In an unprecedented supply chain compromise, the Russian hacking group known as APT 29, or ‘Cozy Bear’ has injected a backdoor into the source code of the SolarWinds Orion product line. This is a serious, far-reaching incident with few parallels in modern cyber history. This may be the largest cyber attack on the US government in history. It is extremely concerning for the following reasons:
- Widespread Compromise: Using a ‘watering-hole’ attack method, the threat actor was able to use SolarWind’s update procedures to spread the malicious code across its massive customer base. According to FireEye, “the victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” The malicious updates have been deployed to an estimated 18,000 organizations.
- Bypasses Code-Signing integrity checks: We’ve seen past examples of virus spreading via updates. But they usually involved altering the software or DNS to point clients to the wrong update servers under an attacker’s control. Here, they were able to somehow inject the source code into the production build code at SolarWinds, which was then signed by SolarWind’s legitimate code signing certificate. The result is that the updates are trusted by Windows because of the code signature.
- Hard to Detect: We are just now seeing the ramifications of this attack, which appears to have been launched way back in the spring. Since the code waits up to 2 weeks after being dropped to perform any actions, and doesn’t affect the production of the systems, it has remained undetected for months or longer. The communications to their command and control servers even “mimic normal SolarWinds API communications.” Furthermore, some variations utilize an in-memory virus that runs off code hidden inside a malicious JPG image file, making this extremely difficult for even advanced anti-virus software to detect. The virus also ‘lives off the land’ by utilizing legitimate SolarWinds configurations files to store it’s own configurations and controls.
- Full Access: Because SolarWinds servers are used to monitor and control other servers within an organization, they usually have access to many privileged accounts. The malicious code allows for the attackers to move laterally to all monitored servers, and potentially access the global administrator’s password and the signing certificate for SAML token creation. With this certificate, attackers can ‘mint’ new SAML tokens for privileged access to any resource that utilizes single sign-on (SSO). So the intrusion can even spread to the organizations’ 3rd party cloud apps that use SSO. With this level of access, the attackers can use automated API calls to read or write to any mailbox in the organization.
It seems the primary motivation behind this attack is espionage, and not data destruction or extortion/monetary gain. Microsoft has observed that the attackers are “access[ing] specific users’ emails using the permissions granted to the impersonated Application or Service Principal.” The APT 29 attack group is known to be nation-state sponsored, if not a part of Russia’s intelligence unit. So it’s no surprise that these attacks have already been confirmed to have hit the US Department of Treasury and Department of Commerce. Likely, many more federal agencies have been affected, including Department of Defense assets as well as the entire Defense Industrial Base (DIB).
Detection and Mitigation
Although extremely difficult to detect due to many obfuscation techniques used, there are a few indicators of compromise (IOCs) to look for. First, the version of SolarWinds software containing the malicious updates are versions 2019.4 through 2020.2.1 HF1. The actual compromised file is: [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]. Network administrators can also look for outbound DNS queries to the domain name avsvmcloud[.]com which is used for command and control.
According to the CISA emergency alert, affected organizations should immediately power down all affected instances of SolarWinds Orion servers running within their environment, CISA states to “Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.” They recommend organizations immediately disconnect and power down the SolarWinds servers, and then completely wipe these systems, re-install Windows and the SolarWinds software from a known good version (SolarWinds has released a new patch release). Further, any accounts that had their credentials stored or accessed via the SolarWinds systems will need to have their credentials reset. Organizations should also search for any accounts created by the malicious software, and remove them immediately. It’s very likely that additional back doors have been installed as well.
The full scope of this breach has yet to be determined; we will update this post as more information becomes available.