About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation-state used to install malware into organizations using the software, the tool provider, SolarWinds, said Monday.
The disclosure from Austin, Texas-based SolarWinds came a day after the U.S. government revealed a major security breach that affected federal agencies and private companies. The U.S. Departments of Treasury, Commerce and Homeland Security were among the federal agencies that fell victim to hacks that gave access to email and other sensitive resources, Reuters reported. Federal agencies using the software were ordered on Sunday to disconnect systems running the software and conduct a forensic analysis of their networks.
Security firm FireEye, which revealed a serious breach of its own network last week, said hackers backed by a nation-state compromised a SolarWinds software update mechanism and then used it to infect select customers who had installed a backdoored version of the company’s Orion network management tool.
The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed Monday with the Securities and Exchange Commission. The implant “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” according to Monday’s filing. SolarWinds, which says it has about 300,000 Orion customers, estimates the number of affected customers to be about 18,000.
Stealing the master keys
Several factors made Orion an ideal stepping stone to networks coveted by Russian-backed hackers, who have become one of the biggest threats to US cybersecurity over the past decade. Mike Chapple, a lecturer in IT, Analytics and Operations at the University of Notre Dame, said the tool is widely used to manage routers, switches and other network devices within large organizations. The level of privileged access combined with the number of exposed networks made Orion the perfect tool for hackers to exploit.
“SolarWinds by nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist with the National Security Agency, said in an interview. “Imagine SolarWinds has the master keys for your network, and if you can compromise that type of tool, you can use those types of keys to access other parts of the network. By compromising that, you actually have a key to unlocking the network infrastructure of a large number of organizations.”
The hacks are part of what the federal government and officials from FireEye, Microsoft and other private companies said was a widespread espionage campaign carried out by an advanced threat actor via a supply chain attack.
In a blog post published Sunday night, FireEye said it had uncovered a global intrusion campaign that used SolarWinds’ backdoored update mechanism as an initial entry point into the networks of public and private organizations through the software supply chain. Publications including The Washington Post and The New York Times quoted unnamed government officials as saying that Cozy Bear, a hacking group believed to be part of Russia’s Federal Security Service (FSB), was behind the compromises.
“Based on our analysis, we have now identified multiple organizations where we see evidence of compromise dating back to Spring 2020, and we are in the process of notifying these organizations,” FireEye officials wrote. “Our analysis indicates that these compromises are not self-propagating; each of the attacks requires careful planning and manual interaction. Our ongoing investigation has uncovered this campaign and we are sharing this information in accordance with our standard practice.”
In a separate post also published Sunday night, FireEye added: “FireEye has detected a widespread campaign, which we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have started as early as spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was carried out with considerable operational security.”
FireEye went on to say that a digitally signed part of the Orion framework contained a backdoor that communicates with hacker-controlled servers. The backdoor, planted in the Windows Dynamic Link Library file SolarWinds.Orion.Core.BusinessLayer.dll, is written to remain inconspicuous, both by remaining dormant for a few weeks and by blending in with legitimate SolarWinds data traffic. FireEye researchers wrote:
The trojanized update file is a standard Windows Installer Patch file that contains compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on the system configuration). After a dormant period of up to two weeks, the malware tries to resolve a subdomain of avsvmcloud[.]com. The DNS response returns a CNAME record pointing to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communication. The list of known malicious infrastructure is available on FireEye’s GitHub page.
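The excerpt above gives defenders one concrete network indicator: after its dormancy period the backdoor resolves a subdomain of avsvmcloud[.]com, and a victim that the operators select is answered with a CNAME pointing at a C2 domain. The following is an added example, not code from FireEye, SolarWinds or the article, that scans DNS logs for exactly that pattern. The log format and every sample line are constructed for the example; the subdomain labels, the CNAME target and the IP addresses are placeholders, not real indicators.

```python
"""
Added example, not code from FireEye, SolarWinds or the article: a
small DNS-log scanner for the one network indicator the FireEye
excerpt gives, a query for a subdomain of avsvmcloud[.]com answered
with a CNAME that points at a C2 domain.

The log format (timestamp, client, query name, query type, response
code, optional comma-separated answers) and all sample lines below are
constructed for this example; the subdomain labels, the CNAME target
and the IP addresses are placeholders, not real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Parent domain named in the FireEye excerpt; the backdoor resolves a
# generated subdomain of it once its dormancy period has elapsed.
SUNBURST_PARENT_DOMAIN = "avsvmcloud.com"

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) "
    r"(?P<rcode>\S+)(?: (?P<answers>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    cname: Optional[str]  # CNAME target if the response carried one


def is_sunburst_lookup(qname: str) -> bool:
    """True for avsvmcloud.com itself or any subdomain of it."""
    q = qname.lower().rstrip(".")
    return q == SUNBURST_PARENT_DOMAIN or q.endswith("." + SUNBURST_PARENT_DOMAIN)


def cname_target(answers: Optional[str]) -> Optional[str]:
    """Pick the CNAME target out of a 'TYPE=value,TYPE=value' answer list."""
    if not answers:
        return None
    for rr in answers.split(","):
        rtype, _, value = rr.partition("=")
        if rtype.upper() == "CNAME":
            return value.lower().rstrip(".")
    return None


def scan_dns_log(lines) -> List[Hit]:
    """Return one Hit per query for the Sunburst parent domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        if is_sunburst_lookup(m["qname"]):
            hits.append(Hit(m["ts"], m["client"], m["qname"].lower().rstrip("."),
                            cname_target(m["answers"])))
    return hits


def clients_redirected_to_c2(hits: List[Hit]) -> Set[str]:
    """Hosts whose lookup was answered with a CNAME. Per the excerpt, the
    CNAME is how a selected victim is handed its C2 domain, so these
    hosts deserve the first look; an NXDOMAIN hit still shows the
    backdoor is present and beaconing."""
    return {h.client for h in hits if h.cname is not None}


# Constructed sample log; nothing here is a real indicator.
SAMPLE_DNS_LOG = """\
2020-06-01T02:14:07Z 10.0.5.12 abc123xyz.avsvmcloud.com A NOERROR CNAME=c2-placeholder.example.net,A=192.0.2.10
2020-06-01T02:14:09Z 10.0.5.12 api.solarwinds.example A NOERROR A=192.0.2.20
2020-06-01T02:15:00Z 10.0.7.3 www.example.org A NOERROR A=192.0.2.30
2020-06-01T02:16:31Z 10.0.9.44 q9q9q9.avsvmcloud.com A NXDOMAIN
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.client} queried {h.qname} -> CNAME {h.cname}")
    print("hosts handed a C2 CNAME:", clients_redirected_to_c2(found))
```

Because the beacon is delayed by up to two weeks, the scan is only meaningful over DNS history reaching back to when the March update was installed, not just the last few days; resolver logs or passive DNS that cover that window are the right input.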
Digging in deeper
The Orion backdoor, which FireEye calls Sunburst and Microsoft calls Solorigate, gave the hackers limited but critical access to internal network devices. The hackers then used other techniques to dig further. According to Microsoft, the hackers went on to steal signing certificates that allowed them to impersonate a target’s existing users and accounts via the Security Assertion Markup Language. Usually abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization information with service providers.
Microsoft’s advisory stated:
- An intrusion via malicious code into the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. See also SolarWinds Security Advisory.
- An intruder using administrative privileges obtained through an on-premises attack to access an organization’s trusted SAML token-signing certificate. This allows them to forge SAML tokens impersonating any of the organization’s existing users and accounts, including highly privileged accounts.
- Abnormal logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resource (regardless of identity system or vendor) and against any cloud environment (regardless of vendor) because they are configured to trust the certificate. Because the SAML tokens are signed with the organization’s own trusted certificate, the anomalies can be missed by the organization.
- Using highly privileged accounts obtained through the above technique or otherwise, attackers can add their own credentials to existing application service principals, allowing them to call APIs with the permission assigned to that application.
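The advisory’s last three points describe why the forged tokens are hard to spot: the signature is valid, because it comes from the organization’s own certificate, so a relying party has no reason to reject it. What the attacker cannot do is make the on-premises federation server log an issuance it never performed, and adding a credential to a service principal leaves an audit record. The following added example, not Microsoft’s code or the article’s, shows both checks: correlating cloud sign-ins with the federation server’s issuance records by assertion ID, and flagging service-principal credential additions by anyone who is not an approved owner of the application. The record types, field names, the `AddServicePrincipalCredential` action name and all sample data are constructed for the example, and matching on assertion ID is an assumption; real log schemas differ.

```python
"""
Added example, not Microsoft's code or the article's: two defender-side
checks for the SAML and service-principal abuse in the advisory above.

1. A forged SAML token carries a valid signature from the organization's
   own token-signing certificate, so the relying party accepts it. The
   on-premises federation server, however, has no record of issuing it.
   This check correlates cloud sign-ins that presented a SAML assertion
   with the federation server's issuance records by assertion ID and
   flags sign-ins whose assertion was never issued, or was issued for a
   different subject. Matching on assertion ID is an assumption of this
   example; real log schemas differ.

2. Holders of privileged accounts can add credentials to existing
   application service principals. This check flags audit events that
   add a credential to a service principal when the acting account is
   not an approved owner of that application.

All record types, field names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class IdpIssuance:
    """What the on-prem federation server recorded when it issued a token."""
    assertion_id: str
    subject: str


@dataclass(frozen=True)
class CloudSignIn:
    """A cloud-side sign-in that presented a SAML assertion."""
    ts: str
    assertion_id: str
    subject: str
    source_ip: str


@dataclass(frozen=True)
class AuditEvent:
    """A tenant audit-log entry (constructed schema)."""
    ts: str
    actor: str
    action: str       # e.g. "AddServicePrincipalCredential" (constructed name)
    target_app: str


def find_unissued_saml_signins(issued: Iterable[IdpIssuance],
                               signins: Iterable[CloudSignIn]) -> List[CloudSignIn]:
    """Sign-ins whose assertion the federation server never issued, or
    issued for a different subject. Either is a candidate forged token."""
    by_id: Dict[str, IdpIssuance] = {i.assertion_id: i for i in issued}
    flagged = []
    for s in signins:
        rec = by_id.get(s.assertion_id)
        if rec is None or rec.subject != s.subject:
            flagged.append(s)
    return flagged


def find_unexpected_sp_credentials(events: Iterable[AuditEvent],
                                   approved_owners: Dict[str, Set[str]]) -> List[AuditEvent]:
    """Credential additions to a service principal by anyone who is not an
    approved owner of that application."""
    return [e for e in events
            if e.action == "AddServicePrincipalCredential"
            and e.actor not in approved_owners.get(e.target_app, set())]


# Constructed sample data; the names, IDs and addresses are placeholders.
IDP_ISSUANCES = [
    IdpIssuance("a-001", "alice@corp.example"),
    IdpIssuance("a-002", "bob@corp.example"),
]

CLOUD_SIGNINS = [
    CloudSignIn("2020-06-02T08:00:01Z", "a-001", "alice@corp.example", "10.0.5.12"),
    CloudSignIn("2020-06-02T08:05:44Z", "a-002", "bob@corp.example", "10.0.7.3"),
    # assertion never issued by the IdP: the forged-token signal
    CloudSignIn("2020-06-02T23:41:10Z", "a-999", "globaladmin@corp.example", "198.51.100.7"),
    # issued assertion ID reused with a different, more privileged subject
    CloudSignIn("2020-06-02T23:42:30Z", "a-002", "globaladmin@corp.example", "198.51.100.7"),
]

AUDIT_EVENTS = [
    AuditEvent("2020-06-02T09:10:00Z", "appowner@corp.example", "AddServicePrincipalCredential", "billing-api"),
    AuditEvent("2020-06-02T23:50:12Z", "globaladmin@corp.example", "AddServicePrincipalCredential", "billing-api"),
    AuditEvent("2020-06-02T23:51:00Z", "globaladmin@corp.example", "UpdateApplication", "billing-api"),
]

APPROVED_OWNERS = {"billing-api": {"appowner@corp.example"}}

if __name__ == "__main__":
    for s in find_unissued_saml_signins(IDP_ISSUANCES, CLOUD_SIGNINS):
        print("suspicious SAML sign-in:", s)
    for e in find_unexpected_sp_credentials(AUDIT_EVENTS, APPROVED_OWNERS):
        print("unexpected service principal credential:", e)
```

Both checks depend on log sources the attacker does not control: the federation server’s own issuance log for the first, and the tenant audit log for the second. If the federation server was itself the on-premises system compromised, its logs need to be treated as potentially tampered, which is one reason the emergency directive below calls for forensic analysis rather than a quick log review.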
Supply chain attacks are among the most difficult to fend off because they rely on software that is already trusted and widely distributed. SolarWinds’ Monday morning filing suggests that Cozy Bear hackers were able to infect the networks of about 18,000 of the company’s customers. It is not yet clear how many of those exposed customers have actually been hacked.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued an emergency directive instructing federal agencies using SolarWinds products to analyze their networks for signs of compromise. FireEye’s post lists a variety of signatures and other indicators that administrators can use to detect infections.