
Hunting for SolarWinds Orion Compromises

The recently discovered SolarWinds Orion compromise is looking like it might be the most extensive hack in history. Every organization using SolarWinds Orion versions 2019.4 through 2020.2.1 (per the Homeland Security advisory linked here) for server monitoring is advised to assume that their servers and networks are compromised by the actors responsible. Initial estimates are that 18,000+ entities, including most Fortune 500 companies and many sensitive government entities, are users of the software.

Infocyte spent the morning proactively hunting and notifying our customers who may be affected by the malware. As a result of this effort, we have tested and published an official Infocyte extension which scans servers for all reported host-based indicators of compromise related to this incident.

Users and partners are advised to run this on their servers in addition to our standard memory scans, which will pick up the secondary payloads (like Cobalt Strike) that are injected by the malware embedded in SolarWinds.

Infocyte SUNBURST Extension: https://github.com/Infocyte/extensions/blob/master/official/collection/sunburst.lua

SUNBURST

As a summary of the technical reporting provided by FireEye, CISA, and others, understand that this malware is a set of multiple tools.

SUNBURST is basically the initial access trojan found embedded within the signed Orion code base, and it was distributed via the official patch process. This module waits up to two weeks following the patch, conducts initial local recon of any defenses that could find the malware, then reaches out to command and control for additional instructions or to load other malware payloads.

Secondary payloads have been seen by FireEye to launch existing malware like Cobalt Strike Beacons into memory, which are then used to propagate through the network. Secondary payloads like Cobalt Strike are used because they are more feature-rich, but they could be more easily caught without the initial trojan's recon and path clearing.

IMPORTANT: Just because you have SolarWinds Orion does not mean the threat actors did anything with that access during the exposure time. Finding additional indicators of compromise, secondary payloads, golden ticket creation, and evidence of lateral movement will confirm the severity of your compromise.

For instance, FireEye also released information on SUPERNOVA, a custom .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. Unlike the SUNBURST trojan, which makes outbound connections, this secondary payload allows inbound backdoor access to SolarWinds management interfaces/servers.

OTHER RECOMMENDATIONS

If you are unsure which machines have the SolarWinds Orion application installed, you can use Infocyte to view all applications that were found in the last 90 days under the Analyze tab.

  • CISA and FireEye have recommended blocking all traffic to and from hosts that have SolarWinds Orion installed and monitoring your network traffic for anomalies.
  • Use Infocyte to scan your entire server environment for secondary memory-only remote access tools (RATs) like Cobalt Strike.
  • Check Orion management servers for .NET web shells (SUPERNOVA).
  • Ensure you are conducting host-based behavior monitoring by enabling real-time monitoring in Infocyte. Look for PowerShell activity and one-to-many administrative connections coming from Orion servers or servers in their local subnet.
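An added example (not from the original post or the Infocyte extension) of the one-to-many check in the last bullet: it reads constructed connection records and flags any source in an assumed Orion server set or its assumed local subnet that reaches at least a threshold of distinct destinations on administrative ports.

```python
# Added example, not Infocyte code. Flags one-to-many administrative connections
# originating from Orion servers or their local subnet. The Orion host, subnet,
# port list and threshold are assumptions; the log lines below are constructed.
import ipaddress
from collections import defaultdict

ORION_SERVERS = {"10.0.5.20"}                        # assumed Orion host(s)
ORION_SUBNET = ipaddress.ip_network("10.0.5.0/24")   # assumed local subnet
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}           # RPC, SMB, RDP, WinRM
THRESHOLD = 5                                        # distinct destinations before alerting

# Constructed sample records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2020-12-14T10:00:01 10.0.5.20 10.0.7.10 445
2020-12-14T10:00:02 10.0.5.20 10.0.7.11 445
2020-12-14T10:00:03 10.0.5.20 10.0.7.12 5985
2020-12-14T10:00:04 10.0.5.20 10.0.7.13 5985
2020-12-14T10:00:05 10.0.5.20 10.0.7.14 3389
2020-12-14T10:00:06 10.0.5.20 10.0.7.15 445
2020-12-14T10:00:07 10.0.5.44 10.0.7.10 445
2020-12-14T10:00:08 10.0.9.9 10.0.7.10 445
2020-12-14T10:00:09 10.0.9.9 10.0.7.11 445
2020-12-14T10:00:10 10.0.5.20 10.0.7.16 443
"""

def parse_line(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def in_scope(src):
    """True if the source is an Orion server or sits in the Orion subnet."""
    return str(src) in ORION_SERVERS or src in ORION_SUBNET

def find_one_to_many(log_text, threshold=THRESHOLD):
    """Return {source: sorted destinations} for in-scope sources whose
    admin-port fan-out reaches the threshold. Non-admin ports are ignored."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port = parse_line(line)
        if in_scope(src) and port in ADMIN_PORTS:
            fanout[str(src)].add(str(dst))
    return {s: sorted(d) for s, d in fanout.items() if len(d) >= threshold}

if __name__ == "__main__":
    for src, dsts in find_one_to_many(SAMPLE_LOG).items():
        print(f"ALERT one-to-many admin fan-out from {src}: {len(dsts)} hosts {dsts}")
```

In the sample, only the Orion host trips the threshold (six admin-port destinations; the port 443 record is not counted), while the subnet neighbor with a single destination and the out-of-scope source are not reported.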

Remember, having Orion isn't confirmation that your data and network were totally lost. It means the actors had the opportunity, but with tens of thousands of targets, it's likely they triaged those networks for the best targets first.

No one should go through a breach alone. If there is anything we can help with, please reach out to us. Existing customers and partners have direct access to our team via the chat interface in the Infocyte app.

Good hunting!

Chris Gerritz, Co-founder, Head of Product
Chris Mills, VP of Customer and Partner Success



This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Virginia Satrom. Read the original post at: https://www.infocyte.com/blog/2020/12/14/hunting-for-solarwinds-orion-compromises/