Early in the year 2020, life changed for a lot of us. Many would think of the COVID virus, and that certainly is true. But I am referring to something different. I am referring to Sunburst, which is a compromise of the SolarWinds network and systems management platform. Unless you have been living under a rock you have heard about this, but you may not have a good scope on what the attack was and how it operated. What you will see is that this is the most serious supply chain compromise in the history of the industry and that we should look at it as a harbinger of what is to come.

If you create and build code, then you need to realize that the same could occur to you. The industry needs a new way of thinking to have any hope of protecting against this, or really any understanding of how weak or vulnerable the supply chain is. The world has changed around us, and we need to realize the change in the level of the playing field that has resulted.

SolarWinds was the ideal target for several reasons. First, its purpose is network and systems management. SolarWinds can talk to almost anything, out of the box. It often will do so with privileged credentials that have been purposely installed for the purposes of systems monitoring or configuration change. In essence, any attacker that compromises the network management system will have the same degree of control and reach as the platform itself. This is what is often referred to as “God mode”.

Another aspect is that as an NMS, SolarWinds talked to everything. Switches, routers, servers: it talked to all of them, and often did so again with privileged credentials. In essence, it would be hard to pick out nefarious activity in all of the normal white noise. This was indeed the case, as its 9 months of residency in many networks proves out. Due to the nature of the attack, the malware came as a part of normal software updates or installation. Therefore, there is no need for the attacker to establish persistence, as it is already obtained if desired. While it is still not certain exactly how the compromise of the supply chain occurred, it is most likely that this was done prior to the build process. It is also evident that SolarWinds ‘Team City’ build servers were likely the point of compromise. There was a piece of code known as ‘Sunspot’ which performed the injection of the Sunburst code by utilizing taskhostsvc.exe, which is a normal Windows internal process for scheduled tasks. The particular file that was modified with the Sunburst backdoor was InventoryManager.cs, which is found in the Orion Improvement Business Layer. There was a nifty swap of the file where the compromised code was injected into the build on bootup but would swap back to the original file in the build directory. This created a very stealthy presence on the platform that could only be picked out by analyzing the running source code. Looking at the build directory would show everything as normal. This indicates quite a degree of sophistication on the part of the attacker, which is believed to be a set of nation-state actors.

The malware was also quite sophisticated in that it was a multi-stage attack. It is also able to sense the environment to determine if it is in production mode or a sandbox lab environment. Additionally, if it did not sense Internet access the code would typically not activate. Once the environment is determined to be right, the Sunburst code would begin to beacon out to a well-aged valid domain that looks quite innocuous. In the beacon would be information about the system and relevant domain information. This was performed in a process that runs on a regular, reliable basis: refreshInternal(). But more importantly, the code would wait for a random time offset to activate. In some instances, this could be a couple of months. Most platforms were not further affected. This was most probably due to a lack of interest in the target system. If you were ‘lucky’ enough to be selected, the next step would be to establish a command and control (C2) channel. Once again, this used a long series of innocuous-sounding, well-aged domains that could be selected randomly via a custom Domain Generation Algorithm (DGA). This indicates not only sophistication but a long period of prior planning for the compromise to be set up and orchestrated. Once the C2 channel was set up there were a series of roughly 20 ‘jobs’ that the Sunburst malware could execute, ranging from direct commands, to write file/delete file, to task management and systems reboot. There are many more capabilities included as well. Basically, the job set provides complete access and capability to the SolarWinds system platform.
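The build-directory swap described above is the reason a post-build inspection of the source tree shows nothing. The following is an added example (not SolarWinds' code, and not Sunspot or Sunburst) that models a hypothetical build on a constructed two-file tree: it hashes each source at the moment the compiler consumes it and compares that against the committed manifest, while a second check run after the build shows why looking at the directory afterwards is not enough.

```python
import hashlib
import os
import tempfile

# Constructed example. Models the page's point: a source file is swapped only
# while the build reads it and is restored afterwards, so hashing the build
# directory after the build reveals nothing. The defence is to hash every
# input as the compiler actually consumes it and verify against the commit.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit_manifest(tree: str) -> dict:
    """Hash every source file as committed, i.e. before any build runs."""
    out = {}
    for root, _, files in os.walk(tree):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, tree)] = sha256(fh.read())
    return out

class BuildInputMonitor:
    """Records the hash of every source the (simulated) compiler reads."""
    def __init__(self, tree: str):
        self.tree, self.consumed = tree, {}
    def read_source(self, rel: str) -> bytes:
        with open(os.path.join(self.tree, rel), "rb") as fh:
            data = fh.read()
        self.consumed[rel] = sha256(data)   # hash at the moment of consumption
        return data
    def verify(self, manifest: dict) -> list:
        """Files whose compile-time content differs from what was committed."""
        return sorted(f for f, h in self.consumed.items() if manifest.get(f) != h)

def simulate(tree: str, swap_file: str, payload: bytes) -> tuple:
    """Hypothetical build in which swap_file is altered only while it is read."""
    manifest = commit_manifest(tree)
    mon = BuildInputMonitor(tree)
    for rel in manifest:
        path = os.path.join(tree, rel)
        if rel == swap_file:                      # swap in, read, swap back
            original = open(path, "rb").read()
            open(path, "wb").write(original + payload)
        mon.read_source(rel)
        if rel == swap_file:
            open(path, "wb").write(original)
    after = commit_manifest(tree)                 # what a post-build scan sees
    post_build = sorted(f for f in manifest if manifest[f] != after.get(f))
    return mon.verify(manifest), post_build

def demo() -> tuple:
    """Constructed tree of two files; the file named on the page is swapped."""
    with tempfile.TemporaryDirectory() as tree:
        for name, body in (("InventoryManager.cs", b"class InventoryManager {}\n"),
                           ("Other.cs", b"class Other {}\n")):
            open(os.path.join(tree, name), "wb").write(body)
        return simulate(tree, "InventoryManager.cs", b"// constructed stub\n")
```

`demo()` returns the compile-time mismatches alongside the post-build mismatches; only the first list names the swapped file.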