In December 2020, FireEye announced the discovery of a highly sophisticated cyber intrusion that affected multiple departments of the US government, including theTreasury Department and the Commerce Department. The actors behind the advanced persistent threat infiltrated the supply chain of SolarWinds, inserting a backdoor into the company’s Orion product. Attackers were then able to get customers to download the Trojan horse installation packages from SolarWinds, which enabled the attackers to access the systems running the Orion platforms. Approximately 18,000 of SolarWind’s 300,000 customers were running vulnerable versions of the Orion platform.
After modifying an Orion platform plug-in called SolarWinds.Orion.Core.BusinessLayer.dll, the attackers managed to distribute the security vulnerability as part of Orion platform updates. The trojanized component, known as SUNBURST, is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.
Apart from the originally discovered SUNBURST backdoor, four other distinct pieces of malware were also discovered as elements of the attack chain.
The attackers were also able to lay low by utilizing the backdoor that used multiple complicated blocklists to identify forensic and antivirus tools running as processes, services, and drivers, giving them the perfect cover.
After the discovery of the attack, SolarWinds assured customers that the software builds known to be affected by the SUNBURST vulnerability were removed from their download sites. Customers were also advised to upgrade to the latest version with security patches to protect against SUNBURST.
Once attackers intrude the network through Orion platform, there are numerous ways to exploit the network. Below are some of the common lateral movement and C2 actions performed during this attack and how ManageEngine Log360, our SIEM solution can help you contain these malicious activities.
Suspicious traffic: Log360 monitors firewall traffic logs in real time and detect compromised hosts by looking for traffic with specific strings in URLs.
Malware threats: Log360 detects malware threats. In the case of SUNBURST, this was the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. By detecting the the loaded DLL immediately, IT administrators can then mitigate the threat quickly.
Malicious processes: Log360 inspects suspicious processes in your network systems for SolarWinds Orion software using Sysmon log analysis and helps stop them.
In this case, once the update is installed from the trojanized update file, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration).
Configure Log360 to detect these processes and associate workflows with the alert profile to automatically stop these processes if they are run by attackers.
Want to learn more on how to perform this on Log360? Contact our product experts.
Malicious DNS requests: Our solution inspects DNS events using Sysmon, detects malicious DNS requests and alerts the IT administrators immediately. In this case, after a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. With Log360, you can configure an alert profile to detect this instance.
C2 communication: Detects the event named piped (a peer-to-peer communication between pipe server and one or more pipe clients) created using Sysmon. This is a server-side function for instantiating a named pipe.
Log360 helps detecting Event ID 17 or 18 which refers to pipe being created under the file name "583da945-62af-10e8-4902-a8f205c72b2e".
Network traffic monitoring: Inspects the process' network connection to the reported IPs. This enables organizations to detect malicious traffic and block them from the network immediately.
Advanced threat analytics: Monitors network traffic to detect and block malicious IPs, domains and URLs through the threat intelligence module.
Lateral movement detection: Detects lateral movement related activities such as credential stealing and command and control communication. This would help organizations put a stop to the attackers looking to move through a network in search of data or assets to exfiltrate and also block their remote access capabilities.
Endpoint protection: Provides endpoint protection to all devices in the network.
Vulnerability scanning: Monitors your network regularly for vulnerabilities and immediately alerts the IT administrators of potential security threats.
You will receive weekly cybersecurity news soon!
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.