Solorigate/Sunburst : FireEye Breach Leveraged SolarWinds Orion Software

Animesh Jain

Update Dec 23, 2020: Added new section describing how to reduce risk with File Integrity Monitoring.

Update Dec 22, 2020: FireEye Red Team tools & Solorigate/SUNBURST
On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):

  • Active Attacks
  • Solorigate SUNBURST (New RTI)

Original Post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. FireEye has confirmed the attack leveraged trojanized updates to SolarWinds Orion IT monitoring and management software.

A highly skilled manual supply chain attack on the SolarWinds Orion IT network monitoring product allowed hackers to compromise the networks of public and private organizations, FireEye said. Meanwhile, SolarWinds advises customers to upgrade to SolarWinds Orion Platform version 2020.2.1 HF 1 or 2019.4 HF 6 as soon as possible. SolarWinds also recommends all customers update to the additional hotfix release, 2020.2.1 HF 2, as it both replaces the compromised component and provides several additional security enhancements.

Threat Hunting for Solorigate/SUNBURST  

It is recommended to hunt for the evidence of exploitation of this attack, as traditional antivirus tools may not be aware of the attack. In a support advisory originally date from 2018, SolarWinds had recommended exempting their products from AV scans and group policy restrictions in order to run.  

The compromised file in the SolarWinds supply chain attack was SolarWinds.Orion.Core.BusinessLayer.dll. You can hunt for the existence of this file by executing the following QQL query from Qualys Multi-Vector EDR. If this DLL has been found in your environment, you should immediately upgrade your SolarWinds deployment as described in the security advisory

file.name:SolarWinds.Orion.Core.BusinessLayer.dll and file.properties.certificate.hash: 0fe973752022a606adf2a36e345dc0ed

Based on the hashes provided by FireEye, a more targeted query can be written as: 

(file.hash.sha256:[`32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77`, `ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6`, `019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134`, `dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b`, `eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed`, `c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77`, `ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c`, `a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc`, `d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af`, `c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71`] or file.hash.md5:[`2c4a910a1299cdae2a4e55988a2f102e`, `846e27a652a5e1bfbd0ddd38a16dc865`, `b91ce2fa41029f6955bff20079468448`])

Additionally, according to CISA the evidence of C:\Windows\SysWOW64\netsetupsvc.dll should be considered suspicious and reported as an incident. The netsetupsvc.dll file is associated with the Microsoft Network Setup Service, which is a legitimate service and DLL when loaded from System32. The attacker appears to be masquerading as legitimate software to evade detection.

file.name:netsetupsvc.dll and file.path:`C:\windows\syswow64` and file.properties.certificate.signed: false 

The SolarWinds DLL file is a backdoor which then installs a Windows service to execute malicious code. Evidence of this can be detected by looking for the SolarWinds.BusinessLayerHost.exe process being ran. Evidence of this process execution can be hunted for with the following QQL query: 

type:`process` and action:`running` and process.name:SolarWinds.BusinessLayerHost.exe 

Based on the information provided by FireEye, a more targeted query can be written as: 

type:FILE and action:WRITE and parent.name:`solarwinds.businesslayerhost.exe` and file.extension:[`exe`, `dll`, `ps1`, `jpg`, `png`] 

Once malicious code has been executed, the malicious DLL then establishes a connection to avsvmcloud[.]com to download additional payloads, move laterally, and exfiltrate data.  

Using this level of access, the attacker has been observed to steal credentials and increase privileges. Once access to highly privileged accounts is achieved, the attacker can achieve their actions on objectives in any number of ways. If any of these indicators has been seen in your environment, you should perform a thorough analysis of the environment looking for new accounts, external DNS requests, and other indicators to expose the breadth of the breach.  

FireEye Red Team Tools & Solorigate/SUNBURST

On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environments.

Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):

  • Active Attacks
  • Solorigate Sunburst (New RTI)

Identify SolarWinds Orion Assets using Global IT Asset Inventory 

 Qualys Global IT Asset Inventory allows you to gain visibility into SolarWinds Orion Assets using hybrid data collection sensors such as network scanners and Qualys Cloud Agent.  

Discover SolarWinds Orion Vulnerability 

Qualys has issued the information gathered (IG) QID 13903 to help customers track systems on which SolarWinds Orion is installed. This QID can be detected remotely using unauthenticated scan or via Windows authenticated scan or the Qualys Cloud Agent

QID 13903: SolarWinds Orion Detected

To identify the presence of the hotfix issued by SolarWinds, Qualys has issued authenticated QID 374560: 

QID 374560 : SolarWinds Orion Code Compromise  

These QIDs are included in signature version VULNSIGS-2.5.57-3 and above and Cloud Agent manifest version 2.5.57.3-2 and above. 

With Qualys Unified Dashboard, you can track SolarWinds Orion vulnerabilities, impacted hosts, their status and overall management in real time from vulnerabilities to EDR detections. Enable trending so you can keep track of these vulnerability trends across your environments. The dashboard shows Vulnerabilities for Solorigate/SUNBURST in VM/VMDR & EDR & FIM & GA.  Unified Dashboard contains 50+ widgets from EDR & VM. 

