More SolarWinds News

Microsoft analyzed details of the SolarWinds attack:

Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but Crowdstrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019, at the time hackers breached SolarWinds’ internal network. Other related malware includes Teardrop aka Raindrop.

Details are in the Microsoft blog:

We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection. This blog provides details about this handover based on a limited number of cases where this process occurred. To uncover these cases, we used the powerful, cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view.

This is all important, because MalwareBytes was penetrated through Office 365, and not SolarWinds. New estimates are that 30% of the SolarWinds victims didn’t use SolarWinds:

Many of the attacks gained initial footholds by password spraying to compromise individual email accounts at targeted organizations. Once the attackers had that initial foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft’s cloud services. Another of the Advanced Persistent Threat (APT)’s targets, security firm CrowdStrike, said the attacker tried unsuccessfully to read its email by leveraging a compromised account of a Microsoft reseller the firm had worked with.

On attribution: Earlier this month, the US government has stated the attack is “likely Russian in origin.” This echos what then Secretary of State Mike Pompeo said in December, and the Washington Post‘s reporting (both from December). (The New York Times has repeated this attribution — a good article that also discusses the magnitude of the attack.) More evidence comes from code forensics, which links it to Turla, another Russian threat actor.

And lastly, a long ProPublica story on an unused piece of government-developed tech that might have caught the supply-chain attack much earlier:

The in-toto system requires software vendors to map out their process for assembling computer code that will be sent to customers, and it records what’s done at each step along the way. It then verifies electronically that no hacker has inserted something in between steps. Immediately before installation, a pre-installed tool automatically runs a final check to make sure that what the customer received matches the final product the software vendor generated for delivery, confirming that it wasn’t tampered with in transit.

I don’t want to hype this defense too much without knowing a lot more, but I like the approach of verifying the software build process.

Posted on February 3, 2021 at 6:10 AM9 Comments

Comments

OneAnonTechie February 3, 2021 10:41 AM

How do we ensure that the “in-toto” system is not hacked ?
I am not aware of any automated system which can detect hacked code all the time. Since, some of these hacks are by insiders, it would be quite difficult to detect …

Clive Robinson February 3, 2021 11:30 AM

@ ALL,

New estimates are that 30% of the SolarWinds victims didn’t use SolarWinds

So can we now please stop calling it “SolarWinds” or any other of the silly names to do with the sun. It appears that those who developed the SolarWinds product were as much as a victim as abyone else.

Further other new evidence suggests that China may well be involved…

All of which should tell you two things,

1, Do not believe what politicians spout out.
2, Wait upon the evidence.

As I’ve pointed out before a US politician flapped their gums, without any evidence, it was obvious they had no evidence and the industry did not conspire with them this time. As for the rest of the paid from the public purse establishment, they supported the idiot politician, which legaly makes them all liers, colabarators, conspiritors, or as stupid as the idiot politician, take your choice.

The truth of the mater is even after a month of technical investigation we still know very little or nothing about the “Who?, What?, Why?” questions, which are rather more important than the “shutting the stable door after the horse has bolted” technical results. OK it will be a fifth task of Hercules effort to clean up the mess, but whilst you are shoveling the crap out the door it would be more important to know who to lookfor trying to come back in the front door, to crap all over the place again.

Much of what I see is Microsoft trying to sell it’s defender product… But ask yourself a question, what privileges dors it require on each and every machine, and what would happen if these unknown attackers had got at Microsots products?

You don’t want to be letting a snake in to get rid of a rat.

Which is exactly how this whole problem started in the first place…

But I still want to know who put the “bug-door” in and from whom the direction came, I suspect that certain people will have egg all over their face if that comes out.

Who subsequently found it then used it is of less interest to me as my personal systems have been mitigated from such attacks, by solid more easily verified techniques originaly developed half a century ago and steadily improved down the decades.

Not being nasty but more than three decades ago people were saying perimeter defence by firewall was not a very good idea, because once inside the firewall life is relatively easy.

It’s the “elephant in the room” issue as to why Phishing Attacks and drive by on BYOD smart devices have moved to the top of the attack of choice lists, as you in effect you “invite the attackers through your door to walk around and take what they want”.

As a result it’s also time to drop those “Top Ten Best Practice” articles they are rarely supported by science and in effect prove that,

1, It’s a target rich environment.
2, Some targets are not as attractive as others.
3, Most are actually attacked on the equivalent of a random throw of the dice.

