SUNBURST: SolarWinds Supply-Chain Attack

Introduction

Last week FireEye disclosed that a sophisticated state-sponsored adversary had gained unauthorized access to its environment and stolen the offensive security tools used by its red team. Although the theft of these tools will have an impact on future attacks carried out by the adversary, how the adversary gained access was a much bigger problem. Over the weekend FireEye shared more details of the compromise and broke the news that it had fallen victim to a supply-chain attack involving the IT services company SolarWinds. FireEye reported that the SolarWinds Orion software update had a backdoor injected into its code, which SolarWinds believes was included in updates released between March and June 2020. It should be noted, however, that some researchers have reported seeing activity as early as late 2019. FireEye dubbed the backdoor SUNBURST.

UPDATE: 17 December 2020

We are releasing three threat detection packages that will allow organizations to detect SUNBURST activity in their environment. Each package is given as a Splunk search, a Kibana Lucene query, and an Elasticsearch DSL query.

SUNBURST Known Malicious DNS Activity

Splunk

(query_type IN ("CNAME","A") AND (query="*avsvmcloud.com" OR answer="*avsvmcloud.com")) OR (query_type="A" AND query IN ("deftsecurity.com", "freescanonline.com", "thedoccloud.com", "websitetheme.com", "highdatabase.com", "incomeupdate.com", "databasegalore.com", "panhardware.com", "zupertech.com"))
| stats values(_time) as occurrences count by src, query, query_type, answer
| convert ctime(occurrences)

Elastic Lucene

((dns.question.name:/.*avsvmcloud\.com/ OR dns.answers.name:/.*avsvmcloud\.com/) AND (dns.question.type:/[Cc][Nn][Aa][Mm][Ee]|[Aa]/ OR dns.answers.type:/[Cc][Nn][Aa][Mm][Ee]|[Aa]/)) OR (dns.question.name:("deftsecurity.com" OR "freescanonline.com" OR "thedoccloud.com" OR "websitetheme.com" OR "highdatabase.com" OR "incomeupdate.com" OR "databasegalore.com" OR "panhardware.com" OR "zupertech.com") AND (dns.question.type:/[Aa]/ OR dns.answers.type:/[Aa]/))

Elastic DSL

{
  "bool": {
    "should": [
      {
        "bool": {
          "must": [
            {
              "query_string": {
                "fields": ["dns.question.type", "dns.answers.type"],
                "query": "/[Cc][Nn][Aa][Mm][Ee]|[Aa]/"
              }
            },
            {
              "query_string": {
                "fields": ["dns.question.name", "dns.answers.name"],
                "query": "/.*avsvmcloud\\.com/"
              }
            }
          ]
        }
      },
      {
        "bool": {
          "filter": [
            {
              "terms": {
                "dns.question.name": [
                  "deftsecurity.com",
                  "freescanonline.com",
                  "thedoccloud.com",
                  "websitetheme.com",
                  "highdatabase.com",
                  "incomeupdate.com",
                  "databasegalore.com",
                  "panhardware.com",
                  "zupertech.com"
                ]
              }
            }
          ],
          "must": [
            {
              "query_string": {
                "fields": ["dns.question.type", "dns.answers.type"],
                "query": "/[Aa]/"
              }
            }
          ]
        }
      }
    ],
    "minimum_should_match": 1
  }
}
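The DNS indicator logic above, applied to parsed DNS records, as an added example that is not part of the original post. It goes slightly beyond the queries: the avsvmcloud.com check matches on a label boundary, whereas the `*avsvmcloud.com` glob in the Splunk search would also match a name such as notavsvmcloud.com. Record field names (src, query, query_type, answer) follow the Splunk search; the sample records are constructed.

```python
from typing import Iterable

# Added example: the DNS indicator logic above, applied to parsed DNS records.
# The avsvmcloud.com check matches on a label boundary, which is stricter than
# the "*avsvmcloud.com" glob in the Splunk search (that glob would also match
# a name such as notavsvmcloud.com).

# Indicator list from the queries above, duplicates removed.
SUNBURST_DOMAINS = {
    "deftsecurity.com", "freescanonline.com", "thedoccloud.com",
    "websitetheme.com", "highdatabase.com", "incomeupdate.com",
    "databasegalore.com", "panhardware.com", "zupertech.com",
}
DGA_PARENT = "avsvmcloud.com"


def is_dga_subdomain(name: str) -> bool:
    """True for avsvmcloud.com itself or any name beneath it."""
    n = name.lower().rstrip(".")
    return n == DGA_PARENT or n.endswith("." + DGA_PARENT)


def matches_sunburst_dns(rec: dict) -> bool:
    """rec keys: src, query, query_type, answer (answer may be empty)."""
    qtype = rec.get("query_type", "").upper()
    query = rec.get("query", "").lower().rstrip(".")
    answer = rec.get("answer", "").lower()
    if qtype in ("CNAME", "A") and (is_dga_subdomain(query) or is_dga_subdomain(answer)):
        return True
    # Second branch of the query: an A lookup for one of the listed domains.
    return qtype == "A" and query in SUNBURST_DOMAINS


def find_hits(records: Iterable[dict]) -> list:
    """Return (src, query, query_type, answer) for each matching record."""
    return [(r["src"], r["query"], r["query_type"], r.get("answer", ""))
            for r in records if matches_sunburst_dns(r)]


# Constructed sample records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "query": "example-label.avsvmcloud.com", "query_type": "CNAME",
     "answer": "freescanonline.com"},
    {"src": "10.0.0.5", "query": "freescanonline.com", "query_type": "A", "answer": "203.0.113.9"},
    {"src": "10.0.0.7", "query": "notavsvmcloud.com", "query_type": "A", "answer": ""},
    {"src": "10.0.0.8", "query": "deftsecurity.com", "query_type": "TXT", "answer": ""},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_RECORDS):
        print(hit)
```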

SUNBURST Suspicious Processes for SolarWinds Orion Software

Splunk

index=sysmon sourcetype="sysmon:xml" ParentImage="*\\SolarWinds.BusinessLayerHost.exe" AND NOT Image IN ("*\\SolarWinds\\Orion\\APM\\APMServiceControl.exe", "*\\SolarWinds\\Orion\\ExportToPDFCmd.Exe", "*\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe", "*\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe", "*\\SolarWinds\\Orion\\Database-Maint.exe", "*\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe", "*\\Windows\\SysWOW64\\WerFault.exe")
| stats values(_time) as occurrences, values(Image) as ChildProcesses, values(CommandLine) as CommandLines count by host, ParentImage
| convert ctime(occurrences)

Elastic Lucene

process.parent.executable:/.*[Ss][Oo][Ll][Aa][Rr][Ww][Ii][Nn][Dd][Ss]\.[Bb][Uu][Ss][Ii][Nn][Ee][Ss]+[Ll][Aa][Yy][Ee][Rr][Hh][Oo][Ss][Tt]\.[Ee][Xx][Ee]/ AND NOT (process.executable:/.*\\Windows\\SysWOW64\\WerFault\.exe/ OR process.executable:/.*\\SolarWinds\.Orion\.ApiPoller\.Service\\SolarWinds\.Orion\.ApiPoller\.Service\.exe/ OR process.executable:/.*\\SolarWinds\\Orion\\Database-Maint\.exe/ OR process.executable:/.*\\SolarWinds\\Orion\\Topology\\SolarWinds\.Orion\.Topology\.Calculator\.exe/ OR process.executable:/.*\\SolarWinds\\Orion\\ExportToPDFCmd\.exe/ OR process.executable:/.*\\SolarWinds\\Orion\\APM\\APMServiceControl\.exe/ OR process.executable:/.*\\SolarWinds\.Credentials\\SolarWinds\.Credentials\.Orion\.WebApi\.exe/)

Elastic DSL

{
  "bool": {
    "must": [
      {
        "query_string": {
          "query": "/.*[Ss][Oo][Ll][Aa][Rr][Ww][Ii][Nn][Dd][Ss]\\.[Bb][Uu][Ss][Ii][Nn][Ee][Ss]+[Ll][Aa][Yy][Ee][Rr][Hh][Oo][Ss][Tt]\\.[Ee][Xx][Ee]/",
          "fields": ["process.parent.executable"]
        }
      }
    ],
    "must_not": [
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds\\.Orion\\.Topology\\.Calculator\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\\\Orion\\\\Database-Maint\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\.Orion\\.ApiPoller\\.Service\\\\SolarWinds\\.Orion\\.ApiPoller\\.Service\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\Windows\\\\SysWOW64\\\\WerFault\\.exe/",
          "fields": ["process.executable"]
        }
      },
      {
        "query_string": {
          "query": "/.*\\\\SolarWinds\\.Credentials\\\\SolarWinds\\.Credentials\\.Orion\\.WebApi\\.exe/",
          "fields": ["process.executable"]
        }
      }
    ]
  }
}

SUNBURST Named Pipe Indicator

Splunk

index=sysmon sourcetype="sysmon:xml" (EventID=17 OR EventID=18) PipeName="*583da945-62af-10e8-4902-a8f205c72b2e"
| stats values(_time) as occurrences, values(EventID) as eventID, values(PipeName) as pipeName count by host
| convert ctime(occurrences)

Elastic Lucene

event.code:("17" OR "18") AND file.name:"583da945-62af-10e8-4902-a8f205c72b2e"

Elastic DSL

{
  "bool": {
    "must": [
      {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "17",
                "fields": ["event.code"]
              }
            },
            {
              "query_string": {
                "query": "18",
                "fields": ["event.code"]
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "query_string": {
          "query": "583da945-62af-10e8-4902-a8f205c72b2e",
          "fields": ["file.name"]
        }
      }
    ]
  }
}
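The two Sysmon rules above (suspicious children of SolarWinds.BusinessLayerHost.exe, and the SUNBURST named pipe), applied to parsed Sysmon events as an added example that is not part of the original post. Event field names follow Sysmon's native names (EventID, Computer, ParentImage, Image, PipeName); the sample events and paths are constructed.

```python
from fnmatch import fnmatch

# Added example: the two Sysmon rules above as Python over parsed events.
PARENT_PATTERN = "*\\solarwinds.businesslayerhost.exe"
# Expected children of BusinessLayerHost, from the allowlist in the queries above.
EXPECTED_CHILDREN = [
    "*\\solarwinds\\orion\\apm\\apmservicecontrol.exe",
    "*\\solarwinds\\orion\\exporttopdfcmd.exe",
    "*\\solarwinds.credentials\\solarwinds.credentials.orion.webapi.exe",
    "*\\solarwinds\\orion\\topology\\solarwinds.orion.topology.calculator.exe",
    "*\\solarwinds\\orion\\database-maint.exe",
    "*\\solarwinds.orion.apipoller.service\\solarwinds.orion.apipoller.service.exe",
    "*\\windows\\syswow64\\werfault.exe",
]
SUNBURST_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"

def suspicious_orion_child(ev):
    """Event ID 1: parent is BusinessLayerHost and the child is not allowlisted."""
    if ev.get("EventID") != 1 or not fnmatch(ev.get("ParentImage", "").lower(), PARENT_PATTERN):
        return False
    child = ev.get("Image", "").lower()
    return not any(fnmatch(child, p) for p in EXPECTED_CHILDREN)

def sunburst_pipe(ev):
    """Event ID 17/18: Sysmon logs PipeName with a leading backslash, so strip it."""
    return ev.get("EventID") in (17, 18) and \
        ev.get("PipeName", "").lstrip("\\").lower() == SUNBURST_PIPE

def evaluate(events):
    """Return (host, rule, detail) for every event a rule fires on."""
    hits = []
    for ev in events:
        if suspicious_orion_child(ev):
            hits.append((ev["Computer"], "orion_child", ev["Image"]))
        if sunburst_pipe(ev):
            hits.append((ev["Computer"], "named_pipe", ev["PipeName"]))
    return hits

# Constructed sample events (not real telemetry).
ORION_HOST = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "orion01", "ParentImage": ORION_HOST,
     "Image": r"C:\Program Files (x86)\SolarWinds\Orion\APM\APMServiceControl.exe"},
    {"EventID": 1, "Computer": "orion01", "ParentImage": ORION_HOST,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 17, "Computer": "orion01", "PipeName": "\\" + SUNBURST_PIPE},
    {"EventID": 17, "Computer": "orion02", "PipeName": r"\lsass"},
]
```

Running `evaluate(SAMPLE_EVENTS)` reports only the non-allowlisted child and the pipe creation on orion01; the allowlisted APMServiceControl.exe launch and the unrelated pipe produce nothing.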

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.