Realtime Detection and Analysis of Solorigate/SUNBURST Events with Qualys FIM 

You can create a monitoring profile in Qualys File Integrity Monitoring with specific parameters to define the asset scope for easy monitoring. A monitoring profile also reduces the efforts required for monitoring the file changes in your organization.

Once you have the Profile set up, you can use the following QQL to fetch the events related to SolarWinds, which is displayed in the Event Review tab:

file.name:`netsetupsvc.dll` or file.name:`SolarWinds.Orion.Core.BusinessLayer.dll` or file.name:`app_web_logoimagehandler.ashx.b6031896.dll` or file.name:`SolarWinds-Core-v2019.4.5220-Hotfix5.msp` or file.name:`OrionImprovementBusinessLayer.2.cs` or file.name:`gracious_truth.jpg`) or actor.process:`SolarWinds.BusinessLayerHost.exe` or actor.process:`SolarWinds.BusinessLayerHostx64.exe` or actor.process:`Solarwinds-Orion-NPM.exe` 

Click on any of the events to obtain the comprehensive list of who-what-when details of the file change activities along with the respective time stamps.

You can leverage the event analysis to create correlation rules and to configure automated alerts to be sent to authorized users upon incidents of the same nature. This ensures that you are always in control of the security and integrity of your assets and the data stored in them. 

The real-time events and alerts ensure a quicker response, so that the suspicious activities are restricted and your network is secured. 

Reduce Risks by Hardening Configuration of SolarWinds Orion 

Security Hygiene Controls for Reducing Risk of SolarWinds Orion Compromise (SUNBURST/Solorigate) 

Patching and updating software are mandatory and a critical part of your organization’s security. If it’s not possible to patch/update vulnerable software, the Qualys Configuration Management policy “Security Hygiene Controls for Reducing Risk of SolarWinds Orion Compromise (SUNBURST/Solorigate)” provides additional risk reduction related to the SolarWinds Orion software vulnerability beyond that provided by the CIS Level 1 Security recommendations/controls for Windows and IIS systems.  

Control List:  

CID Statement 
14297Status of the open network connections and listening ports (Qualys Agent only) 
14916 Status of Windows Services 
16230 Status of the ‘X-Powered-By’ header within the IIS configuration file (server-level) 
20053 Status of the ‘X-Powered-By’ response header (site-level) 
20048 Status of the ‘X-AspNet-Version’ Header response header (Server Level) 
20054 Status of the ‘X-AspNet-Version’ Header response header (Site Level) 
16225 Status of the ‘removeServerHeader’ attribute within the IIS configuration file present on the host 
20055 Status of the ‘removeServerHeader’ requestFiltering setting (site-level) 

Easily track the overall security hygiene of Solorigate/SUNBURST systems. The screenshot below shows the total number of passed and failed controls for the scoped assets. 

View control posture details with remediation steps. The screenshot below shows overall the details of the control posture status along with actual evidence from the target.

Solution 

Users are advised to upgrade to SolarWinds Orion Platform version 2020.2.1 HF 1 or 2019.4 HF 6 as soon as possible. An additional hotfix release, 2020.2.1 HF 2 is available and SolarWinds recommends all customers update to release 2020.2.1 HF 2, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

Get Started Now 

Start your Qualys VMDR trial for automatically identifying, detecting and patching the high-priority SolarWinds Orion vulnerability. 

Start your Qualys Multi-Vector EDR trial to protect the entire attack chain, from attack and breach prevention, to detection and response using the power of the Qualys Cloud Platform – all in a single, cloud-based app. 

Frequently Asked Questions (FAQ): 

Q: How do I check for Solorigate/Sunburst) vulnerability using Qualys VMDR? 
A: Qualys released “QID 374560 – SolarWinds Orion Code Compromise (Solorigate/Sunburst)” to address this vulnerability. This QID can be detected remotely using unauthenticated scan or via Windows authenticated scan or using Qualys Cloud Agent

Q: What is the detection logic for QID 374560? 
A: QID 374560 Detection Logic (Authenticated): 

 The QID extracts Solarwinds Orion installation path from registry key “HKLM\SOFTWARE\SolarWinds\Orion\Core”, value “InstallPath”, then compare file version of “SolarWinds.Orion.Core.BusinessLayer.dll” with patched versions 

In case, where registry keys are not accessible, we skip the path extracting and directly check file versions of: “%ProgramFiles%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll” and “%ProgramFiles(x86)%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll”. 

QID Detection Logic (Unauthenticated): 
The QID detects affected Solarwinds Orion installation from URL “Orion/Login.aspx” 

Q: Which versions of SolarWinds Orion are affected? 
A: On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform. Per CISA advisory, following versions are affected:  

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083 
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219 
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394 
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432 

Q: Why do I see less instances of SolarWinds Orion reported in my scan results? 
A: SolarWinds advisory mentions only few SolarWinds Orion versions affected by this vulnerability. You may not be running vulnerable version per advisory: 

  • For SolarWinds Orion Platform version 2019, only systems with HotFix 5 are affected. 
  • For SolarWinds Orion Platform version 2020, versions before HotFix 2 are affected 

Customers are advised to leverage IG “QID 13903 : Solarwinds Orion Detected” to identify which SolarWinds Orion version is running in their environment. 

Show Comments (1)

Comments

Your email address will not be published. Required fields are marked *