# Responding to Solarigate **cadosecurity.com/post/responding-to-solarigate** December 14, 2020 As you are no doubt aware, on Sunday the security software provider SolarWinds announced that installers for it’s Orion monitoring platform had been backdoored by “a nation-state”. Typical customers of SolarWinds are enterprise scale and security conscious. Reported organisations compromised through these attacks include various parts of the US government, as well as a number of large organisations in the private sector. Below we have included some suggestions for those responding to these incidents or performing forensics to confirm if they may be compromised. **Background** Reviewing the backdoored Orion installers, they match what appears to be SolarWind’s normal build process. It is likely the attackers have compromised both the SolarWind source code, and their build process to deliver backdoored updates through their normal release process. [The first backdoored installers identified so far date back to October 2019, though](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) [SolarWinds themselves have only referred to backdoored installers starting in May 2020.](https://uk.reuters.com/article/us-usa-solarwinds-cyber-idUKKBN28N0Y7) ----- [On Sunday 13th December 2020, SolarWinds sent an email to customers informing them of](https://thwack.solarwinds.com/t5/NPM-Discussions/Hackers-getting-in-via-NPM-maybe/m-p/612422) the situation: **Figure 1: Statement and email from SolarWinds** **Backdoored Orion Installers** [A number of backdoored installers have been identified, and are still being served from the](https://twitter.com/KyleHanslovan/status/1338408803503644673) SolarWinds website. Below is a non-exhaustive list of the installers: _Version 2019.4.5220.20161_ _*https://downloads.solarwinds[.]_ com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi( 38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll:( a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc ) - This version is listed as Suspicious by Microsoft (likely due to the presence of SolarWinds.Orion.Core.BusinessLayer.dll) but not confirmed malicious. _Version 2020.2.5220.27327_ https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi( ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll (019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ) ----- This version is listed as Suspicious by Microsoft (likely due to the presence of SolarWinds.Orion.Core.BusinessLayer.dll) but not confirmed malicious. _Version 2020.2.5220.27327_ https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi( ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll (019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ) _Version 2020.2.5320.27438_ https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi( c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll:( ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 ) **SunBurst/Solorigate Backdoor** The file CoreInstaller.msi/OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll is what FireEye calls SunBurst and Microsoft calls Solorigate. SunBurst performs the typical firststage backdoor tasks of downloading and executing files, whilst subtly evading detection. SunBurst deploys basic Base64 encoding to hide key strings such as the command and control protocol: ----- **Figure 2: Command and Control domains from SunBurst** And impersonates normal Orion network traffic to blend in: Figure 3: Command and Control Traffic [A detailed analysis of SunBurst is available in the FireEye report, and we have included the](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) de-obfuscated source-code in Appendix B to save others having to do perform the same deobfuscation. **Later Stages of the Attack** Both Microsoft and FireEye have provided details of second stages of the attacks they have identified, including malware: ----- [SuperNova – A .NET Web shell](https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUPERNOVA/APT_Webshell_SUPERNOVA_1.yar) [CosmicGale – A Powershell credential theft script](https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/COSMICGALE/yara/APT_HackTool_PS1_COSMICGALE_1.yar) [TearDrop – A memory resident dropper](https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/TEARDROP/yara/APT_Dropper_Win64_TEARDROP_1.yar) [Cobalt Strike – A commercially available backdoor, observed dropped by TearDrop](https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike) And also attacker activity such as: [Adding new federation trusts. Microsoft recently added new detections for Modified](https://activedirectoryfaq.com/2018/06/o365-hybrid-exchange-federation-trust/) domain federation trust settings likely to hunt for this activity. [Adding OAuth credentials to Exchange](https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth) **Suggestions for Forensic Analysis** The Department of Homeland security advises