Sunburst Backdoor Detection: Solarwinds Supply Chain Attack on FireEye and US Agencies

Just a few days after the information about the FireEye data breach appeared, the company published the results of its investigation and details of the Sunburst backdoor (including the technical report and countermeasures), through which the APT group penetrated networks of multiple organizations, and now potentially compromised companies can quickly detect this threat. The scale of the supply chain attack detected is truly impressive: the state-sponsored group compromised SolarWinds Inc. and trojanized updates to Orion IT software that is used by the US military and Government agencies, as well as by 425+ of the US Fortune 500. Adversaries digitally signed the updates and posted them to the SolarWinds updates website during this spring, which left a huge number of companies around the world compromised (SolarWinds’ products are used by 300k+ customers worldwide).

CISA released an Emergency Directive to Mitigate the Compromise of the SolarWinds Orion Network Management Products, warning about the threat that the use of SolarWinds Orion products poses to the networks of numerous organizations in both the public and private sectors.

Sunburst Backdoor Analysis and Detection Content

The Sunburst backdoor hides in SolarWinds.Orion.Core.BusinessLayer.dll. After getting into the system, the backdoor waits for up to two weeks and only then starts its harmful activity. The backdoor is capable of transferring and executing files, profiling the system, disabling system services, and rebooting the machine. The Sunburst backdoor utilizes the Orion Improvement Program protocol and saves collected data to legitimate plugin configuration files, making it extremely difficult to detect malware activity on an organization’s network.

Our SOC Prime Team, in collaboration with Threat Bounty Program developers, released Sigma rules based on the Sunburst Countermeasures that FireEye published on GitHub to detect the Sunburst backdoor and the tools related to this attack. The article and the list of rules will be updated. Follow our blog and check out Threat Detection Marketplace for the latest rules for Sunburst backdoor and related threat detection to stay current.

Here’s the list of rules that are currently available:

AD – ADFS DKM Master Key Export (via sysmon)

AzureAD – Security Token Service (STS) Refresh Token Modifications

AD – ADFS DKM Master Key Export (via security events)

AzureAD – User added to Azure Active Directory Privileged Groups

Dark Halo [UNC2452] Threat Actor Activity Detector

SolarWinds Supply Chain Attack Detector

AzureAD – Adding Permission and Role Assignment for Mail Reading All Mailboxes

AzureAD – Modified Domain Federation Trust Detection

AzureAD – Application Modified to Allow Multi-Tenant Access

Solarwinds Launching Powershell With Base64 Encoding (via cmdline)

Solarwinds launching cmd.exe with echo (via cmdline)

ADFS Adapter Process Spawns (via cmdline)

CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline)

Renamed ADFind (via cmdline)

Suspicious Backup Service Stoppage (via cmdline)

AWS VPC Setting Importance Change Detected

SolarWinds Solarigate Detected (via named pipe)

Solarwinds backdoor C2 host name detected (via SSL)

Detects possible DarkHalo APT activity (SunBurst BackDoor Operators) via 7Zip archive creation for data exfiltration

FireEye Red Team Tool Hash Detected

AndrewSpecial Hacktool Detected

KeeFarce HackTool Detected

Possible Dark Halo Exchange Reconnaissance Activity (via cmdline)

Solarwinds backdoor C2 host name detected (via DNS)
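To make the logic behind the command-line rules in the list above concrete, here is an added example that is not SOC Prime's code nor any of the Sigma rules themselves: a small Python detector that evaluates four of the listed behaviours (Solarwinds launching PowerShell with base64 encoding, Solarwinds launching cmd.exe with echo, renamed ADFind, and CSRSS.exe spawned from an unusual location) against process-creation records in the shape of Sysmon Event ID 1. The parent process name SolarWinds.BusinessLayerHost.exe is assumed to be the Orion service that loads the backdoored DLL, and all sample events are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed: the Orion service host that loads SolarWinds.Orion.Core.BusinessLayer.dll.
SOLARWINDS_HOST = "solarwinds.businesslayerhost.exe"
SYSTEM32 = "c:\\windows\\system32"  # the only legitimate home of csrss.exe


@dataclass
class ProcessEvent:
    """Fields of a Sysmon Event ID 1 (process creation) record used by the checks."""
    image: str
    command_line: str
    parent_image: str
    original_file_name: str = ""  # PE-header name; survives renaming the file on disk


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _directory(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


# -e, -ec, -en, -enc and the full -EncodedCommand switch, followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def solarwinds_spawns_encoded_powershell(ev: ProcessEvent) -> bool:
    return (_name(ev.parent_image) == SOLARWINDS_HOST
            and _name(ev.image) in ("powershell.exe", "pwsh.exe")
            and ENCODED_FLAG.search(ev.command_line) is not None)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script text behind -EncodedCommand (base64 of UTF-16LE) for triage."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def solarwinds_spawns_cmd_echo(ev: ProcessEvent) -> bool:
    return (_name(ev.parent_image) == SOLARWINDS_HOST
            and _name(ev.image) == "cmd.exe"
            and re.search(r"\becho\b", ev.command_line, re.I) is not None)


def renamed_adfind(ev: ProcessEvent) -> bool:
    # The binary keeps its original PE name even when the file on disk is renamed.
    return (ev.original_file_name.lower() == "adfind.exe"
            and _name(ev.image) != "adfind.exe")


def csrss_unusual_location(ev: ProcessEvent) -> bool:
    return _name(ev.image) == "csrss.exe" and _directory(ev.image) != SYSTEM32


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "Solarwinds Launching Powershell With Base64 Encoding (via cmdline)": solarwinds_spawns_encoded_powershell,
    "Solarwinds launching cmd.exe with echo (via cmdline)": solarwinds_spawns_cmd_echo,
    "CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline)": csrss_unusual_location,
    "Renamed ADFind (via cmdline)": renamed_adfind,
}


def run_detections(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for rule_name, check in RULES.items():
            if check(ev):
                hits.append((i, rule_name))
    return hits


# Constructed sample telemetry: four suspicious records followed by two benign ones.
ORION = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(PS, f"powershell.exe -NoP -enc {ENCODED}", ORION),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c echo "hello" > C:\\Windows\\Temp\\out.txt', ORION),
    ProcessEvent(r"C:\Users\Public\csrss.exe", "csrss.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\Temp\ad.exe", "ad.exe -help",
                 r"C:\Windows\System32\cmd.exe", original_file_name="AdFind.exe"),
    ProcessEvent(r"C:\Windows\System32\csrss.exe", "csrss.exe", r"C:\Windows\System32\smss.exe"),
    ProcessEvent(PS, "powershell.exe -File C:\\scripts\\backup.ps1", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for index, rule_name in run_detections(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[0].command_line))
```

The renamed-ADFind check relies on Sysmon's OriginalFileName field rather than the file name on disk, which is what makes it robust to renaming; the CSRSS check only compares directories, so an attacker-controlled copy placed in System32 would need a different control (file hash or signature).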