Hunting for SolarWinds Orion Compromises
This post was last updated on April 6th, 2021 at 12:18 pm
VIEW THE ON-DEMAND WEBINAR ON THIS TOPIC:
The recently discovered SolarWinds Orion compromise is looking like it might be the most extensive hack in history. Every organization using SolarWinds Orion versions 1029.4 through 2020.2.1 (per the Homeland Security advisory linked here) for server monitoring is advised to assume that their servers and networks are compromised by the actors responsible. Initial estimates are that 18,000+ entities including most Fortune 500 companies and many sensitive government entities are users of the software. As the situation continues to evolve, Infocyte is working to help those that need it in any way we can.
Infocyte spent December 14 proactively hunting and notifying our customers who may be affected by the malware. As a result of this effort, we have tested and published an official Infocyte extension which scans servers for all reported Sunburst host-based indicators of compromise related to this compromise or vulnerability. Users and partners are advised to run this on your servers in addition to our standard memory scans that will pick up the secondary payloads (like Cobalt Strike) which are injected by the SolarWinds embedded malware.
When it comes to unprecedented incidents of this magnitude, Infocyte has the benefit of technology that truly delivers on swift endpoint detection and response as well as incident response. With Infocyte, organizations can:
- Deploy in minutes with our agentless option
- Find any potential vulnerabilities quickly, and with precision
- Hunt and detect potential exploits or compromises from such vulnerabilities based on historical forensic analysis
- Respond immediately across your entire network via our cloud console
- You have the option to have our certified experts or partners provide third party validation that the assessment is successful and compromises are remediated
As a summary to the technical reporting provided by FireEye, CISA, and others, understand that this malware is a set of multiple tools.
SUNBURST is basically the initial access trojan found embedded within the signed Orion code base and was officially distributed via the official patch process. This module waits up to two weeks following the patch, conducts initial local recon of any defenses that could find the malware, then reaches up to command and control for additional instructions or to load other malware payloads.
Secondary payloads have been seen by FireEye to launch existing malware like Cobalt Strike Beacons into memory which are then used to propagate through the network. Secondary payloads like Cobalt Strike are used because they are more feature rich but could be more easily caught without the initial trojan’s recon and path clearing.
IMPORTANT: Just because you have Solarwinds Orion does not mean the threat actors did anything with that access during the exposure time. Finding additional indicators of compromise, secondary payloads, golden ticket creation and evidence of lateral movement will confirm the severity of your compromise (if any).
For instance, FireEye also released information on SUPERNOVA which is a custom .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. Unlike the SUNBURST trojan which does outbound connections, this secondary payload allows inbound backdoor access to SolarWinds management interfaces/servers.
If you are unsure which machines have the SolarWinds Orion Application installed on, you can use Infocyte to view all applications that were found in the last 90 days under the Analyze tab.
- CISA and FireEye have recommended blocking all traffic to and from hosts that have SolarWinds Orion installed and monitor your network traffic for anomalies.
- [UPDATE 12/15] CISA recommends organizations “Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1. Analyze for new user or service accounts, privileged or otherwise.” A quick version of these actions can be performed via the Infocyte platform.
- Use Infocyte to scan your entire server environment for secondary memory-only remote access tools (RATs) like Cobalt Strike.
- Check Orion management servers for .net web shells (SUPERNOVA)
- Ensure you are conducting host-based behavior monitoring via enabling real-time monitoring in Infocyte. Look for powershell activity and one-to-many administrative connections coming from Orion servers or servers in their local subnet.
Remember, having Orion isn’t confirmation that your data and network were totally lost. It means the actors had opportunity but with tens of thousands of targets, it’s likely they triaged those networks for the best targets first.
No one should go through a breach alone. If there is anything we can help with, please reach out to us. Existing customers and partners have direct access to our team via the chat interface in the Infocyte app.
For non-Infocyte customers we offer a free version of our platform with our community edition here. This can be used to analyze, assess, and address potential compromises to your network.
Chris Gerritz, Co-founder, Head of Product
Chris Mills, VP of Customer and Partner Success