Updated 18Dec: SUNBURST TTPs
Updated 16Dec: This post includes new observations from IronNet’s SOC and threat researchers in the section below titled “What have IronNet hunters seen?”
Editor’s note: In response to these recent events, we have removed the registration page from our supply chain white paper. Learn about the 6 most common supply chain entry points for cyber attacks, and the 5 most common attacks and how to defend against them.
If you haven’t yet caught wind of the presumed Russian attacks on the reputable and respected security firm FireEye, the U.S. government, and the IT software group SolarWinds, now is the time to take notice.
What could a security firm, the U.S. Commerce and Treasury Departments, and an IT software company possibly have in common? The answer most likely is this: a backdoor inadvertently left open, in this case via an IT monitoring platform update. The recent and unfolding news is a sobering reminder of the relentlessness of nation-state cyber attack campaigns. Throw in the added widespread vulnerabilities created by supply chain backdoors, and the risk exposure suddenly escalates from a singular corporate incident to a global attack with potentially unsettling consequences.
The shift is this: adversaries are moving from tightly secured enterprises to weaker points of entry along the supply chain. In fact, Accenture Security reports that “Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches.”
What do we know so far?
Here is our understanding of the situation:
- The FireEye, SolarWinds and government agency hacks appear to be connected.
- According to The Washington Post, the attack began with the IT vendor SolarWinds. SolarWinds CEO Kevin Thompson said that SolarWinds had been compromised via software updates that it sent to users of its Orion IT monitoring platform between March and June. (SolarWinds’ government customers include the Department of Justice; the Census Bureau; several national laboratories; and state, local, and foreign customers such as the European Parliament and Britain’s National Health Service.)
- Late Sunday evening, FireEye confirmed that the recent cyber attacks all stemmed from the compromised SolarWinds Orion software update.
- Nation-state hackers also broke into multiple federal agencies — including the U.S. Departments of Treasury and Commerce — in a campaign that appears to be linked to the recently disclosed hack of security firm FireEye. Hackers broke into the National Telecommunications and Information Administration’s (NTIA) office software, Microsoft Office 365. Staff emails at the agency had been monitored by the hackers for months prior to the attack.
- The Office of the Director of National Intelligence and U.S. Cyber Command are involved in the investigation.
While the threat actor used several sophisticated techniques to hide command and control traffic, such as mimicking Solarwinds Orion traffic and leveraging cloud providers to masquerade as trusted geolocated environments, the DNS tunneling techniques used are able to be detected with behavioral analytics and network detection and response technology.
This attacker applied advanced techniques often attributed to nation-state threat actors:
- The compromise of the SolarWinds Orion update mechanism that was used to place implants greatly expanded the attacker’s target landscape. A seemingly legitimate software update allowed them to leverage the supply chain to distribute a backdoor software update component called a dynamic link library, or dll.
- Once inside, the threat actor leveraged multiple techniques to move laterally through computing networks undetected by using sophisticated evasion capabilities, credential reuse, multi-factor authentication bypass, and other advanced “living off the land” techniques. CISA reports it is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.
What is IronNet doing?
For IronNet customers, we immediately reviewed all customer environments for indicators related to this attack. IronNet’s CyOC is taking the following actions:
- Deploying Open Source IDS rules formatted as Suricata Rules to our sensors:
- Executing manual Threat Defined Queries in each of our monitored customer environments (and our own
networks) to ensure none of the known SUNBURST Indicators of Compromise (IoC) have been
- Deploying Threat Intelligence Rules (TIR) for SUNBURST IoCs.
- Deploying Suricata Rules to IronSensors for countermeasures released by FireEye. (FireEye-
- Deploying Yara Signatures in our ReversingLabs malware store to identify any permutations of the
already identified malicious update file or the packaged DLL. Nothing has been identified yet.
- Evaluating artifacts associated for network related behaviors to include:
What have IronNet hunters seen?
As of 16Dec:
- We have observed DGA/DNS Tunneling behavior as described by FireEye and discussed in the infosec community, at multiple customer sites.
- Decode observed sub-domains identified both internal domains and what appears to be character strings that did not decode properly.
- At this time we have not observed any domain responses from the initial C2.
- Paired observed IP response with FireEye-published identification of kill codes, and evaluated timelines. Based on current visibility we have observed some traffic persisting after kill command and our current assumption is that that is an additional infected host in the environment.
