Fortinet : What We Have Learned So Far about the “Sunburst”/SolarWinds Hack

12/21/2020 | 03:01pm EST
Introduction

It was recently reported that a nation-state threat actor managed to infiltrate a large number of organizations, including multiple US government agencies. They did this by distributing backdoor software, dubbed SunBurst, through a compromise of the software update system for SolarWinds' Orion IT monitoring and management product. Based on SolarWinds' own figures, roughly 33,000 organizations use Orion, and up to 18,000 of them installed the malicious update. As more details have become available, it has become clear that this is one of the most evasive and significant cyberattacks to date.

Over the past week, the FortiGuard Labs research teams have worked to uncover more details on the attack and to ensure our customers are protected; those details can be found in our Threat Signal Blog. In this blog, we share more of what we have learned, the protections currently provided by products in our portfolio, and the proactive steps we have taken using our FortiEDR platform to secure our customers.

SunBurst Campaign Overview

To help readers better understand this campaign, I will describe, at a high level, the steps taken by the SunBurst malware and the threat actor after the initial infiltration.

After a successful infiltration of the supply chain, the SunBurst backdoor, a trojanized version of the file SolarWinds.Orion.Core.BusinessLayer.dll, was inserted into the software distribution system and delivered to customers as part of an official update package from the vendor. Once installed, it lies dormant for 12 to 14 days before taking any action. Once the waiting period is over, the backdoor takes steps to ensure it is running in one of the environments targeted by the attacker, rather than in a lower-value organization or in a sandbox or other malware analysis environment. The attacker appears to have wanted to stay as far below the industry's radar as possible while carrying out a narrowly targeted mission.

Here is a high-level overview of the checks it performs before doing anything else:
  • Domain name validation. It inspects the domain of the compromised machine and aborts if:
    • It contains certain blocklisted strings.
    • It is a SolarWinds domain.
    • It contains the string 'test'.
  • It validates that no analysis tools, such as Wireshark, are running.
  • It also checks that none of the security software the attacker wants to avoid is running.

Once all of the validations pass, it calls home to the threat actor's command-and-control (C2) infrastructure and sends information that identifies the breached organization. Note: since most of the organizations that received this malware were NOT targets of the threat actor, this is where the attack appears to have ended for many of them.
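The dormancy wait and the three environment checks described above are what a detonation sandbox has to satisfy before the backdoor will show any network behaviour. The model below is an added illustration, not code from the original post, from Fortinet, or from the malware itself: it reconstructs the gating logic as the post describes it (a 12 to 14 day wait, a domain that must not be a SolarWinds domain or contain 'test', no analysis tools such as Wireshark, no unwanted security software) and reports which checks a given host profile would fail. The process names other than Wireshark, the security-product names, the host profiles and the timestamps are constructed assumptions chosen for illustration, not the backdoor's real lists.

```python
"""Model of the SunBurst victim-selection checks described in the post.

Added illustration, not the malware's own code.  The dormancy window and
the three check categories come from the post; every concrete name below
other than 'wireshark' is an assumption made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# The post gives a 12 to 14 day wait; the model uses the lower bound.
DORMANCY_DAYS = 12

# Substrings that disqualify a domain.  The post names SolarWinds' own
# domain and the string 'test'; no other strings are assumed here.
BLOCKED_DOMAIN_SUBSTRINGS = ("solarwinds", "test")

# Analysis tools whose presence aborts execution.  'wireshark' is from the
# post; the other entries are common tools added as an assumption.
ANALYSIS_TOOLS = {"wireshark", "procmon", "x64dbg", "ida64"}

# Security software the attacker avoids (illustrative placeholders only).
SECURITY_SOFTWARE = {"edr-agent", "av-service"}


@dataclass
class HostProfile:
    """Facts about a host that the checks look at (constructed input)."""
    domain: str
    running_processes: List[str]
    install_time: datetime  # when the trojanized update was installed


def _normalize(process_name: str) -> str:
    """Lower-case a process name and drop a trailing '.exe'."""
    name = process_name.lower()
    return name[:-4] if name.endswith(".exe") else name


def failed_checks(profile: HostProfile, now: datetime) -> List[str]:
    """Return the reasons the backdoor would stay silent on this host.

    An empty list means every check passed and the backdoor would beacon.
    Reasons are reported in the order the post lists the checks:
    dormancy, domain, analysis tools, security software.
    """
    reasons: List[str] = []

    if now - profile.install_time < timedelta(days=DORMANCY_DAYS):
        reasons.append("dormancy window not elapsed")

    domain = profile.domain.lower()
    for needle in BLOCKED_DOMAIN_SUBSTRINGS:
        if needle in domain:
            reasons.append(f"domain contains {needle!r}")

    procs = {_normalize(p) for p in profile.running_processes}
    tools = sorted(procs & ANALYSIS_TOOLS)
    if tools:
        reasons.append("analysis tool running: " + ", ".join(tools))

    sec = sorted(procs & SECURITY_SOFTWARE)
    if sec:
        reasons.append("security software running: " + ", ".join(sec))

    return reasons


def would_beacon(profile: HostProfile, now: datetime) -> bool:
    """True only when no check fails, i.e. the host looks like a real target."""
    return not failed_checks(profile, now)


# Constructed sample data: a short sandbox run and a patient enterprise host.
INSTALL_TIME = datetime(2020, 3, 26, 9, 0)
NOW_DURING_WAIT = INSTALL_TIME + timedelta(hours=2)   # typical sandbox run
NOW_AFTER_WAIT = INSTALL_TIME + timedelta(days=14)    # past the dormancy window

SANDBOX_HOST = HostProfile(
    domain="test.sandbox.local",
    running_processes=["explorer.exe", "Wireshark.exe", "svchost.exe"],
    install_time=INSTALL_TIME,
)
ENTERPRISE_HOST = HostProfile(
    domain="corp.example",
    running_processes=["explorer.exe", "svchost.exe", "outlook.exe"],
    install_time=INSTALL_TIME,
)

if __name__ == "__main__":
    for label, host, now in (("sandbox", SANDBOX_HOST, NOW_DURING_WAIT),
                             ("enterprise", ENTERPRISE_HOST, NOW_AFTER_WAIT)):
        print(label, "beacons" if would_beacon(host, now) else "stays silent",
              failed_checks(host, now))
```

Running the sandbox profile for two hours with Wireshark open and a 'test' domain fails three of the four gates at once, which is why short automated detonations of the update produced no network indicators; the enterprise profile only fails the dormancy gate until the clock is advanced past the waiting period.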

The C2 domain name is composed from a prefix generated from data on the machine, so the first beacon itself tells the attacker which organization has checked in. An example domain can be seen in Figure 1:

Disclaimer

Fortinet Inc. published this content on 21 December 2020 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 21 December 2020 20:00:01 UTC

© Publicnow 2020
