Twenty-three SUNBURST Targets Identified

Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims
in FireEye’s SUNBURST IOC list were
***net.***.com and central.***.gov on Kaspersky’s Securelist blog in December?
Reuters later reported that these victims were Cox Communications and Pima County.

We can now reveal that the internal AD domain of all SUNBURST deployments in FireEye’s IOC list
can be extracted from publicly available DNS logs
published by twitter user VriesHd, a.k.a. “Kira 2.0”,
with help of our
SunburstDomainDecoder tool.
The data published by VriesHd is the most complete SUNBURST DNS collection we’ve seen, with over 35.000 avsvmcloud.com subdomains!
Here is FireEye’s IOC table completed with our findings:

Victims Targeted with SUNBURST Stage 2 Backdoor

It was not just the victims listed in FireEye’s IOC that were specifically targeted by the SUNBURST operators.
As explained in our Finding Targeted SUNBURST Victims with pDNS blog post,
the “STAGE2” flag in SUNBURST’s DNS beacons can be used to reveal additional SUNBURST victims that were singled out as interesting targets by the threat actors.

We’d like to stress that the majority of all companies and organizations
that have installed a backdoored SolarWinds Orion update
were never targeted by the threat actors.
This means the these SUNBURST backdoors never made it past what we call “Stage 1 operation”,
where the backdoor encodes the internal AD domain name and installed security products
into DNS requests.
SUNBURST backdoors in Stage 1 operation cannot accept any commands from the C2 server without first progressing into Stage 2 operation.
We estimate that about 99.5% of the installed SUNBURST backdoors never progressed into Stage 2 operation.

Here is the full list of internal AD domain names for SUNBURST deployments in
Stage 2 operation that can be extracted from the DNS queries published by VriesHd:

• central.pima.gov
• cisco.com
• corp.qualys.com
• coxnet.cox.com
• ddsn.gov
• fc.gov
• fox.local
• ggsg-us.cisco.com
• HQ.FIDELIS
• jpso.gov
• lagnr.chevrontexaco.net
• logitech.local
• los.local
• mgt.srb.europa*
• ng.ds.army.mil
• nsanet.local
• paloaltonetworks*
• phpds.org
• scc.state.va.us
• suk.sas.com
• vgn.viasatgsd.com
• wctc.msft
• WincoreWindows.local

Our SUNBURST STAGE2 Victim Table
has now been updated with additional details about the STAGE2 signaling from these SUNBURST implants,
including timestamps, avsvmcloud.com subdomains and GUID values.

Initial Microsoft Targeting FAIL

The last two entries in the AD domain list above are interesting,
since they both hint that the targeted entity might be Microsoft.

The data that gets exfiltrated in DNS beacons during SUNBURST’s initial stage
is the internal domain the SolarWinds Orion PC is connected to and a list of
installed security products on that PC.
These domain names and security products was the data available to the attackers
when they decided which ones they wanted to proceed to Stage 2 with
and thereby activate the HTTPS backdoor built into SUNBURST.

The threat actors were probably surprised when they realized that “WincoreWindows.local” was in fact a company in West Virginia that manufactures high quality windows and doors.

Nevertheless, the threat actors eventually found another backdoored SolarWinds Orion machine connected to a domain called “wctc.msft”,
which might very well be Microsoft. After all, Microsoft have publicly stated that they
were breached by SUNBURST/Solorigate (thanks for being transparent!).
Below is a table outlining relevant events for these two SUNBURST deployments that can be extracted from VriesHd’s SB2 spreadsheet with SunburstDomainDecoder.

Victim Notification

We spent the previous week reaching out to targeted companies and organizations,
either directly or through CERT organizations.
From what we understand many of these organizations were already aware that they
had been targeted victims of SUNBURST, even though they might not have gone public about the breach.

The Ethical Dilemma

We have no intentions to shame the victims who have installed a backdoored
SolarWinds Orion update, regardless if they were targeted by the threat actor or not.
In fact, the supply chain security problem is an extremely difficult one to tackle,
even for companies and organizations with very high security standards.
This could have happened to anyone!

However, since multiple passive DNS logs and SUNBURST victim lists have been circulating through
publicly available channels for over a month, we felt that it was now acceptable
to publicly write about the analysis we’ve been doing based on all this data.
We’d also like to thank everyone who has helped collect and share passive DNS data,
including
John Bambenek,
Joe Słowik,
Rohit Bansal,
Dancho Danchev ,
Paul Vixie and
VriesHd.
This open data has been crucial in order to develop and verify our
SunburstDomainDecoder tool,
which has been leveraged by numerous incident response teams
to perform forensic analysis of DNS traffic from their SolarWinds Orion deployments.

More Credits

We’d like to thank CERT-SE and all other computer emergency response organizations
that have helped us with the task of notifying victim organizations that were identified as targeted.
We would also like to applaud companies and organizations like
FireEye,
Palo Alto Networks,
Microsoft and
the U.S. Department of Energy
for being transparent and publicly announcing that the SUNBURST backdoor had been used in an attempt to compromise their networks.

 Share on Facebook   Tweet   Submit to reddit.com

*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2021-01&post=Twenty-three-SUNBURST-Targets-Identified