The Latest Fortinet News
Product and Solution Information, Press Releases, Announcements
What We Have Learned So Far about the Sunburst/SolarWinds Hack | |
Posted: Mon Dec 21, 2020 02:41:14 PM | |
By Udi Yavo IntroductionRecently, it was reported that a nation-state threat-actor managed to infiltrate a large number of organizationsincluding multiple US government agencies. They did this by distributing backdoor software, dubbed SunBurst, by compromising SolarWinds Orion IT monitoring and management software update system. Based on SolarWinds data, 33,000 organizations use Orions software, and 18,000 were directly impacted by this malicious update. As more and more details have become available, it has become clear that this is one of the most evasive and significant cyberattacks to date. Over the past week, the FortiGuard Labs research teams have worked tirelessly to uncover more details on the attack to ensure our customers are protected, details of which can be found in our Threat Signal Blog. In this blog, we share more detail on what we have learned, the protections currently provided by products in our portfolio, as well as the proactive steps we have taken leveraging our FortiEDR platform to ensure the security of our customers. SunBurst Campaign OverviewTo help readers better understand this campaign, I will describe at a high-level the steps taken by the SunBurst malware and the threat actor after the initial infiltration. After a successful infiltration of the supply-chain, the SunBurst backdoor a file named SolarWinds.Orion.Core.BusinessLayer.dllwas inserted into the software distribution system and installed as part of an update package from the vendor. Once downloaded, it then lies dormant for 12 to 14 days before taking any action. Once the waiting period is over, the Backdoor takes steps to ensure it is running in one of the environments targeted by the attacker, as opposed to a lower value organization, or in a sandbox or other malware analysis environment. The attacker appears to have wanted to stay as far below the industrys radar as possible while carrying out its specific mission. Here is a high-level overview of the steps it takes to do so:
Once all of the validations are completed, it calls home to the threat actor and sends information to identify the breached organization. Note: Since most of the organizations breached by this malware were NOT a target of the threat actor, this is where the attack appears to have ended for many organizations. The C2 domain name is composed from a prefix that is generated based on data from the machine. An example domain can be seen in Figure 1: Figure 1: Example of SunBurst-generated domain As a next step, the threat actor leverages a memory-only payload called TEARDROP to deliver a CobaltStrike BEACON, among other payloads. CobaltStrike is a commercially available, full-featured penetration testing toolkit that advertises itself as "adversary simulation software. However, it is also commonly used by attackers. To date, FortiEDR has actively detected and blocked many attacks leveraging CobaltStrike in real-time, including this one. Proactive SunBurst Campaign MitigationsAs soon as the IOCs were disclosed, or otherwise uncovered though investigation, the FortiGuard Labs and other teams analyzed all of the data on Sunburst and then devised a proactive strategy to mitigate the attack as well as to help organizations understand its impact. As mentioned, most organizations were not targeted, and therefore the existence of the malicious DLL file does not necessarily mean that actual damage was done. Steps Fortinet is Taking to Ensure the Security of our Customers:1. All published and subsequent IOCs were immediately added to our Cloud intelligence and signatures databases to ensure detection of the malicious files by Fortinets security solutions, including FortiGate, FortiSandbox, FortiEDR, and FortiClient. As new IOCs are uncovered, they will also be immediately added to our databases. 2. In order to reconstruct the attack and gain more insights and indicators, FortiGuard Labs research and intelligence teams started to hunt for more indicators based on the initially disclosed data. As part of this effort, we have discovered and analyzed a new variant of TEARDROP. In Figure 2, you can see this TEARDROP variant read the fake jpeg header and its main unpacking routine: Figure 2: TEARDROP under the microscope 3. We also proactively scanned our FortiEDR Cloud data lake for indicators to determine if customers may have been breached. Customers that were potentially impacted are being contacted. 4. Our MDR and FortiEDR research teams have also devised tools that can help organizations understand the scope of a breach in case they have been impacted by this supply-chain attack. These tools are being shared with customers upon request. As mentioned, most organizations were not targeted, and understanding the scope of the breach is critical for determining follow-up steps. TEARDROP and CobaltStrike DetectionIn addition to detection based on specific IOCs, analysis by our research teams has determined that the FortiEDR platform is and was capable of protecting devices against CobaltStrike and TEARDROPout-of-the-box and without any prior knowledge of the threatusing its memory code tracing technology. FortiEDR has proven countless times that it is capable of blocking CobaltStrike in real-time during live incidents. An example of such a detection can be seen in Figure 3: Figure 3: Real-World Detection of Cobalt-Strike by FortiEDR Summary and Recommendations
d130bd75645c2433f88ac03e73395fba172ef676 76640508b1e7759e548771a5359eaed353bf1eec 2f1a5a7411d015d01aaee4535835400191645023 395da6d4f3c890295f7584132ea73d759bd9d094 1acf3108bf1e376c8848fbb25dc87424f2c2a39c e257236206e99f5a5c62035c9c59c57206728b28 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387 16505d0b929d80ad1680f993c02954cfd3772207 d8938528d68aabe1e31df485eb3f75c8a925b5d9 c8b7f28230ea8fbf441c64fdd3feeba88607069e 2841391dfbffa02341333dd34f5298071730366a 2546b0e82aecfe987c318c7ad1d00f9fa11cd305 e2152737bed988c0939c900037890d1244d9a30e
c:\Windows\SysWOW64\netsetupsvc.dll file.
Best PracticesThis event reemphasizes the need for best practices when it comes to maintaining software and systems. Here are three essential security best practices every organization should adopt:
|