agencies with SolarWinds installations, and [the required expertise, to perform a full forensic investigation:](https://cyber.dhs.gov/ed/21-01/) _a. Forensically image system memory and/or host operating systems hosting all instances of_ _SolarWinds Orion versions 2019.4 through 2020.2.1 HF1]. Analyze for new user or service_ _accounts, privileged or otherwise._ _b. Analyze stored network traffic for indications of compromise, including new external DNS_ _domains to which a small number of agency hosts (e.g., SolarWinds systems) have had_ _connections._ Pay attention to Windows event logs with: Sysmon Event IDs [17 and](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017) [18 relating to named pipes](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018) Security Event ID [7045 relating to service creation, and](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697) [4702 relating to the creation of](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4702) a [scheduled task](https://twitter.com/lostinsecurity/status/1338388788524052480) [Windows Exploit Guard event ID 12, relating to a non-Microsoft-signed binary being](https://github.com/palantir/exploitguard) [blocked from loading](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) [Microsoft provides guidance on how to enable increased logging of AD FS (Active](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging) Directory Federation Services). Look for the existence of the following file: C:\WINDOWS\SysWOW64\netsetupsvc.dll (**note the normal legitimate path for this file-name is within C:\WINDOWS\SYSTEM32): Additional mitigation considerations: It is strongly suggested where practical, that sensitive systems, or systems that imply a third party risk be monitored and audited regularly. ----- We suggest where possible servers should allow whitelisted internet access only. For example, if your SolarWinds server was only allowed to access the necessary IP addresses, and or IP ranges for its function. It would help prevent communication to unknown command and control infrastructure. Always utlise the concept of least privileged access, and look to monitor account usage that is beyond its normal purpose or operation. For example, a service account performing an interactive logon or querying other services that have no relation to the accounts purposes. **About Cado Security** We have built the first cloud-native forensics and response platform for responding to security incidents. Join our pilot partner program today, [sign up for details here.](https://www.cadosecurity.com/platform) **Appendix A – Consolidated Indicators of Compromise** The file-hashes (SHA256) below relate to malicious installers we have seen and file-hashes consolidated from earlier reporting. Additional indicators of compromise are available from [FireEye,](https://github.com/fireeye/sunburst_countermeasures) [Microsoft and](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) [AlienVault OTX.](https://otx.alienvault.com/pulse/5fd6df943558e0b56eaf3da8) ``` 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed ``` **Appendix B – De-obfuscated SunBurst Source Code** See https://github.com/cadosecurity/MalwareAnalysis/blob/main/OrionImprovementBusinessLaye r.cs **Appendix C – SuperNova .NET WebShell** See [https://github.com/cadosecurity/MalwareAnalysis/blob/main/LogoImageHandler.cs](https://github.com/cadosecurity/MalwareAnalysis/blob/main/LogoImageHandler.cs) About The Author ----- Chris Doman [Chris is well known for building the popular threat intelligence portal ThreatCrowd, which](https://www.threatcrowd.org/) [subsequently merged into the AlienVault Open Threat Exchange, later acquired by AT&T.](https://otx.alienvault.com/) Chris is an industry leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government’s [crypto-currency theft schemes, and China’s attacks](https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004) against dissident websites, have been widely discussed in the media. He has also given interviews to print, [radio and TV such as CNN and BBC News.](https://www.youtube.com/watch?v=z_0oV_hsc08) **About Cado Security** Cado Security provides the cloud investigation platform that empowers security teams to respond to threats at cloud speed. By automating data capture and processing across cloud and container environments, Cado Response effortlessly delivers forensic-level detail and unprecedented context to simplify cloud investigation and response. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United [Kingdom. For more information, please visit https://www.cadosecurity.com/ or follow us on](https://www.cadosecurity.com/) Twitter [@cadosecurity.](https://twitter.com/CadoSecurity) [Prev Post](https://www.cadosecurity.com/introducing-our-next-stage-cado-response/) [Next Post](https://www.cadosecurity.com/botnet-deploys-cloud-and-container-attack-techniques/) -----