//Blogs - 20 December 2020

Sunburst - FireEye’s Discovery of Trojanised SolarWinds Software

Image: SUNBURST Malware



Update: 21:30 AEST December 20 2020
Update: 21:30 AEST December 19 2020
Update: 10:00 AEST December 18 2020
Update: 22:30 AEST December 15 2020
Update: 15:00 AEST December 15 2020
Update: 14:00 AEST December 15 2020
Initial Publication: 09:00 AEST December 15 2020

 
 
Update (21:30 AEST 20-12-2020)
US-CERT CISA has announced [14] and, at the time of writing, made available an update to its advisory [12] which "... provides new mitigation guidance and revises the indicators of compromise table..." [14]. The U.S. Department of Homeland Security (DHS) has also updated its emergency directive with supplementary guidance [15].
 
Update (21:30 AEST 19-12-2020)
At the time of writing this update, the US-CERT CISA advisory that was publicly available as at 10:00 AEST 18-12-2020 is returning "Access Denied". As the advisory was public at that time, a copy may still be available in web archives [13].
 
Update (10:00 AEST 18-12-2020)
SolarWinds states that Orion was the only one of its products affected by the breach [10]. A joint statement has also been released by the U.S. Government [11] announcing actions and updates from US-CERT CISA concerning the SolarWinds Orion breach, the way it has been leveraged against victims, and recommended mitigation steps [12].
 
Update (22:30 AEST 15-12-2020)
Additional IoC and TTP information has been published by the research organisation Volexity [9].
 
Update (15:00 AEST 15-12-2020)
The headline of an earlier version of this article incorrectly attributed the vulnerable software to FireEye. FireEye is the third-party research firm that discovered the compromise; the affected software is SolarWinds Orion. We apologise for any confusion caused by our initial publication. A new headline is now in place to better reflect the incident.

Update (14:00 AEST 15-12-2020)
A set of IoCs has been published by Talos [7], and the number of affected customers is expected to be "fewer than 18,000" worldwide according to SolarWinds' SEC filing on the incident [8].
The hotfix is expected to be made available "on or prior to 15th December 2020" [8] (date and time in U.S. time zones).
 
Initial (09:00 AEST 15-12-2020)
Introduction:
FireEye has discovered a supply chain attack against SolarWinds that resulted in trojanised versions of SolarWinds Orion being distributed. Because the trojanised updates were delivered through SolarWinds' own update channel and carried a valid SolarWinds digital signature, signature verification alone would not have flagged them: a valid signature proves only that the vendor signed the file, not that the vendor's build was clean.
 
Multiple trojanised updates were digitally signed between March and May 2020 and posted to the SolarWinds Orion updates website, including: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp [1]
 
After installation, the backdoor embedded in the trojanised update remains dormant for up to two weeks before it begins contacting its command-and-control infrastructure [1]. FireEye has released countermeasures [2] and indicators of compromise [3] that can be used to trace this activity once it starts.
 
RECOMMENDED ACTION:
It is highly advised that the advisories from FireEye [1] and SolarWinds [6] be reviewed, as they set out actionable steps to detect malicious activity and protect your network.
 
These include the following steps:
 
1. Download the latest SolarWinds Orion software from SolarWinds and apply the version recommended in its advisory [6].
 
2. If you are a SolarWinds Orion customer, check whether any Orion updates were downloaded or installed between March and May 2020, the period in which the trojanised updates were signed and posted.
 
3. Where possible and relevant, apply the detection rules released by FireEye [2] to determine whether malicious activity is currently present in your network.
 
4. Where possible, search network logs (DNS and proxy logs in particular, since the published indicators include domains and IP addresses) for the Indicators of Compromise (IoC) [3] for any sign of activity that may have occurred in your network.
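As an added example, not code from the AusCERT post, FireEye or SolarWinds, the following Python script shows the shape of steps 2 to 4 when carried out offline against collected logs: it loads an indicator list in the common type,indicator CSV layout, scans DNS and proxy log lines for indicator domains and IP addresses (matching subdomains as well, since FireEye's report [1] describes the backdoor using generated subdomains of a fixed command-and-control domain), and compares file hashes gathered from hosts, for instance with Get-FileHash over the Orion installation directory, against the indicator hashes. Every indicator and log line in the script is a constructed placeholder, not a real SUNBURST indicator; in practice IOC_CSV would be replaced with the FireEye list [3].

```python
"""
Added example (not code from the AusCERT post, FireEye or SolarWinds):
a small offline IoC matcher for recommended actions 2-4. It loads an
indicator list in the common "type,indicator" CSV layout, scans DNS and
proxy log lines for indicator domains and IPs, and compares file hashes
(e.g. as reported by Get-FileHash) against indicator hashes.

Every indicator and log line below is CONSTRUCTED for illustration; none
is a real SUNBURST indicator. Replace IOC_CSV with the FireEye list [3].
"""
import csv
import io
import re

# Constructed indicator feed (placeholder values only). Domains are
# defanged with [.] as published feeds usually are; load_iocs() refangs them.
IOC_CSV = """type,indicator,note
domain,c2-placeholder[.]example,constructed C2 apex domain
domain,update-cdn[.]example,constructed second-stage host
sha256,0000000000000000000000000000000000000000000000000000000000000001,constructed trojanised DLL hash
ip,203.0.113.10,constructed C2 IP (TEST-NET-3 range)
"""

# Constructed DNS and proxy log lines (placeholder hosts and clients).
SAMPLE_LOGS = """2020-12-14T01:02:03Z dns client=10.0.0.5 query=a1b2c3d4e5.appsync-api.c2-placeholder.example type=CNAME
2020-12-14T01:02:04Z dns client=10.0.0.5 query=downloads.solarwinds.com type=A
2020-12-14T01:05:00Z proxy client=10.0.0.5 dst=203.0.113.10:443 url=https://update-cdn.example/swip/upd/
2020-12-14T01:06:00Z proxy client=10.0.0.9 dst=198.51.100.7:443 url=https://intranet.corp.example/
"""

# Hostnames appear after "query=" in the DNS lines and in the URL of proxy lines.
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def refang(value):
    """Undo the [.] / hxxp defanging used in published indicator lists."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(csv_text):
    """Return {"domain": set, "ip": set, "sha256": set} from a type,indicator CSV."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(refang(row["indicator"]).strip().lower())
    return iocs


def domain_matches(hostname, domains):
    """True if hostname is an indicator domain or a subdomain of one.

    Exact matching is not enough: FireEye's report [1] describes the
    backdoor generating per-victim subdomains of a fixed C2 apex domain,
    so the apex must match at any label depth below it. Requiring the
    leading dot stops 'evil-example.com' matching an indicator 'example.com'.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def scan_logs(log_text, iocs):
    """Return (line_no, kind, value) for every indicator hit in the log text."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, iocs["domain"]):
                hits.append((line_no, "domain", host))
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((line_no, "ip", ip))
    return hits


def check_hashes(observed, iocs):
    """observed maps file path -> SHA-256 hex; return only the entries that match."""
    return {path: h for path, h in observed.items() if h.lower() in iocs["sha256"]}


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    for hit in scan_logs(SAMPLE_LOGS, iocs):
        print("HIT line %d %s %s" % hit)
    # Constructed hash of a local DLL, in the form Get-FileHash would report it.
    print(check_hashes({r"C:\placeholder\Orion.dll": "0" * 63 + "1"}, iocs))
```

The hash comparison is the step that actually identifies a trojanised component: because the malicious updates carried a valid SolarWinds signature, checking the signature on an installed file tells you nothing, whereas a SHA-256 match against the published list does. The legitimate downloads.solarwinds.com lookup in the sample logs produces no hit, which is the expected result; only the indicator domains, their subdomains, and the indicator IP are reported.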
 
US-CERT has notified the public about the issue via a briefing document [4], and the media is also reporting on and disseminating information about this event swiftly [5].
 
For AusCERT constituents using the AusCERT-managed MISP, the list of IoCs was published on 14 December 2020.
AusCERT is currently contacting its constituents about possible installations of SolarWinds Orion on their network perimeter(s).
 
 
[1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
[2] GitHub - FireEye - Sunburst countermeasures
[3] GitHub - FireEye - Sunburst IoC
[4] US-CERT CISA Active Exploitation of SolarWinds Software
[5] Bleeping Computer - US govt, FireEye breached after SolarWinds supply-chain attack
[6] SolarWinds Security Advisory
[7] Threat Advisory: SolarWinds supply chain attack
[8] US-SEC - CURRENT REPORT - SOLARWINDS CORPORATION (001-38711)
[9] Dark Halo Leverages SolarWinds Compromise to Breach Organizations
[10] SolarWinds said no other products were compromised in recent hack
[11] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)
[12] Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
[13] Internet Archives - Wayback Machine
[14] CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise
[15] Emergency Directive 21-01