On December 13, 2020, multiple security vendors in conjunction with CISA disclosed a software supply-chain attack involving the SolarWinds Orion platform. The disclosure detailed the activities of an advanced persistent threat (APT) adversary that was able to gain access to SolarWinds systems to create trojanized updates to the Orion platform between March 2020 and possibly as recently as December 2020. The trojanized updates included a custom, digitally signed backdoor called SUNBURST. SolarWinds Orion is a widely used network infrastructure monitoring and management platform with a reported customer base of over 18,000. The following versions may be affected:
At this time, the full scope of the attack remains under investigation. What is known is that the attack was executed by a truly sophisticated adversary with a deep understanding of operational security and complex tradecraft. Based on publicly available data, this adversary demonstrated significant efforts to evade, obfuscate, and clean-up using techniques such as steganography, fingerprinting techniques to identify both target systems as well as analysis systems, rotating infrastructure with a focus on geolocation proximity, as well as executing code in memory as much as possible. These techniques, in combination with using a digitally signed component of a trusted software platform as the initial infection vector, are indicative of a highly skilled and covert adversary willing to expend resources to assure the success of their operation.
Zscaler suggests that all organizations should take several immediate actions, described below, in addition to reviewing the existing security policies and best practices available to Zscaler customers.
These actions are recommended for any organization that may be impacted by the SolarWinds event. They are not intended to be a comprehensive guide to all actions that an organization may take, and each organization should perform its own due diligence to assess impact and risk.
Organizations should immediately identify all systems that may have SolarWinds Orion installed. Once the systems are identified, the version should be checked against the list of impacted versions. Depending on the result of the version(s) installed, additional responses may be required. Even if a version is not found on the impacted version list, it may be prudent to perform cursory checks to confirm there is no impact to the organization.
If an affected version of Orion is found, that system should be immediately taken offline and all network traffic blocked inbound and outbound. Any system or user accounts associated with the affected system should be disabled and reviewed for legitimacy as well as access. If possible, a forensics image of the affected system should also be collected.
Network activity
Based on public reporting, a SolarWinds Orion system affected by this event—meaning that the SUNBURST backdoor had been successfully installed—would begin network communication to its first stage command and control (C&C) server at avsvmcloud[.]com. While this activity does indicate that the affected system was within the target radius of the attack, it does not confirm additional compromise or post-exploitation actions. Zscaler Internet Access (ZIA) customers may be able to perform this search within the DNS Insights or Web Insights area in the portal, or within the log aggregator/SIEM of choice where ZIA logs are sent. This data will however be limited to systems that have their network traffic routed to ZIA.
The following network indicators may be used to perform a sweep for a timeframe extending back to March 2020 or further to discover possible compromised systems (note: additional indicators may be discovered as additional data is disclosed).
Domains
avsvmcloud[.]com digitalcollege[.]org freescanonline[.]com deftsecurity[.]com thedoccloud[.]com websitetheme[.]com highdatabase[.]com incomeupdate[.]com databasegalore[.]com panhardware[.]com zupertech[.]com seobundlekit[.]com lcomputers[.]com virtualdataserver[.]com webcodez[.]com infinitysoftwares[.]com ervsystem[.]com bigtopweb[.]com - Added 1/20/21 in relation to RainDrop
IPs
13.59.205.66 54.193.127.66 54.215.192.52 34.203.203.23 139.99.115.204 5.252.177.25 5.252.177.21 204.188.205.176 51.89.125.18 167.114.213.199
All other internet-bound destinations from the Orion system should also be examined. Additionally, all network activity originating from SolarWinds Orion systems to other internal systems should be reviewed for potential lateral movement. This may prove challenging as most Orion deployments likely allow it to have privileged access across the network to a variety of systems. However, it may be possible to carve out a smaller set of data to initially analyze by suppressing known-good or expected behaviors from the potentially affected Orion system.
Endpoint
The SUNBURST backdoor is a digitally signed DLL file with a specific filename and hash. The existence of this file on an Orion server is indicative that the adversary was able to gain unauthorized access to the system. Additional post-exploitation behaviors may have been performed by the adversary, indicating a successful intrusion. The following indicators and behaviors may assist in confirming a compromise.
MD5 hashes
b91ce2fa41029f6955bff20079468448 d5aad0d248c237360cf39c054b654d69 2c4a910a1299cdae2a4e55988a2f102e 846e27a652a5e1bfbd0ddd38a16dc865
Filename
SolarWinds.Orion.Core.BusinessLayer.dll
Behaviors
User account activity
Once SUNBURST has been deployed, the adversary will most likely begin to perform reconnaissance actions using the privileges of the Orion system and explore what is available in terms of additional assets to compromise or actions to take. The following behaviors may have been observed on the affected Orion system or other systems that have had communication with the affected system.
As described in our ThreatLabZ blog post, Zscaler immediately deployed protections to all customers and continues to deploy additional protections and countermeasures as more information becomes available. In addition, as we had disclosed in our Trust Advisory, Zscaler was not impacted by this event. This may, however, be an opportunity for organizations to reassess their security policies and confirm alignment with documented best practices and recommended policies as described within our documentation, which covers recommendations, such as:
Zscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best practices guidance to better protect your users, applications, and systems: zscaler.com/solarwinds-cyberattack
By submitting the form, you are agreeing to our privacy policy.