So not what those who rent out high priced security systems realy want you hearing…

Clive Robinson February 3, 2021 12:10 PM

@ OneAnonTechie,

I am not aware of any automated system which can detect hacked code all the time.

You never will become aware of one that does, and if somebody tells you they’ve got one just show them the door.

Before electronic computers existed back in the 1930’s Alan Turing and Alonzo Church both showed “The halting problem” could NOT be solved.

Likewise in the same time period Kurt Gödel published a couple of papers on issues to do with logic systems that under pin systems like mathmatics, but also computers.

They both tell you the same thing, there is no way you can have an automated system to 100% detect bad behaviour / code, let alone malicious code. Nor can you have a computer check it’s self so AV and other detection systems can not ever be 100%.

And if you think about the single Turing Engine that most computers are at heart,

1, They only tell you what they are programed to tell you.
2, An attacker can change any location in memory they like so can get the comouter to say good is bad and bad is good or anything in between under rule 1.
3, If you ask the computer to check it’s memory see rule 2 it will tell you what it’s been told to tell you by rule 1.

I could go on, and I have done on this blog in the past at some length.

The point is if there was the worst possible way to go about things when it comes to detecting malicious behaviour, the way we do it now must be fairly close to it.

SpaceLifeForm February 3, 2021 10:47 PM

@ Ken Thompson

Totally agree.

There are some more flaws found with SolarWinds software that need to be patched by 2021-02-09. Yes, in less than one week. Then PoCs will be released.

The FTP one is mind-bogglingly stupid.

If SolarWinds was eating their own dogfood, that would be the exploit to use. Braindead stupid.

hx tps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/

SolarWinds Serv-U FTP Vulnerability (CVE-2021-25276) – FTP Server: Let Me Add an Admin User for Myself

Finally, I took a quick look at another SolarWinds product called Serv-U FTP for Windows. It turns out that the accounts are stored on disk in separate files. Directory access control lists allow complete compromise by any authenticated Windows user. Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem.

ResearcherZero February 7, 2021 1:42 PM

That’s how Office 365 and Azure AD is designed to work, the Service Principal is the security object that can actually have privileges in the Azure Directory. Assign a certificate to a service principal and then log in as that service principal.
hxxps://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

ResearcherZero February 8, 2021 9:51 AM

There are similarities with Kazuar which may hint at it’s development.

Epic Turla has similar sophisticated multi-stage infection. Epic Turla is used to gain a foothold and validate high profile victims. If the victim is interesting, they get upgraded to the Turla Carbon system.

“Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the backdoors.

Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms.”
htxxps://securelist.com/the-epic-turla-operation/65545/

Highly complex espionage software with Russian roots
hxxps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082353/GData_Uroburos_RedPaper_EN_v1.pdf

“This malware shares some similarities with “Uroburos” [3], a rootkit used by the same group. The most relevant resemblance is the communication framework. Indeed, both of them provide communication channels between different malware components. The communication objects are implemented in the same way, the structures and vtables look identical except that there are fewer communication channels provided in Carbon. Indeed, Carbon might be a “lite” version of Uroburos (without kernel components and without exploits).”
htxxs://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

“Accenture researchers recently identified novel command and control (C&C) configurations for Turla’s Carbon and Kazuar backdoors on the same victim network.

HyperStack, first observed in 2018, is one of several RPC backdoors Turla uses.

Based on references to the internal C&C node, the October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network via an internet-facing shared network location. This set-up allows Turla operators to communicate with Kazuar-infected machines in the victim network that are not accessible remotely.

Another recently analyzed sample of Kazuar from the same victim network had a traditional C&C implementation where the implant communicates directly with a C&C server located outside the victim network. The C&C URLs correspond to compromised legitimate websites for Turla to proxy commands and exfiltrate data to Turla backend infrastructure.

The HyperStack backdoor first copies itself to C:\ADSchemeIntegrity.exe and then installs itself with system-level privileges as the service Active Directory Scheme Integrity Service.

A sample identified in September 2020 has updated functionality which appears to be inspired the RPC backdoors previously publicly disclosed by ESET and Symantec Researchers as well as with the Carbon backdoor. Based on these similarities, we assess with high confidence that HyperStack is a custom Turla backdoor.”
hxxps://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.