The Latest Fortinet News
Product and Solution Information, Press Releases, Announcements
What We Have Learned So Far about the Sunburst/SolarWinds Hack
Posted: Mon Dec 21, 2020 02:41:14 PM
By Udi Yavo
Recently, it was reported that a nation-state threat actor managed to infiltrate a large number of organizations, including multiple US government agencies. They did this by distributing backdoor software, dubbed SunBurst, after compromising the update system of the SolarWinds Orion IT monitoring and management software. Based on SolarWinds data, 33,000 organizations use Orion software, and 18,000 were directly impacted by this malicious update. As more details have become available, it has become clear that this is one of the most evasive and significant cyberattacks to date.
Over the past week, the FortiGuard Labs research teams have worked tirelessly to uncover more details on the attack to ensure our customers are protected, details of which can be found in our Threat Signal Blog. In this blog, we share more detail on what we have learned, the protections currently provided by products in our portfolio, as well as the proactive steps we have taken leveraging our FortiEDR platform to ensure the security of our customers.
SunBurst Campaign Overview
To help readers better understand this campaign, I will describe at a high-level the steps taken by the SunBurst malware and the threat actor after the initial infiltration.
After a successful infiltration of the supply chain, the SunBurst backdoor, a file named SolarWinds.Orion.Core.BusinessLayer.dll, was inserted into the software distribution system and installed as part of an update package from the vendor. Once downloaded, it lies dormant for 12 to 14 days before taking any action. Once the waiting period is over, the backdoor takes steps to ensure it is running in one of the environments targeted by the attacker, as opposed to a lower-value organization, a sandbox, or another malware analysis environment. The attacker appears to have wanted to stay as far below the industry's radar as possible while carrying out its specific mission.
Here is a high-level overview of the steps it takes to do so:
Once all of the validations are completed, it calls home to the threat actor and sends information to identify the breached organization. Note: Since most of the organizations breached by this malware were NOT a target of the threat actor, this is where the attack appears to have ended for many organizations.
The C2 domain name is composed of a prefix that is generated from data collected on the infected machine, so each victim queries a different, machine-specific name under the same parent domain. An example domain can be seen in Figure 1:
Figure 1: Example of SunBurst-generated domain
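Because every victim resolves a different machine-derived prefix under one parent domain, a defender can hunt for this pattern in DNS logs without knowing the exact encoding. The following is an added example (not code from the original post or from Fortinet): it flags parent domains that several distinct clients queried with long, high-entropy leftmost labels. The log lines, the parent domain `placeholder-c2.example` and the "last two labels" rule for the registered domain are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS log (timestamp, client, queried name); not from the original post.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.0.0.5 www.example.com
2020-12-14T10:01:05Z 10.0.0.5 mail.example.com
2020-12-14T10:02:11Z 10.0.0.7 k7e3mq0d9vz2rl5hx81p.update.placeholder-c2.example
2020-12-14T10:02:13Z 10.0.0.8 r4y9q2wvt1n8zc6jxm0b.update.placeholder-c2.example
2020-12-14T10:02:20Z 10.0.0.9 p2m8wz5c1xq9vn3kd7rl.update.placeholder-c2.example
2020-12-14T10:03:00Z 10.0.0.5 cdn.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; machine-derived prefixes score high."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def registered_domain(name: str) -> str:
    # Assumption: the registered domain is the last two labels
    # (a public suffix list would be used in production).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def flag_dga_like(log_text: str, min_len: int = 16,
                  min_entropy: float = 3.5, min_clients: int = 3) -> dict:
    """Return {registered_domain: sorted prefixes} for parent domains that at
    least min_clients distinct clients resolved with long, high-entropy prefixes."""
    seen = defaultdict(dict)          # domain -> {prefix: client}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                  # skip malformed lines
        _, client, qname = parts
        prefix = qname.split(".")[0]
        if len(prefix) >= min_len and shannon_entropy(prefix) >= min_entropy:
            seen[registered_domain(qname)][prefix] = client
    return {d: sorted(p) for d, p in seen.items()
            if len(set(p.values())) >= min_clients}


if __name__ == "__main__":
    for domain, prefixes in flag_dga_like(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {len(prefixes)} machine-specific prefixes {prefixes}")
```

Tune the thresholds against a baseline of your own DNS traffic; CDN and cloud hostnames can also carry long random-looking labels, so the per-client count matters more than entropy alone.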
As a next step, the threat actor leverages a memory-only payload called TEARDROP to deliver a CobaltStrike BEACON, among other payloads. CobaltStrike is a commercially available, full-featured penetration testing toolkit that advertises itself as "adversary simulation software." However, it is also commonly used by attackers. To date, FortiEDR has actively detected and blocked many attacks leveraging CobaltStrike in real time, including this one.
Proactive SunBurst Campaign Mitigations
As soon as the IOCs were disclosed, or otherwise uncovered through investigation, the FortiGuard Labs and other teams analyzed all of the data on Sunburst and then devised a proactive strategy to mitigate the attack as well as to help organizations understand its impact.
As mentioned, most organizations were not targeted, and therefore the existence of the malicious DLL file does not necessarily mean that actual damage was done.
Steps Fortinet is Taking to Ensure the Security of our Customers:
1. All published and subsequent IOCs were immediately added to our Cloud intelligence and signature databases to ensure detection of the malicious files by Fortinet's security solutions, including FortiGate, FortiSandbox, FortiEDR, and FortiClient. As new IOCs are uncovered, they will also be immediately added to our databases.
2. In order to reconstruct the attack and gain more insights and indicators, FortiGuard Labs research and intelligence teams started to hunt for more indicators based on the initially disclosed data. As part of this effort, we have discovered and analyzed a new variant of TEARDROP. In Figure 2, you can see this TEARDROP variant reading the fake JPEG header, followed by its main unpacking routine:
Figure 2: TEARDROP under the microscope
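A file that carries a JPEG header but no real image structure is a useful triage signal for this kind of loader. The following is an added example (not code from the original post or from Fortinet): it walks the JPEG marker chain and reports files that start with a valid header but stop parsing early, or that carry extra bytes after the end-of-image marker. The sample inputs (`GOOD`, `FAKE`, the appended payload bytes) are constructed, and the marker handling is a generic JPEG check, not TEARDROP's own format.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}   # markers without a length field
RESTART_OR_STUFFED = {0x00, *range(0xD0, 0xD8)}      # FF00 stuffing and RSTn inside scan data

# Constructed samples: a minimal JFIF header, a well-formed image and a "fake header" file.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD = JFIF_HEADER + b"\xff\xd9"
PAYLOAD = bytes((i * 37) % 251 for i in range(64))   # opaque constructed bytes, not an image
FAKE = JFIF_HEADER + PAYLOAD


def check_jpeg(data: bytes) -> tuple:
    """Walk the JPEG marker chain. Returns (is_well_formed, reason, bytes_parsed)."""
    if data[:2] != b"\xff\xd8":
        return False, "no SOI marker", 0
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"non-marker bytes at offset {pos}", pos
        marker = data[pos + 1]
        if marker == EOI:
            return True, "ok", pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return False, "truncated segment header", pos
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False, f"bad segment length at offset {pos}", pos
        pos += 2 + seg_len
        if marker == SOS:  # entropy-coded scan data: advance to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in RESTART_OR_STUFFED:
                    break
                pos += 1
    return False, "ended before EOI", pos


def triage(data: bytes) -> str:
    """One-line verdict for a file that claims to be a JPEG."""
    ok, reason, parsed = check_jpeg(data)
    if not ok:
        kind = "suspicious: JPEG header present but" if data[:2] == b"\xff\xd8" else "not a JPEG:"
        return f"{kind} {reason}"
    trailing = len(data) - parsed
    return f"trailing data after EOI: {trailing} bytes" if trailing else "well-formed JPEG"


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("FAKE", FAKE)):
        print(name, "->", triage(sample))
```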
3. We also proactively scanned our FortiEDR Cloud data lake for indicators to determine if customers may have been breached. Customers that were potentially impacted are being contacted.
4. Our MDR and FortiEDR research teams have also devised tools that can help organizations understand the scope of a breach in case they have been impacted by this supply-chain attack. These tools are being shared with customers upon request. As mentioned, most organizations were not targeted, and understanding the scope of the breach is critical for determining follow-up steps.
TEARDROP and CobaltStrike Detection
In addition to detection based on specific IOCs, analysis by our research teams has determined that the FortiEDR platform is and was capable of protecting devices against CobaltStrike and TEARDROP out of the box, without any prior knowledge of the threat, using its memory code tracing technology. FortiEDR has proven countless times that it is capable of blocking CobaltStrike in real time during live incidents. An example of such a detection can be seen in Figure 3:
Figure 3: Real-World Detection of Cobalt-Strike by FortiEDR
Summary and Recommendations
This event reemphasizes the need for best practices when it comes to maintaining software and systems. Here are three essential security best practices every organization should adopt: