Target Selection: SolarWinds' Orion 'Big Fish' Most at Risk
Suspected Cyberespionage Operators Likely Only Hacked the Juiciest of Targets
As befits any data breach investigation that is rapidly unfolding in the public eye, more details about the SolarWinds breach continue to appear seemingly on an hourly basis.
Unfortunately, newly discovered victims are continuing to come forward at nearly the same pace, especially because attackers appear to have been operating undetected for at least nine months after successfully Trojanizing multiple versions of SolarWinds' Orion network-monitoring security software, beginning in March. The Trojanized software was still available for download on Monday, and for some breached organizations, attackers may still be inside their network.
Another measure of the problem: On Monday, SolarWinds removed a list of selected customers from its website, although an archived customer list remains online.
SolarWinds says it has 300,000 organizations as customers, and 18,000 of them were running a version of its Orion software that had been Trojanized by attackers. The hackers added a backdoor - dubbed "SUNBURST" by FireEye - to a legitimate SolarWinds software library named "SolarWinds.Orion.Core.BusinessLayer.dll" (see: SolarWinds Incident Response: 4 Essential Security Alerts).
FireEye says it has seen multiple versions of SUNBURST in the wild.
Victims identified so far include FireEye, which discovered the attack campaign, and reportedly at least five U.S. government agencies: the Commerce, Homeland Security, State and Treasury departments, as well as the National Institutes of Health.
Other SolarWinds customers that may be vulnerable include 425 of the 500 largest publicly traded U.S. companies, as well as all five branches of the U.S. military, the Pentagon, NASA and the National Security Agency.
On Tuesday, security blogger Brian Krebs reported that Microsoft appears to have seized a domain involved in the attackers' command-and-control infrastructure. That could lead to researchers being able to identify more organizations' environments that were in communication with the attackers' infrastructure.
What's on the Menu?
News reports referencing anonymous sources say the Russian government-backed hacking team Cozy Bear, aka APT 29, is suspected of launching these attacks. So this could be a cyberespionage operation, with spies limiting their efforts to only the juiciest of targets.
If so, expect the MO of this operation to mirror previous campaigns, such as the backdoor inserted into Avast's CCleaner software that was discovered in 2017 (see: Trojanized Avast CCleaner Attack Targeted Major Tech Firms).
Such attacks typically unfold in multiple stages, from least damaging to most concerning, as the operators focus their efforts:
- Opportunistic: Infected systems broadcast their existence to attackers' command-and-control infrastructure.
- Victims of interest: Attackers conduct reconnaissance of more interesting-looking victims.
- High-value targets: Attackers more thoroughly breach the most valuable targets and exfiltrate extensive quantities of data.
"Here is the good news: No adversary has enough human resources to effectively exploit every potential victim. They pretty much have to focus on those they care most about," tweets Dmitri Alperovitch, the co-founder and former CTO of cybersecurity firm CrowdStrike.
In other words, most Orion customers running the backdoored software - potentially up to 18,000 organizations - will have fallen only into the first stage. The victim count for later attack stages remains to be seen.
In its analysis of this campaign, FireEye says that, for some targets, the attackers pushed "a memory-only dropper" that it dubbed "TEARDROP," which "does not have code overlap with any previously seen malware."
FireEye says TEARDROP appears to have installed a customized version of the Cobalt Strike Beacon penetration-testing software.
Attackers Trojanized Orion
The Orion product does not auto-update. Rather, users have to install updates themselves, which suggests that the attackers managed to sneak their backdoor into SolarWinds' software development processes.
"Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll," security researchers at Microsoft said in a Sunday blog post.
SolarWinds recommends that users exclude that DLL file from antivirus scans, because otherwise it might trigger false security alerts.
"Compromising that DLL was well thought out," tweets cybersecurity expert Alan Woodward, who's a visiting professor at the University of Surrey in England. "If the antivirus was set to explicitly exclude the directory holding the product's DLLs, then regardless of any change, it would not have scanned it. So even if the malware were known about by the antivirus, it would be bypassed."
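A defender's follow-up to the exclusion point above, added here as an example and not code from the article, SolarWinds or the researchers quoted: this PowerShell snippet lists the Microsoft Defender exclusions on a host and flags any that would shield the Orion DLL named above from scanning. It assumes Defender is the endpoint antivirus and that Orion is installed under the default 'C:\Program Files (x86)\SolarWinds\Orion' directory (both assumptions; adjust for your environment).

```powershell
# Added example: audit Microsoft Defender exclusions that would shield the Orion DLL.
# Assumes Defender is the endpoint AV; other products expose their exclusions differently.
$OrionDir = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed default install path
$OrionDll = Join-Path $OrionDir 'SolarWinds.Orion.Core.BusinessLayer.dll'

$pref = Get-MpPreference

# A path exclusion covers the file if it names the file itself or any parent directory.
# Exclusions that already contain wildcards are honoured because -like expands them.
$pathHits = @($pref.ExclusionPath | Where-Object {
    $_ -and ($OrionDll -like ($_.TrimEnd('\') + '*'))
})

# An extension exclusion for "dll" shields every DLL on the host, this one included.
$extHits = @($pref.ExclusionExtension | Where-Object {
    $_ -and ($_.TrimStart('.') -ieq 'dll')
})

# A process exclusion skips files opened by that process; Orion's own services load the DLL.
$procHits = @($pref.ExclusionProcess | Where-Object {
    $_ -and (($_ -like '*SolarWinds*') -or ($_ -like '*Orion*'))
})

[pscustomobject]@{
    DllPresent         = Test-Path $OrionDll
    PathExclusions     = $pathHits
    ExtensionExclusion = $extHits
    ProcessExclusions  = $procHits
    Shielded           = ($pathHits.Count + $extHits.Count + $procHits.Count) -gt 0
}
```

If Shielded comes back true, the antivirus verdict on that directory says nothing about the DLL's integrity, so verify the file against the vendor-published indicators for the Trojanized versions rather than relying on the scanner.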
Cybersecurity firm Volexity, based in Reston, Virginia, says that, based on information released by FireEye, it has now tied a previous investigation - into a breach of an unnamed think tank - to this campaign.
It says the same group of attackers - dubbed "UNC2452" by FireEye and "Dark Halo" by Volexity - breached the think tank three times.
First, it used "multiple tools, backdoors and malware implants that had allowed the attacker to remain undetected for several years" before being found and ejected.
Next, the same attackers exploited "a vulnerability in the organization's Microsoft Exchange Control Panel," and also used "a novel technique to bypass Duo multifactor authentication to access the mailbox of a user via the organization's Outlook Web App service." In the final incident, the attackers "breached the organization by way of its SolarWinds Orion software in June and July."
Existential Security Problem
Many breached organizations claim to have been hit by sophisticated hackers, or sometimes nation-state attackers, to try to reduce their perceived culpability (see: Yahoo Breach: The Great 'Nation-State' Cop Out). But in this campaign, those descriptions both appear to legitimately apply.
How in the world would customers be able to detect such sophisticated malfeasance?
There are no easy answers to that question, as information security veterans, such as Jeremiah Grossman, CEO at Bit Discovery, have been highlighting. Notably, the same tactics were used in the 2017 NotPetya attack, which the U.S. government has accused Russia of perpetrating.
"Did we ever land on a good prophylactic solution after NotPetya? UEBA may be the best we can do? It's a super hard and apparently very rare problem." - Tod Beardsley (@todb), December 14, 2020
"Did we ever land on a good prophylactic solution after NotPetya?" tweets Tod Beardsley, director of research at Rapid7, adding that user and entity behavior analytics, or UEBA, might be part of the solution, but not a complete one. "It's a super hard and apparently very rare problem."