Eric Humphries
More by Eric Humphries
- Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
- How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
- Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.
Known breaches include:
FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.
U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.
Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:
- First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
- SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
- Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.
[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 383 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 1737 [post_author] => 8 [post_date] => 2014-10-13 07:00:37 [post_date_gmt] => 2014-10-13 07:00:37 [post_content] => Not enough emphasis is given to IT asset management. This is one of the first things an organization needs to get under control before they can really implement any security program. Yet few people do it well, if at all. How can you possibly protect an environment if you don't know what assets make up that environment? Lets quickly define what I mean by "IT asset." An asset can be any computer, server, network device, application, database, archive of uncompiled code, or whatever that has monetary or perceived value to the business. It's easy to justify why a piece of hardware or software is an asset, as there is a direct cost involved with procurement, management, and maintenance. You also depreciate your hardware investments in your accounting books, so even those with the checkbooks are acutely aware of hardware costs and value. The not-so-obvious items are web applications and databases. Some disagree that a database is an "asset" but what if that database contains your entire customer list? Isn't that important to the business? Essentially, if your IT department spends time working on, fixing, installing, or maintaining it as a part of their day-to-day duties, it's probably an asset. There are some very basic questions you should be able to answer with a high level of precision about your assets and, if you can't, IT assets aren't being managed properly in your organization. Let me give you an example:- How many physical servers do you have?
- How many laptops does the business own?
- When were assets purchased?
- How many servers are physical vs. virtual?
- What operating systems are your systems running (and what are their patch levels)?
- What MAC addresses are assigned to each system?
- Who owns each server? How do you get ahold of them? Who is the second point of contact if they're not available?
- How many web applications do you have?
- How many licenses of Microsoft Office do you have?
- What is your total annual maintenance commitment for software?
- What is the circuit ID of your main Internet connection and what is the best number to call in case of an outage? (You don't want to have to look through years of bills to try and identify this when your business is down.)
- AssetID
- Asset type: circuit, server, desktop, laptop, router, switch, web application, standalone application, database, SAN head, NAS head, disk shelf, firewall, bridge, thin WAP, thick WAP, wifi controller, other.
- Purchased from?
- Sales contact name
- Sales contact number
- Sales contact email
- Purchase date
- Purchase order number
- Purpose
- Physical location (Minneapolis, 511, rack 12, position 13-15)
- Unit cost
- Maintenance cost
- Deploy date
- Retirement date / lifecycle information
- Data classification
- Server classification
- Circuit ID
- Emergency contact name
- Emergency contact number
- Emergency contact email
- Service Level Agreement (SLA)
- Make
- Model
- PSU (single, dual, n+1, n+2, other)
- CPU
- Memory
- IP addresses associated
- Hostnames
- MAC addresses
- Operating system (very specific)
- Virtual/physical
- Physical host ID (another AssetID if virtual)
- Has virtual guests? (is a virtual host)
- Owner & contact info
- Secondary owner & contact info
- Upstream dependencies
- Downstream dependencies
- Hardware change history
- Software change history
- Failure history
- Patch history
- Notes
- How your organization is going to perform asset discovery;
- How you plan to capture the data to populate the database;
- How you plan to keep it up-to-date and verify the integrity of the data;
- Acceptable use of assets;
- Your organization's official IT asset lifecycle for each major type of asset; and
- Data and server classification policies.
- Vulnerabilities on a website
- Vulnerabilities in software distributed by that company
- Vulnerabilities in services offered by the company
- Vulnerabilities on a public facing network or system that is maintained by that company
- Publicly leaked information on a websites like pastebin
- Sensitive documents blowing in the parking lot
- Have an employee check this box once in a while, and manually distribute the messages to those that need the information.
- Create a secondary mailbox in Exchange that people can attach to and have your infosec department manage the mailbox.
- Create a distribution group or mailing list with key members of your organization subscribed.
- Have a ticketing system monitor the mailbox and create cases or tickets automagically when something comes in.
- All messages received on SECURITY@domain.tld should send an auto-reply back to the user immediately thanking them for their submission, and include a URL to a page with more information about that company’s vulnerability process. (We could even standardize the URL, how about something like www.domain.tld/security/?)
