immediately, IT administrators can then mitigate the threat quickly.

Malicious processes: Log360 inspects suspicious processes in your network systems for SolarWinds Orion software using Sysmon log analysis and helps stop them.

In this case, once the update is installed from the trojanized update file, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration).

Configure Log360 to detect these processes and associate workflows with the alert profile to automatically stop these processes if they are run by attackers.

Want to learn more on how to perform this on Log360? Contact our product experts.

Malicious DNS requests: Our solution inspects DNS events using Sysmon, detects malicious DNS requests and alerts the IT administrators immediately. In this case, after a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. With Log360, you can configure an alert profile to detect this instance.

C2 communication: Detects the event named piped (a peer-to-peer communication between pipe server and one or more pipe clients) created using Sysmon. This is a server-side function for instantiating a named pipe.

Log360 helps detecting Event ID 17 or 18 which refers to pipe being created under the file name "583da945-62af-10e8-4902-a8f205c72b2e".

Network traffic monitoring: Inspects the process' network connection to the reported IPs. This enables organizations to detect malicious traffic and block them from the network immediately.

Advanced threat analytics: Monitors network traffic to detect and block malicious IPs, domains and URLs through the threat intelligence module.

Lateral movement detection: Detects lateral movement related activities such as credential stealing and command and control communication. This would help organizations put a stop to the attackers looking to move through a network in search of data or assets to exfiltrate and also block their remote access capabilities.

Endpoint protection: Provides endpoint protection to all devices in the network.

Vulnerability scanning: Monitors your network regularly for vulnerabilities and immediately alerts the IT administrators of potential security threats.

Want to know how to configure Log360 to capture and mitigate SolarWinds SUNBURST attack? Ask our product experts.

Recommended actions to prevent intrusions

  • Ensure that only least privileges are applied on all systems and services in your network.
  • Educate users on untrusted websites or sources and the corresponding threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Monitor for high-risk events such as account creations, privilege escalation, new services created, unusual network communications, security-related services disabled, changes to security posture, etc regularly.
+

Stay In The Know

Thank you

You will receive weekly cybersecurity news soon!

  • Please enter a business email id
  •  
  •  
    By clicking 'I'm Interested', you agree to processing of personal data according to the Privacy Policy.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.