SolarWinds Attack Plan A: The Imposter

The ongoing investigation of the SUNBURST/Solorigate supply-chain attack, led by the FireEye and Microsoft threat teams, has reached the second stage of the attack, SUNSHUTTLE [3] [4]. More backdoors and C2 servers are discovered each time another stage of this wide and massive attack is disclosed. It is estimated that the attacker distributed SUNBURST from the SolarWinds update servers during March 2020 [5] and maintained persistence for a long time.

There is no report or indicator of the discovered C2 domains prior to December 13, 2020 from any of the high-value targets, despite the DNS security they had in place.

C2 domain names: vsvmcloud[.]com, onetechcompany[.]com, reyweb[.]com, srfnetwork[.]org

This post sheds light on the fact that the threat actor is too smart and sophisticated to burn an entry point on a couple of C2 domains that a DNS security solution can detect and block once the threat actor decides to take the attack to the next level. The C2 domains might have been used as plan B, or simply as a way of playing charades with the analysts and IR teams. The purpose would be to hide the key player in this attack, so that persistence continues even after the C2 domains are taken down during threat hunting.

The Orion documentation [6] lists a couple of prerequisite requirements, but it does not mention Orion's use of the NetBIOS port 137 that is stated in the SolarWinds Success Center [7]. Checking bidirectional connections on firewalls between a local Orion server on port 137 and other outbound connections over a certain period during 2020 shows thousands of connections with thousands of other clients' Orion servers in the region (the number depends on the region). Some clients might not have had this port disabled during configuration or by default. It is unclear which exact process is involved; there is no documentation for it, nor for what is transferred over port 137. It could be shared updates, given the size of Orion packages. Overall, though, it is an open port to other servers in the region. The threat actor could have leveraged this attack vector by using NetBIOS to maintain persistence rather than using any C2 domains. In theory, there is a high probability that the threat actor has at least one server with Orion installed in each region, which I like to call The Imposter, just like the one in the Among Us app. This imposter server can maintain connections without drawing attention, and in case any Orion server drops out of the pool there is a dedicated C2 domain for it. To back up this theory of Orion regional connections and threat actor presence among the Orion pool:
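The firewall review described above (outbound UDP/137 from a local Orion server to hosts outside the organisation) is the kind of check a defender can script against exported firewall logs. The following is an added example, not code from the post or from SolarWinds: it parses constructed key=value log lines, keeps only allowed UDP flows from a hypothetical Orion server address (10.0.5.20, an assumption) to destination port 137 on addresses outside RFC 1918 space, and counts the distinct external peers. The log format, the Orion address and the peer addresses (IANA documentation ranges) are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical Orion server address(es) for this example (constructed, not from the post).
ORION_SERVERS = {"10.0.5.20"}

# Address ranges treated as "inside"; everything else counts as external.
# Built explicitly rather than via ip.is_private so that the documentation
# ranges used as sample peers below (203.0.113.0/24, 198.51.100.0/24) count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

NETBIOS_NS_PORT = 137  # NetBIOS Name Service, the port discussed in the post

# Constructed firewall log lines in a generic "timestamp key=value ..." style.
# This is not real SolarWinds or firewall output.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z action=allow proto=udp src=10.0.5.20 spt=137 dst=203.0.113.45 dpt=137
2020-06-01T10:00:03Z action=allow proto=udp src=10.0.5.20 spt=137 dst=198.51.100.7 dpt=137
2020-06-01T10:00:05Z action=allow proto=udp src=10.0.5.20 spt=137 dst=10.0.5.30 dpt=137
2020-06-01T10:00:07Z action=allow proto=tcp src=10.0.5.20 spt=51234 dst=203.0.113.45 dpt=443
2020-06-01T10:00:09Z action=allow proto=udp src=10.0.7.11 spt=137 dst=203.0.113.45 dpt=137
2020-06-01T10:00:11Z action=deny proto=udp src=10.0.5.20 spt=137 dst=203.0.113.99 dpt=137
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def is_external(ip_str):
    """True when the address falls outside the internal ranges defined above."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def netbios_egress_events(log_text, orion_servers=ORION_SERVERS):
    """Return (timestamp, src, dst) for allowed UDP/137 flows from an Orion
    server to an external destination. Denied flows and internal peers are
    ignored; the internal peers are the expected case inside one site."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            if (rec.get("proto") == "udp"
                    and rec.get("action") == "allow"
                    and rec.get("src") in orion_servers
                    and int(rec.get("dpt", -1)) == NETBIOS_NS_PORT
                    and is_external(rec["dst"])):
                events.append((rec["ts"], rec["src"], rec["dst"]))
        except (KeyError, ValueError):
            # Missing dst or a non-numeric port: skip the record rather than abort the run.
            continue
    return events


def peers_by_count(events):
    """Count flows per distinct external peer; a long tail of peers is the
    'regional pool' pattern the post describes, a single peer is more like a C2."""
    return Counter(dst for _, _, dst in events)


if __name__ == "__main__":
    found = netbios_egress_events(SAMPLE_LOG)
    for ts, src, dst in found:
        print(f"{ts} {src} -> {dst}:{NETBIOS_NS_PORT}/udp allowed outbound")
    print("distinct external NetBIOS peers:", dict(peers_by_count(found)))
```

On the sample data only the two allowed UDP/137 flows from 10.0.5.20 to external addresses are reported; the internal peer, the TCP/443 flow, the non-Orion source and the denied flow are all filtered out. Against a real export the interesting output is the size of `peers_by_count`: if the port is disabled as the Success Center article [7] recommends, the list should be empty.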

[A] There is DGA server determination by east and west in the EU and US regions, like the one discovered by FireEye [1], not just to classify C2 domains but also because that is how SolarWinds maintains connections.

[B] Between March and December 2020 there is no report of any of the discovered C2 domains, and while there may still be a big data breach, no incident or evidence so far shows data being uploaded using any C2.

[C] It explains how the second-stage backdoor happened, since no ties related to the first stage were discovered earlier.

[D] Lateral movement incidents from the local Orion server to other non-agent hosts in the local network, with no sign of a C2 server on the other side even with the first-stage backdoor present.

[E] SolarWinds was facing some challenges when it came to upgrading client servers and the latest release during the time of the attack in 2020. This webinar explains some of the features, including the upgrade features [8].

This post shows another vector of this massive attack, and clearly there is more to investigate, but what it can do is help narrow down the suspect list among legitimate Orion servers. In addition, this theory answers the question raised by the second stage, SUNSHUTTLE [3] [4], where there is no persistence.

References

[1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, FireEye, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers, Microsoft MSTIC, https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

[3] New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452, FireEye, https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

[4] GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence, Microsoft MSTIC, https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

[5] Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop, Microsoft MSTIC, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

[6] SolarWinds Orion Platform requirements, SolarWinds, https://documentation.solarwinds.com/en/success_center/orionplatform/Content/core-orion-requirements-sw1916.htm#Server

[7] Disable Netbios UDP 137 traffic, SolarWinds Success Center, https://support.solarwinds.com/SuccessCenter/s/article/Disable-Netbios-UDP-137-traffic?language=en_US

[8] 2020.2 Releases: Orion Map Updates, New Security Product Features, and More – SolarWinds Lab #89, SolarWinds Youtube channel, https://www.youtube.com/watch?v=bA87jwFrrYg