FireEye identified an aspect of SUNBURST C2 as Domain Generation Algorithm for the subdomains of avsvmcloud[.]com, and although mostly a matter of semantics, IronNet has been referring to that behavior as DNS tunneling due to the nature of the use of the DNS query response protocol to pass C2 commands including detasking the implant.
Additionally, according to what has been published by various members of the community, the subdomain label can be decoded and appears to directly correspond with the internal domain of the implant.
IronNet has a behavioral-based detection for DNS tunneling and during the process of our incident response we did identify this behavior within our IronDome environment during the March to August timeframe.
APT29, aka “Cozy Bear,” assumed actor
The Russian advanced persistent threat (APT) group known as APT 29, or Cozy Bear, is the assumed instigator of this attack. You can read about its typical techniques here.
In July 2020, cybersecurity agencies from the U.K., Canada, and the U.S. jointly attributed a campaign targeting pharmaceutical companies and academic institutions involved in COVID-19 vaccine development to APT29.
Why are APT attacks so difficult to detect? Techniques by adversaries such as Cozy Bear are challenging to detect with traditional cybersecurity tools. These tactics, techniques, and procedures (TTPs) are at the apex of what security researcher David J. Bianco calls the threat hunting framework Pyramid of Pain. But when you can detect and respond at this level, you are operating directly on adversary behaviors, not just against their tools. So from a pure effectiveness standpoint, this level is your ideal. If you are able to respond to an adversary’s TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors. That’s not an easy task for even the most egregious of bad actors.
How do you detect threats that have infiltrated your network?
Network Behavior and Response systems built on behavioral analytics can “see” these TTPs on the network. The NY Times reports that in the FireEye attack, for instance, “the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.” This onslaught of new domain creation is something that behavioral analytics can detect during this crucial network dwell time.
Stopping hackers in their tracks at the reconnaissance phase of intrusion (or as “left of boom” as possible in the MITRE ATT&CK Framework, for example) is critical. Once an adversary moves along the intrusion path, being able to map detected observables to threat techniques is also essential for better determining the best and fastest course of remediation.
These are the threats by adversaries who have managed to slip past your firewall and/or taken advantage of an insecure endpoint to get inside your network. Once inside, adversaries often lurk there to determine the best way to steal money or data, including personally identifiable information (PII) or intellectual property. They may then move laterally across networks from their entry point to find the systems or data they are targeting. The earlier the detection by assessing Indicators of Behavior (instead of just known IoCs), the lesser the risk
Organizations need to implement a security-in-depth strategy with detection capabilities geared towards detecting behavioral TTPs from the MITRE ATT&CK framework.
The role of behavioral analytics
There are techniques for detecting nation-state activity earlier using behavioral analytics and an Expert System, which can anticipate the actions of nation-state threat actors. In the case of the SolarWinds attack, IronNet analysts learned about indicators that IronNet analytics and its Expert System are designed to detect, including:
- Post compromise activity included lateral movement and data theft. Our analytics and sensors are designed and positioned to detect movement within the network, especially when large amounts of data are exfiltrated.
- SolarWinds’ Orion software framework contains a backdoor that communicates via HTTP to third party servers. IronNet’s analytics specifically focus on HTTP for domain analysis, periodic and consistent beaconing, and extreme rates.
- Multiple trojanzied updates were digitally signed from March through May 2020 and posted to the SolarWinds updates website. IronNet analytics examine certificates to detect unusual activity.
- IronDome’s threat sharing platform would have communicated correlated actionable activity between the private sector and government agencies.
Actions and recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert indicating that SolarWinds Orion Platform software is being actively exploited by malicious actors, and the Department of Homeland
Security (DHS) has issued an emergency directive instructing U.S. federal agencies to immediately disconnect all SolarWinds Orion products.
Security researchers at FireEye have published technical details indicating that a software supply chain compromise occurred earlier in 2020 and resulted in a trojanized version of SolarWinds Orion being distributed to customers, which they have dubbed SUNBURST.
SolarWinds has additionally published a security advisory recommending customers upgrade to the latest version of Orion Platform and indicating that the company plans to release an additional hotfix later this week.
In response to these recent events, we have removed the registration page from our supply chain white paper. Learn about the 6 most common supply chain entry points for cyber attacks, and the 5 most common attacks and how to defend against them.
*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by IronNet. Read the original post at: https://www.ironnet.com/blog/analysis-solarwinds-supply-chain-attack