Threat Report: SolarWinds Supply Chain Attack and RCE Vulnerability

© Cysiv LLC, 2019. All rights reserved.

January 13th, 2021


Table of Contents

1 EXECUTIVE SUMMARY

2 DETECTION

3 ANALYSIS

3.1 The Supply Chain Attack

3.1.1 Breach Time Line

3.1.2 SunBurst Backdoor

3.1.3 Post-Infection Activities

3.2 CVE-2020-10148

3.2.1 The Vulnerability

3.2.2 SuperNova Web Shell Backdoor

4 REFERENCES

Table of Figures

Figure 1 – Different Attack Vectors of SunBurst and SuperNova

Figure 2 – Products Affected by SunBurst

Figure 3 – Key Events of the SolarWinds Supply Chain Attack

Figure 4 – Breach Time Line

Figure 5 – SunBurst/Solorigate Initialization Steps

Figure 6 – Domain Generation Algorithm (DGA)

Figure 7 – Generated Domains’ Structure

Figure 8 – SuperNova Web Shell Code


1 EXECUTIVE SUMMARY

SolarWinds Inc. is an American company that develops software that helps businesses manage their networks, systems, and information technology infrastructure. The company was compromised by an advanced persistent threat (APT) in March 2020 in a textbook supply chain attack that produced a long period of exposure with enormous potential impact for SolarWinds customers. The issue was discovered in December 2020, but evidence suggests the threat actor behind the incident had had access to SolarWinds internal systems since at least October 2019. Between March and June 2020, the threat actor inserted a backdoor named SunBurst (also known as Solorigate) into the Orion software build system. A second backdoor, the SuperNova web shell, was later found on victims' systems when the incident was investigated. The SunBurst backdoor reached SolarWinds Orion Platform users through the supply chain attack vector, whereas the SuperNova web shell was uploaded to vulnerable Orion instances through an API authentication bypass vulnerability (CVE-2020-10148) that allows remote code execution (RCE). Although the two pieces of malware were discovered in the same incident, no relationship between them has been clearly observed, which indicates that separate threat actors may be behind the two backdoors. Figure 1 illustrates the different attack vectors used to spread the SunBurst and SuperNova web shell backdoors.

Figure 1 – Different Attack Vectors of SunBurst and SuperNova


A supply chain attack, also known as a third-party attack, occurs when your system is compromised through a weakness at an outside partner, provider or vendor that has access to your systems and data. In this case, the SunBurst backdoor was inserted into the SolarWinds Orion software build system in March 2020. This supply chain attack is particularly sophisticated in its obfuscation because the malicious version of the dynamic-link library “SolarWinds.Orion.Core.BusinessLayer.dll”, which contains the backdoor, carries a valid SolarWinds signature. It also lies dormant for 12 to 14 days before taking malicious action, which makes detection more difficult. Because of these “features”, the SunBurst backdoor was able to stay under the radar for months before it was uncovered.

The API authentication bypass vulnerability (CVE-2020-10148) that allows remote code execution (RCE) is less sophisticated but affects almost all versions of the Orion Platform. The vulnerability allows attackers to upload and execute other malware on vulnerable systems, and SuperNova is only one of the possible payloads.

The supply chain attack and the RCE vulnerability affected many public and private organizations around the world for months before the first report was published in the middle of December 2020. SolarWinds has currently identified 18,000 customers of its products that may be affected by the SunBurst backdoor, and almost all of its Orion Platform versions older than 2020.2.1 HF2 are vulnerable to the CVE-2020-10148 security flaw. Many high-profile entities disclosed that they had been breached as part of the incident within a few days of the first report, and the number keeps increasing as the incident unfolds. We expect that many more breaches related to this supply chain attack will be discovered in the next few months. Cysiv has taken active measures to ensure its clients are protected from attackers that might attempt to exploit the SolarWinds breach.

We published a Security Advisory to address the incident; this report expands on key information about the breach and provides in-depth analysis for detection and remediation. We expect that cleaning compromised systems and confirming removal of the threat will be challenging for organizations, due to its sophisticated nature and because additional malware may have been installed on the systems. Therefore, organizations without the expertise to investigate and respond to this incident should immediately seek help from cyber security companies.

Protection Provided by Cysiv:

Cysiv SOC-as-a-Service provides protection from a broad range of threats:

• 24x7 monitoring provides organizations with real time alerts and quick isolation and remediation to contain a threat during the early stages of an attack to prevent a compromise, data loss or breach.

• Human-led threat hunting helps to identify suspicious activity and digital footprints that are indicative of an intrusion.

• Anti-malware that may already be deployed (or can be deployed by Cysiv) on endpoints, for users, and that can be monitored as part of the Cysiv service, will constantly monitor for abnormal activities and block any connection to suspicious URLs, IPs and domains.


• Anti-malware that may already be deployed (or can be deployed by Cysiv) on servers and workloads, and that can be monitored as part of the Cysiv service, uses a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless malware. Additionally, it monitors events and quickly examines which processes or events are triggering malicious activity.

• Network security appliances that may already be deployed (or can be deployed by Cysiv) and that can be monitored as part of the Cysiv service will detect malicious attachments and URLs, and are able to identify suspicious communication over any port, and over 100 protocols. These appliances can also detect remote scripts even if they’re not being downloaded in the physical endpoint.

2 DETECTION

The information provided in this section on the key artifacts and behaviors of the backdoors and the threat actors behind them can be used to scan your systems to determine whether they are vulnerable, to perform more in-depth digital forensics, and to help mitigate the threats. The SolarWinds products affected by the SunBurst backdoor are listed in Figure 2.

Figure 2 – Products Affected by SunBurst

Orion Platform Version | File Version | SHA256
2020.2, 2020.2 HF1 | 2020.2.5300.12432 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
2020.2 RC2 | 2020.2.5200.12394 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
2020.2 RC1 | 2020.2.100.12219 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
2019.4 HF5 | 2019.4.5200.9083 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

The CVE-2020-10148 vulnerability affects any Orion Platform version older than 2020.2.1 HF2 (except 2019.4 HF 6). Note that although the vulnerability was exploited to spread SuperNova web shell, it can be exploited to spread any other malware. The scope means that almost all customers of the SolarWinds Orion Platform are considered vulnerable to at least one of the two threats. We recommend that SolarWinds Orion Platform customers assume that their systems have been compromised, upgrade their systems to the version 2020.2.1 HF2 or 2019.4 HF 6 as a hotfix, and execute incident response procedures immediately. Figure 3 lists the main phases and events surrounding the SolarWinds supply chain attack.


Figure 3 – Key Events of the SolarWinds Supply Chain Attack

Note that phases one to three are the same for all victims; the fourth phase, however, can differ between victims. More in-depth analysis of the kill chain is presented in section 3.1. The SuperNova web shell backdoor can be detected by scanning for the dynamic link library app_web_logoimagehandler.ashx.b6031896.dll, or for HTTP requests to the URL path “/Orion/logoimagehandler.ashx” that carry four URL parameters: “clazz”, “method”, “codes”, and “args”. Attackers can also exploit the CVE-2020-10148 vulnerability to spread other malware. Please refer to section 3.2 for detailed information.

3 ANALYSIS

3.1 The Supply Chain Attack

SolarWinds Orion Platform is a widely used network management system. Its customer base includes private, government, and security organizations. The supply chain attack targeting SolarWinds customers is not the first of its kind, but due to it having gone unnoticed for over a year and the breadth of systems affected, it has a very widespread scope of impact.


3.1.1 BREACH TIME LINE

The supply chain attack targeting SolarWinds customers was hidden for months before it was discovered and detailed investigations began. Figure 4 illustrates the main time-line of the incident.

Figure 4 – Breach Time Line

Although the SunBurst backdoor was inserted into the Orion software build system in March 2020, some evidence suggests that the threat actor behind the incident had gained access to the SolarWinds system since at least October 2019.

Between March 2020 and December 15, 2020, the threat actor(s) behind the supply chain attack gained access to the systems of SolarWinds customers via the infected Orion Platform software without being detected. The threat actor(s) were able to operate undetected long enough to exfiltrate data and install additional backdoors/malware. Therefore, applying the version 2020.2.1 HF2 or 2019.4 HF 6 hotfix alone is not guaranteed to eliminate all related threats. Threat modeling and incident response procedures will likely be needed to evaluate and seal all related breaches.

3.1.2 SUNBURST BACKDOOR

Once installed via the affected Orion platform software, the Sunburst backdoor will not communicate with its command and control (C2) servers immediately. It begins its malicious actions after a dormant phase, which is up to two weeks in duration. The backdoor communicates with its C2 servers via hypertext transfer protocol (HTTP), and it mimics legitimate Orion platform software behaviors and network traffic to reduce suspicion. The backdoor is also equipped with anti-forensic and anti-detection techniques.


3.1.2.1 Sunburst Malicious Code Injection Point

The SunBurst backdoor was inserted in the ‘SolarWinds.Orion.Core.BusinessLayer.dll’ DLL, under a new class named “OrionImprovementBusinessLayer”. Figure 5 shows the steps SunBurst takes to avoid detection and start its malicious activities.

Figure 5 – SunBurst/Solorigate Initialization Steps

The numbered steps in Figure 5 can be explained as follows:

1. Check the hash value of the current process name to make sure the DLL is loaded by solarwinds.businesslayerhost.exe.

2. Enforce a dormant phase of 12 to 14 days.

3. Create a named pipe "583da945-62af-10e8-4902-a8f205c72".

4. Obtain the name of the domain the current machine is joined to.

5. If the machine is not joined to any domain, or the joined domain matches the regular expression "(?i)([^a-z]|^)(test)([^a-z]|$)" or "(?i)(solarwinds)", the machine is not a potential victim and the backdoor terminates.

6. Generate a UserID by calculating the hash value of (MAC address + Domain Name + Machine Guid).

The SunBurst backdoor also tries to detect analysis tools and security software, such as Wireshark, Windbg, or groundling32.sys, to avoid being detected or analyzed.


3.1.2.2 Sunburst C2 Domain Generation

After the initial reconnaissance steps, the SunBurst backdoor will generate its command and control (C2) domain using the domain name generation algorithm shown in Figure 6.

Figure 6 – Domain Generation Algorithm (DGA)

The order and the values of domain1, domain2, and domain3, as well as the structure of the generated C2 domains, are illustrated in Figure 7.

Figure 7 – Generated Domains’ Structure

Although the SunBurst backdoor uses many advanced techniques to avoid detection, its domain generation algorithm (DGA) always builds the C2 domain under one fixed parent domain, which makes it easy to detect. The generated domain is always a subdomain of avsvmcloud[.]com, as shown in Figure 7. Therefore, a rule that matches CNAME DNS requests for any subdomain of avsvmcloud[.]com can detect the presence of the backdoor in the system.


3.1.2.3 SunBurst Backdoor Functionality

The SunBurst backdoor is capable of retrieving and executing commands, including:

• Collecting system information

• Deleting, writing, transferring and executing files

• Reading, setting, and deleting registry keys/values

• Disabling system services

• Computing file hash

• Rebooting the system

With these commands, the Sunburst backdoor is capable of stealing information and installing other malware on the infected host as well as supporting lateral movement in the network.

3.1.3 Post-Infection Activities

The post-infection activities may vary between different victims. It has been observed that the threat actor behind the supply chain attack used living off the land (LOL) tools for lateral movement, such as:

• Powershell -nop -exec bypass -EncodedCommand

• C:\Windows\System32\rundll32.exe to run malicious DLLs

Some second-stage payloads were also dropped by the threat actor, such as:

• Cobalt Strike software

• TearDrop malware

• Beacon malware

The Cybersecurity and Infrastructure Security Agency (CISA) revealed that the threat actor also used other techniques in their kill chain, for example abusing security assertion markup language (SAML) tokens for data exfiltration via authorized application programming interfaces (APIs), and using stolen secret keys to bypass Duo’s multi-factor authentication protecting access to Outlook Web App (OWA).

3.2 CVE-2020-10148

3.2.1 THE VULNERABILITY

CVE-2020-10148 was published on Dec 16, 2020, after the SuperNova web shell backdoor was found on Orion Platform instances impacted by the supply chain attack. This vulnerability is not related to the supply chain attack; it was used to spread the SuperNova web shell backdoor, but it could equally be exploited to deliver other malware.


The vulnerability allows attackers to bypass SolarWinds Orion API authentication by including one of the following strings in the Request.PathInfo of a request URI:

• WebResource.adx

• ScriptResource.adx

• i18n.ashx

• Skipi18n

Vulnerable versions of the SolarWinds Orion Platform then set the SkipAuthorization flag, allowing attackers to execute API commands without authenticating.

3.2.2 SUPERNOVA WEB SHELL BACKDOOR

By exploiting CVE-2020-10148, the attacker overwrites the Orion library app_web_logoimagehandler.ashx.b6031896.dll with a trojanized version that contains the SuperNova web shell backdoor. The original DLL exposes an HTTP API through the URL path “/Orion/logoimagehandler.ashx” and only responds to queries carrying the URL parameter “id”, returning the requested logo image. The trojanized version of the DLL, however, also serves HTTP requests that carry four URL parameters: “clazz”, “method”, “codes”, and “args”, as shown in Figure 8.

Figure 8 – SuperNova Web Shell Code

The web shell compiles the supplied parameters and executes the resulting code in memory on the fly, so that no artifact is left behind after the malicious code has run. In terms of functionality, the SuperNova web shell can perform any activity supported by the SunBurst backdoor despite its simplicity.
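An added detection example, not taken from the report: a small Python scanner that applies the two network indicators described in sections 3.1.2.2 and 3.2.2, SunBurst DNS queries for subdomains of avsvmcloud[.]com and SuperNova requests to /Orion/logoimagehandler.ashx carrying the clazz, method, codes and args parameters, to constructed DNS and web-access log lines. The log formats, client addresses and the DNS label are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report: every SunBurst DGA domain is a subdomain of
# avsvmcloud.com, and the SuperNova web shell answers requests to
# /Orion/logoimagehandler.ashx that carry the parameters clazz, method, codes, args.
SUNBURST_C2_ROOT = "avsvmcloud.com"
SUPERNOVA_PATH = "/orion/logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"clazz", "method", "codes", "args"}


def is_sunburst_dns(qname):
    """True when a queried name is avsvmcloud.com or any subdomain of it."""
    name = qname.strip().rstrip(".").lower()
    return name == SUNBURST_C2_ROOT or name.endswith("." + SUNBURST_C2_ROOT)


def is_supernova_request(target):
    """True when a request hits the logo handler with all four web shell params.

    The legitimate handler only takes 'id'; the trojanized DLL reads the four
    parameters listed in the report. Path and parameter names are compared
    case-insensitively because IIS routing is not case-sensitive.
    """
    parts = urlsplit(target)
    if parts.path.lower() != SUPERNOVA_PATH:
        return False
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return SUPERNOVA_PARAMS <= names


# Constructed sample logs for the demonstration (not real captures). The DNS
# label in the second line is made up; only the avsvmcloud.com suffix matters.
DNS_LOG = """\
2020-12-14T10:01:02Z client=10.0.0.5 qtype=A qname=www.solarwinds.com.
2020-12-14T10:02:45Z client=10.0.0.7 qtype=A qname=constructedlabel.avsvmcloud.com.
2020-12-14T10:03:10Z client=10.0.0.5 qtype=A qname=notavsvmcloud.com.
"""
WEB_LOG = """\
10.0.0.9 - - [14/Dec/2020:10:05:00 +0000] "GET /Orion/logoimagehandler.ashx?id=4 HTTP/1.1" 200 812
10.0.0.9 - - [14/Dec/2020:10:06:00 +0000] "GET /Orion/logoimagehandler.ashx?clazz=A&method=B&codes=C&args=D HTTP/1.1" 200 51
10.0.0.9 - - [14/Dec/2020:10:07:00 +0000] "POST /Orion/LogoImageHandler.ashx?Clazz=&Method=&Codes=&Args= HTTP/1.1" 200 51
10.0.0.9 - - [14/Dec/2020:10:08:00 +0000] "GET /Orion/Login.aspx HTTP/1.1" 200 2000
"""

DNS_RE = re.compile(r"client=(\S+).*?qname=(\S+)")
WEB_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def scan_logs(dns_log, web_log):
    """Return (indicator, client, evidence) tuples for every matching log line."""
    alerts = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and is_sunburst_dns(m.group(2)):
            alerts.append(("sunburst_dns", m.group(1), m.group(2)))
    for line in web_log.splitlines():
        m = WEB_RE.search(line)
        if m and is_supernova_request(m.group(2)):
            alerts.append(("supernova_http", m.group(1), m.group(2)))
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(DNS_LOG, WEB_LOG):
        print(*alert)
```

Because the web shell compiles whatever arrives in the parameters and leaves no file on disk, the request log is often the only durable trace, so retaining full query strings for this path matters.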


4 REFERENCES

• https://www.solarwinds.com/securityadvisory

• https://cyber.dhs.gov/ed/21-01/

• https://us-cert.cisa.gov/ncas/alerts/aa20-352a

• https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

• https://nvd.nist.gov/vuln/detail/CVE-2020-10148

Note: A comma-separated values (.csv) file of more IOCs is available separately.


Cysiv LLC

225 E. John Carpenter Freeway, Suite 1500, Irving, Texas, USA, 75062

www.cysiv.com