Alert - Recommendations for SolarWinds Supply-Chain Compromise - update 1

Number: AL20-031 UPDATE 1
Date: 30 December 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

On 13 December 2020 SolarWinds disclosed recent malicious activity impacting the SolarWinds Orion Platform [1] and affecting high-profile clients including FireEye and the U.S. Government. This activity was enabled by a supply chain compromise of the product carried out by a highly sophisticated threat actor. It is believed that government agencies and a variety of organizations in Canada and abroad may be affected.

UPDATE

On 26 December 2020 the Computer Emergency Response Team Coordination Center (CERT/CC) issued an advisory describing a vulnerability in the SolarWinds Orion application programming interface (API). In addition, the Cyber Centre would like to highlight SolarWinds’ list of Orion versions affected by SUNBURST and SUPERNOVA. Please refer to the SUPERNOVA Backdoor section of this Alert for details.

DETAILS

On 13 December 2020 SolarWinds disclosed a vulnerability in its SolarWinds Orion software that had been linked to detected malicious activity. [1] On the same day, open-source reporting indicated that the U.S. Treasury Department and possibly other U.S. Government departments had been compromised. Cyber security research firm FireEye also reported that it had been compromised. [2]

FireEye reported it had discovered a global intrusion campaign resulting from a supply chain compromise. By trojanizing SolarWinds Orion Platform software updates, the actors were able to distribute malware to every organization that installed them. This campaign may have begun as early as Spring 2020 and FireEye reports it is currently ongoing. Post-compromise activity includes lateral movement and data theft, and leverages multiple techniques to evade detection and obscure malicious actions.

As the cyber security community continues to analyze the activity, additional information relevant to detection and remediation has been emerging. The Cyber Centre is publishing this Alert to provide guidance based on our analysis, engagement and further discussions with the Canadian government, industry, and our international partners. Through those engagements the Cyber Centre has received reports that the Domain Generation Algorithm (DGA) subdomains associated with this activity are unique to each compromise, so a subdomain observed at one victim will not be seen at another and monitoring should key on the parent domain rather than on lists of specific subdomains. The Cyber Centre has been working within the community to identify affected systems and has notified Canadian system owners where possible. The impact on these compromised systems remains unidentified, but analysis is ongoing.

RECOMMENDATIONS

The SolarWinds Orion vulnerability and associated compromises are far reaching, and it is important that organizations perform thorough analysis of their networks to ensure the malicious actors have been removed from both the initial point of compromise and any systems potentially impacted. The Cyber Centre recommends that users of SolarWinds Orion software follow the Detection and Mitigation steps provided below to determine the potential impact to their networks. The Cyber Centre strongly encourages organizations to follow their own risk-based assessments on remediation and recovery.

DETECTION

Organizations should first identify any systems with compromised SolarWinds Orion software and isolate them from the Internet immediately. SolarWinds has identified the below versions as compromised:

  • Platform 2019.4 HF5, version 2019.4.5200.9083;
  • Platform 2020.2 RC1, version 2020.2.100.12219;
  • Platform 2020.2 RC2, version 2020.2.5200.12394;
  • Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

In addition, systems which have, at any time, run one of the compromised SolarWinds versions listed above should also be isolated from the Internet immediately and investigated for signs of compromise.

It is recommended that organizations continue monitoring SolarWinds Orion system(s), and any systems to which they had access, for anomalous activity. Examples of anomalous activity include, but are not limited to, the following MITRE ATT&CK® framework techniques, which CISA Alert AA20-352A reports the threat actor has used. [3]

  • Query Registry [T1012]
  • Obfuscated Files or Information [T1027]
  • Obfuscated Files or Information: Steganography [T1027.003]
  • Process Discovery [T1057]
  • Indicator Removal on Host: File Deletion [T1070.004]
  • Application Layer Protocol: Web Protocols [T1071.001]
  • Application Layer Protocol: DNS [T1071.004]
  • File and Directory Discovery [T1083]
  • Ingress Tool Transfer [T1105]
  • Data Encoding: Standard Encoding [T1132.001]
  • Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
  • Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
  • Software Discovery [T1518]
  • Software Discovery: Security Software [T1518.001]
  • Create or Modify System Process: Windows Service [T1543.003]
  • Subvert Trust Controls: Code Signing [T1553.002]
  • Dynamic Resolution: Domain Generation Algorithms [T1568.002]
  • System Services: Service Execution [T1569.002]
  • Compromise Infrastructure [T1584]

In addition, Microsoft has reported attempts by the actors to gain long-term persistence using compromised accounts, or by forging Security Assertion Markup Language (SAML) tokens. Microsoft has reported four main takeaways; the following three describe post-compromise activity resulting from SAML abuse. [4]

  • Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
  • Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
  • Using the global administrator account and/or the trusted certificate to impersonate highly privileged accounts, the actor may add their own credentials to existing applications or service principals, enabling them to call APIs with the permission assigned to that application.
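Microsoft's observation above is that a token forged with the stolen token-signing certificate passes signature validation, so the signature alone cannot flag it. The following Python script, added here as an example and not drawn from the Alert or from Microsoft's guidance, shows two checks that still work after signature validation has passed: correlating assertion IDs seen at the service provider against the identity provider's own issuance records, and flagging validity windows longer than the IdP's configured token lifetime. The SAML assertions, the issuance-record set and the one-hour lifetime are constructed for the example; how issuance records are exported from a given IdP is assumed and varies by product.

```python
"""Correlate SAML assertions observed at a service provider with the identity
provider's issuance records. Added example for this Alert; all sample data is
constructed and the IdP record format is an assumption."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions. Signature elements are omitted: the premise of
# the checks below is that signature validation has already passed because the
# attacker signs with the organisation's own (stolen) token-signing key.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="{id}" Version="2.0" IssueInstant="{nb}">
  <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>
</saml:Assertion>"""

SP_OBSERVED_ASSERTIONS = [
    # Legitimate login: IdP has a matching record, one-hour validity window.
    ASSERTION_TEMPLATE.format(id="_7c1e0a", subject="alice@example.com",
                              nb="2020-12-14T10:00:00Z", na="2020-12-14T11:00:00Z"),
    # Forged token: never issued by the IdP, valid for a week.
    ASSERTION_TEMPLATE.format(id="_9f4b2d", subject="globaladmin@example.com",
                              nb="2020-12-14T10:05:00Z", na="2020-12-21T10:05:00Z"),
]

# Assertion IDs the IdP's own audit log says it issued (record format assumed).
IDP_ISSUED_IDS = {"_7c1e0a"}


def parse_ts(value):
    """SAML timestamps are UTC xsd:dateTime values such as 2020-12-14T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_assertion(xml_text):
    """Extract the fields needed for correlation from a SAML 2.0 Assertion or Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML_NS)
    conditions = assertion.find("saml:Conditions", SAML_NS)
    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    return {
        "id": assertion.get("ID"),
        "subject": name_id.text,
        "not_before": parse_ts(conditions.get("NotBefore")),
        "not_on_or_after": parse_ts(conditions.get("NotOnOrAfter")),
    }


def find_suspicious_assertions(sp_assertions, idp_issued_ids, max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, subject, reasons) for assertions the IdP never
    recorded issuing, or whose validity window exceeds the expected lifetime."""
    findings = []
    for xml_text in sp_assertions:
        a = parse_assertion(xml_text)
        reasons = []
        if a["id"] not in idp_issued_ids:
            reasons.append("no matching issuance record at the IdP")
        lifetime = a["not_on_or_after"] - a["not_before"]
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds configured maximum {max_lifetime}")
        if reasons:
            findings.append((a["id"], a["subject"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, subject, reasons in find_suspicious_assertions(SP_OBSERVED_ASSERTIONS, IDP_ISSUED_IDS):
        print(f"{assertion_id} ({subject}): " + "; ".join(reasons))
```

Both checks depend on the service provider side retaining the assertions (or at least their IDs, subjects and Conditions) and on the IdP's audit logging being enabled and preserved off the IdP host, since an actor with administrative access to the IdP can otherwise remove the evidence that a record is missing.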

MITIGATION

The Cyber Centre recommends the following graduated compromise scenarios for operators to determine potential response options. The mitigation responses are divided into four scenarios based on the determination of impact: whether the system ran a version containing the SUNBURST backdoor, whether it could reach the Internet, and what its network activity shows. One of the following four mitigation approaches is recommended:

Scenario 1 - If the system did not run an affected version containing the SUNBURST backdoor, perform the following mitigations:

  • Patch to the latest recommended version by vendor
  • Follow recommended industry best practices for hardening of enterprise systems
  • Re-introduce system to enterprise environment after performing a thorough risk evaluation

Scenario 2 - If the system has the SUNBURST backdoor but was unable to connect to the Internet, so that the SUNBURST code could not reach the actor's hosts, perform the following mitigations:

  • Continue isolation of system and rebuild SolarWinds Orion using the latest recommended versions by vendor
  • Follow recommended industry best practices for hardening of enterprise systems
  • Re-introduce system to enterprise environment after performing a thorough risk evaluation

Scenario 3 - If the SUNBURST backdoor is found and/or following review of network activity, the system is found to have resolved a subdomain of avsvmcloud[.]com, perform the following mitigations:

  • Begin incident response procedures for system compromise;
  • Follow detailed remediation support guidance in references below [2] [3] [5]

Scenario 4 - If the SUNBURST backdoor is found and following a review of network activity, the system is found to have resolved a subdomain of avsvmcloud[.]com as well as additional hosts and IP addresses associated with SUNBURST indicators of compromise provided below, perform the following mitigations:

  • Treat any systems and credentials associated with the Orion platform as potentially compromised;
  • Implement incident response options within the affected network(s) using the MITRE ATT&CK® framework above to identify anomalous activity;
  • Follow detailed remediation support guidance in references below [2] [3] [5]
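The decision across the four scenarios, together with the version list in the Detection section, can be applied mechanically once an operator has three inputs: the Orion build that was installed, whether the host could reach the Internet, and the host's DNS query history. The Python script below is an added example, not part of the Alert, that does this triage; the DNS log format, the sample query names and the hypothetical IOC hostname are constructed for the example and are not real indicators. It anchors the match on avsvmcloud.com as the parent domain, so that the per-victim DGA subdomains are caught without a list of specific subdomains, while look-alike names that merely contain the string are not.

```python
"""Triage an Orion host into one of the Alert's four mitigation scenarios.
Added example, not part of the Alert; log format and sample data are constructed."""
import re

# Orion builds SolarWinds has identified as containing SUNBURST
# (taken from this Alert's Detection section).
SUNBURST_VERSIONS = {
    "2019.4.5200.9083": "2019.4 HF5",
    "2020.2.100.12219": "2020.2 RC1",
    "2020.2.5200.12394": "2020.2 RC2",
    "2020.2.5300.12432": "2020.2 / 2020.2 HF1",
}

# Any subdomain of avsvmcloud.com: at least one label, then the apex, optional
# trailing dot. The apex alone and look-alikes such as avsvmcloud.com.example
# do not match.
AVSVMCLOUD_SUBDOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+avsvmcloud\.com\.?$", re.IGNORECASE)

# Constructed DNS log. Assumed format: '<timestamp> <client> <qtype> <qname>'.
# The avsvmcloud subdomain below is made up, not an observed DGA value.
DNS_LOG = """\
2020-12-14T02:13:09Z 10.10.5.20 A time.windows.com
2020-12-14T02:13:41Z 10.10.5.20 A r1q5ld3b9bc.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T02:14:02Z 10.10.5.21 A avsvmcloud.com.evil-lookalike.example
2020-12-14T02:15:33Z 10.10.5.20 CNAME updates.example.net
"""


def find_avsvmcloud_queries(dns_log_lines):
    """Return (timestamp, client, qname) for every query to an avsvmcloud.com subdomain."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, _qtype, qname = parts[:4]
        if AVSVMCLOUD_SUBDOMAIN.match(qname):
            hits.append((timestamp, client, qname.rstrip(".")))
    return hits


def classify_scenario(orion_version, had_internet_egress, dns_log_lines, other_ioc_hits=()):
    """Map the evidence to the Alert's scenarios 1 to 4.

    orion_version:       build string of the Orion install (how it is obtained
                         is outside this example).
    had_internet_egress: whether the host could reach the Internet while the
                         backdoored build was installed.
    dns_log_lines:       the host's DNS query history.
    other_ioc_hits:      hostnames/IPs the operator has already matched against
                         the indicator repositories referenced in the Alert.
    """
    backdoored = orion_version in SUNBURST_VERSIONS
    dga_queries = find_avsvmcloud_queries(dns_log_lines)
    if not backdoored and not dga_queries:
        scenario = 1  # never ran a SUNBURST build, no beaconing observed
    elif backdoored and not had_internet_egress and not dga_queries:
        scenario = 2  # backdoor present but it could not call home
    elif backdoored and dga_queries and other_ioc_hits:
        scenario = 4  # backdoor, beaconing, and second-stage indicators
    else:
        scenario = 3  # backdoor found and/or avsvmcloud.com resolution seen
    return {
        "scenario": scenario,
        "sunburst_build": SUNBURST_VERSIONS.get(orion_version),
        "avsvmcloud_queries": dga_queries,
        "other_ioc_hits": sorted(other_ioc_hits),
    }


if __name__ == "__main__":
    # hypothetical-c2.example stands in for a hostname matched from the IOC repositories
    result = classify_scenario("2020.2.5300.12432", True, DNS_LOG.splitlines(),
                               other_ioc_hits={"hypothetical-c2.example"})
    print(f"Scenario {result['scenario']}: build {result['sunburst_build']}, "
          f"{len(result['avsvmcloud_queries'])} avsvmcloud.com query(ies), "
          f"IOC hits {result['other_ioc_hits']}")
```

Note that a host that is not on the SUNBURST build list but did resolve an avsvmcloud.com subdomain is still placed in Scenario 3, as the "and/or" in that scenario requires; the version list is a necessary input but the DNS evidence overrides a clean version check.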

INDICATORS OF COMPROMISE

Several partners and industry leaders are maintaining repositories of information related to this activity. The Cyber Centre recommends that organizations continue to review these sources for updates and recommendations on defending their networks and host-based systems, and for potential response options following a compromise.

FireEye SUNBURST
https://github.com/fireeye/sunburst_countermeasures

Solorigate Resource Center
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/

Dark Halo Leverages SolarWinds Compromise to Breach Organizations
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

SUPPLEMENTAL ANALYSIS

Additional precautions

Whether or not an active compromise is detected, the Cyber Centre recommends that administrators reset the credentials of any account or system that is presently used to authenticate to a SolarWinds Orion server. If the adversary has compromised administrative-level credentials, it may not be sufficient to simply mitigate individual issues, systems, servers, or specific user accounts to remove the malicious actor from the network. In such cases, given the sophistication of the threat actor involved, organizations should consider the entire identity trust store to be compromised. A full rebuild of the identity trust store and environment is the safest action [3].

As technical analysis is performed and indicators of compromise are discovered, new exploit mechanisms may emerge. The Cyber Centre encourages organizations to review the references enclosed with this Alert, which will most often include these important updates.

SUPERNOVA Backdoor

On 17 December 2020 Palo Alto Networks Unit 42 published a report outlining a separate method of exploitation involving a backdoor named SUPERNOVA, located within a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll (the compiled .NET handler behind the Orion web application's logoimagehandler.ashx endpoint). Neither Unit 42 nor Microsoft could verify that this webshell was used by the same sophisticated actor as SUNBURST; both assess that it may be the work of a separate malicious actor. [6] [7]

While the Cyber Centre has not observed this activity, Microsoft indicates that the malicious code "provides an attacker the ability to send and execute any arbitrary C# program on the victim's device". Detection is difficult because the webshell compiles the attacker-supplied C# source in memory, on the fly, and executes it dynamically, so no second-stage payload need ever be written to disk. Unit 42 has published a detailed analysis of the malicious code as well as potential methods of detection. [6]

On 26 December 2020 CERT/CC issued an advisory highlighting an authentication bypass in the SolarWinds Orion application programming interface (API) that allows an unauthenticated remote actor to execute API commands. Tracked as CVE-2020-10148, this vulnerability is addressed by the same updates that address the SUPERNOVA malware. [8] [1]

The Cyber Centre would also like to highlight that numerous SolarWinds Orion platform versions, while not affected by SUNBURST, are affected by SUPERNOVA. SolarWinds has compiled a list of Orion versions affected by SUNBURST and SUPERNOVA in its advisory. [1]
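As an added example, and not code or detection content from this Alert, the Python script below applies two hunt criteria that follow from the references cited in this section to IIS W3C logs from an Orion web server: requests to logoimagehandler.ashx that carry all four query parameters the SUPERNOVA handler reads (clazz, method, args and codes, as named in the Unit 42 analysis [6]), and requests in which one of the path strings CERT/CC names for CVE-2020-10148 (WebResource.adx, ScriptResource.adx, i18n.ashx, Skipi18n) is appended as PathInfo behind another ASP.NET handler [8]. The second check is a heuristic of this example, not a signature published in the references; the log lines, paths and client addresses are constructed.

```python
"""Hunt IIS W3C logs for SUPERNOVA invocations and CVE-2020-10148 bypass attempts.
Added example for this Alert; the log sample is constructed."""
import re
from urllib.parse import parse_qs

# Query-string parameters the SUPERNOVA handler reads (names from the Unit 42
# analysis cited in the Alert, not from the Alert text itself).
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}

# Path strings that, per CERT/CC VU#843464, cause the Orion API to skip
# authorization when present in the request path (CVE-2020-10148).
BYPASS_MARKERS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# Heuristic (an assumption of this example): a marker appended as PathInfo behind
# another ASP.NET handler, e.g. /foo.ashx/Skipi18n, rather than a direct request
# for the resource itself, which Orion pages legitimately make.
BYPASS_AS_PATHINFO = re.compile(
    r"\.(?:ashx|aspx|asmx|svc)/.*(?:" + "|".join(re.escape(m) for m in BYPASS_MARKERS) + r")",
    re.IGNORECASE,
)

# Constructed sample log (IIS W3C extended format; spaces in fields are '+' encoded).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-12-15 03:12:44 10.10.5.30 GET /Orion/Login.aspx - 443 10.10.9.7 Mozilla/5.0 200
2020-12-15 03:12:59 10.10.5.30 GET /Orion/WebResource.adx d=abc 443 10.10.9.7 Mozilla/5.0 200
2020-12-15 03:13:21 10.10.5.30 GET /Orion/logoimagehandler.ashx id=12 443 10.10.9.7 Mozilla/5.0 200
2020-12-15 03:14:05 10.10.5.30 GET /Orion/logoimagehandler.ashx codes=ZGVtbw&clazz=Demo&method=Run&args=1 443 203.0.113.77 python-requests/2.25 200
2020-12-15 03:14:40 10.10.5.30 GET /api/SomeHandler.ashx/Skipi18n - 443 203.0.113.77 python-requests/2.25 200
"""


def parse_iis_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line
        yield dict(zip(fields, values))


def hunt_supernova(lines):
    """Return (when, client, finding, request) tuples for suspicious requests."""
    findings = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        params = {p.lower() for p in parse_qs("" if query == "-" else query, keep_blank_values=True)}
        when = f"{rec.get('date')} {rec.get('time')}"
        client = rec.get("c-ip", "?")
        # Legitimate image requests carry an id; the webshell needs all four of its own parameters.
        if stem.lower().endswith("/logoimagehandler.ashx") and SUPERNOVA_PARAMS <= params:
            findings.append((when, client, "SUPERNOVA webshell invocation", f"{stem}?{query}"))
        if BYPASS_AS_PATHINFO.search(stem):
            findings.append((when, client,
                             "possible CVE-2020-10148 auth bypass (marker appended as PathInfo)", stem))
    return findings


if __name__ == "__main__":
    for when, client, finding, request in hunt_supernova(SAMPLE_IIS_LOG.splitlines()):
        print(f"{when} {client} {finding}: {request}")
```

The first check is the stronger one: the webshell's parameter set does not occur in legitimate traffic to that handler. A hit on the second check warrants review of what the request reached, since a request that sets the bypass flag can be used to drop the SUPERNOVA DLL in the first place.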

REFERENCES

[1] SolarWinds Security Advisory
https://www.solarwinds.com/securityadvisory

[2] Highly Evasive Attacker Leverages SolarWinds Supply Chain
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[3] CISA Alert (AA20-352A)
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

[4] Customer Guidance on Recent Nation-State Cyber Attacks
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

[5] Solorigate Resource Center
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/

[6] SUPERNOVA: A Novel .NET Webshell
https://unit42.paloaltonetworks.com/solarstorm-supernova/

[7] Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

[8] CERT/CC Vulnerability Note VU#843464
https://kb.cert.org/vuls/id/843464

Should organizations identify activity like that described in this Alert, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).


NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses, and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.