- Within no more than 7 calendar days, the vendor MUST send a response back to the vulnerability submitter. The response should contain a case or ticket number they can reference in the future and a means of communication to check up on the status of the vulnerability. This gives the vendor an opportunity to accept the vulnerability as legitimate and issue a case or ticket number, and drop all other spam messages without assigning case numbers to bogus requests or spam messages. If no ticket number is issued within 72 hours for any reason at all, the submitter is free to disclose publically. If the submission is granted a ticket number, a three-month gag order and moratorium starts. The submitter should be reasonable and grant more time if the vendor gives a valid reason. For example, if the vulnerability were so widespread that a vendor would have to rewrite the entire application from the ground up, 3 months wouldn’t be enough time.
- Once 3 months (or whatever the agreed upon time frame) is up, the vulnerability submitter is free to speak, blog, tweet about the vulnerability as they see fit. Once the gag timer expires, the submitter’s responsibility is terminated.
- Firewall checklist (short) - short and to the point - for use on a regular basis. Use one form per device per quarter (or more frequently if you're able). NetSPI recommends that you look at your firewalls as often as you can, within reason.
- Firewall checklist (long) - same as above, but this includes some long form descriptions about why this is on the list, as well as example values. The example can be neutral, positive, or negative.
Vendors
The first place to look for security guidance is always the vendors:Microsoft Hyper-V
Microsoft released Hyper-V as a free hypervisor that runs on top of windows with Windows Server 2008. Here are a couple resources you can use: https://technet.microsoft.com/en-us/library/dd569113.aspx - Hyper-V Security Guide https://www.microsoft.com/en-us/download/details.aspx?id=16650 – Hyper-V Security Guide downloadVMware
VMware is the best known, longest running hypervisor out there. Their products have gone through a lot of changes over the years, so it’s pretty important to track the version of VMware/vSphere you’re using closely. Listed below are the hardening guides for each version:VMware 3 (Seriously? You should update!):
https://www.vmware.com/pdf/vi3_security_hardening_wp.pdfvSphere 4.0:
https://www.vmware.com/files/pdf/techpaper/VMware_vSphere_HardeningGuide_May10_EN.pdfvSphere 4.1:
https://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR-SECRTY-HRDNG-USLET-101-WEB-1.pdfvSphere 5 (brand new):
https://communities.vmware.com/servlet/JiveServlet/downloadBody/19605-102-1-26036/HardeningGuide-vSphere50-v1.0.xlsxXen
Xen is a very popular open source hypervisor. I couldn’t find any specific hardening documents for Xen, but I believe the standard Linux hardening guides will go a long way. Here is a portal for their documentation: https://xen.org/support/documentation.htmlThird Parties
Vendors are great and all, but I think objective third parties provide the most insight into the problem, as they’re not trying to sell you on how great their software is or ram virtual security appliances down your throat.Defense Information Systems Agency (DISA) STIG:
https://communities.vmware.com/servlet/JiveServlet/downloadBody/9482-102-1-6731/esx_server_stig_v1r1_final.pdfCloud Security Alliance:
https://cloudsecurityalliance.org/csaguide.pdfSANS:
https://www.sans.org/reading_room/analysts_program/vmware-guide-may-2010.pdfCIS Security Benchmarks:
https://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.virtualizationRegulatory
Aren’t regulations fun? While not exactly a security data point, regulation guidance is useful at times.PCI Security Standards Council:
https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf [post_title] => Virtualization Security Resources [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => virtualization-security-resources [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:16 [post_modified_gmt] => 2021-04-13 00:06:16 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1201 [menu_order] => 740 [post_type] => post [post_mime_type] => [comment_count] => 1 [filter] => raw ) ) [post_count] => 5 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 20716 [post_author] => 91 [post_date] => 2020-12-15 09:41:57 [post_date_gmt] => 2020-12-15 09:41:57 [post_content] =>As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.
While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.
For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.
Overview: SolarWinds Orion Manual Supply Chain Attack
On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.
- Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
- How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
- Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.
Known breaches include:
FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.
U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.
Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:
- First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
- SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
- Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.
[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 383 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 5 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 0743aa6b0eb32e261196eef2f3b09ace [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )