Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye) - Security Boulevard

Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye)

Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye)

First, let me be clear that I have no insider knowledge. This is my best guess at what occurred, based on publicly available information here (FireEye) and others indicated in references section below.

FireEye discovered the supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware they call SUNBURST. This report is a must read to understand details associated to this incident.

https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/

Locations of DLL

https://gist.github.com/KyleHanslovan/0c8a491104cc55d6e4bd9bff7214a99e
https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/orion_platform_administrator_guide.htm
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

IOC — (Indicator of Compromise) to hunt in DNS logs + full PCAP

  • DGA generated C2 Domain : avsvmcloud[.]com
    Understanding Domain Generation Algorithms (DGA)
  • C2 domain for malware to connect to, retrieved via CNAME from DGA-generated C2
    freescanonline[.]com
    deftsecurity[.]com
    thedoccloud[.]com
    websitetheme[.]com
    highdatabase[.]com
    incomeupdate[.]com
    databasegalore[.]com
    panhardware[.]com
    Zupertech[.]com
    Virtualdataserver[.]com
    digitalcollege[.]org
  • Malicious DLL (SolarWinds.Orion.Core.BusinessLayer.dll) beacons out to C2 infra (as indicated below) to get additional payloads and commands (backdoor)
https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

FireEye notes that if the malware resolves the domain to a private IP address, it will not execute.

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Command data is spread across multiple strings that are disguised as GUID and HEX strings.

References


Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye) was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/visual-notes-solarwinds-supply-chain-compromise-using-sunburst-backdoor-detected-by-fireeye-561e097fff3c?source=rss----86a4f941c7da---4