Sunburst Backdoor Detection: Solarwinds Supply Chain Attack on FireEye and US Agencies

Author
Recent Posts

Eugene Tkachenko

Latest posts by Eugene Tkachenko (see all)

LAPSUS$ Digital Extortion Gang Claims Microsoft’s Data Leak: Breach Affected Okta Customers - 23.03.2022
NIGHT SPIDER Zloader Detection: Defend Against Malicious Trojan Activity with SOC Prime - 17.03.2022
Detect Emotet Activity: Infamous Malware Resurfaced to Target Systems Worldwide - 16.03.2022

WRITTEN BY

Eugene Tkachenko

[post-views]

December 14, 2020 · 3 min read

Just a few days after the information about the FireEye data breach appeared, the company published the results of its investigation and details of the Sunburst backdoor (including the technical report and countermeasures), through which the APT group penetrated networks of multiple organizations, and now potentially compromised companies can quickly detect this threat. The scale of the supply chain attack detected is truly impressive: the state-sponsored group compromised SolarWinds Inc. and trojanized updates to Orion IT software that is used by the US military and Government agencies, as well as by 425+ of the US Fortune 500. Adversaries digitally signed the updates and posted them to the SolarWinds updates website during this spring, which left a huge number of companies around the world compromised (SolarWinds’ products are used by 300k+ customers worldwide).

CISA released Emergency Directive to Mitigate the Compromise of the SolarWinds Orion Network Management Products warning about the potential threat imposed by using the SolarWinds Orion products to networks of numerous organizations within public and private sectors.

Sunburst Backdoor Analysis and Detection Content

The Sunburst backdoor hides in SolarWinds.Orion.Core.BusinessLayer.dll. After getting into the system, the backdoor waits for up to two weeks and only then starts its harmful activity. The backdoor is capable of transferring and executing files, profiling the system, disabling system services, and rebooting the machine. The Sunburst backdoor utilizes the Orion Improvement Program protocol and saves collected data to legitimate plugin configuration files, making it extremely difficult to detect malware activity on an organization’s network.

Our SOC Prime Team and in collaboration with Threat Bounty Program developers released Sigma rules based on Sunburst Countermeasures that were published by FireEye on GitHub to detect the Sunburst backdoor and tools related to this attack. The article and the list of rules will be updated. Follow our blog and check out Threat Detection Marketplace for the latest rules for Sunburst backdoor and related threats detection to stay current.

Here’s the list of rules that are currently available:

AD – ADFS DKM Master Key Export (via sysmon)

AzureAD – Security Token Service (STS) Refresh Token Modifications

AD – ADFS DKM Master Key Export (vis security events)

AzureAD – User added to Azure Active Directory Privileged Groups

Dark Halo[UNC2452] Threat Actor Activity Detector

SolarWinds Supply Chain Attack Detector

AzureAD – Adding Permission and Role Assignment for Mail Reading All Mailboxes

AzureAD – Modified Domain Federation Trust Detection

AzureAD – Application Modified to Allow Multi-Tenant Access

Solarwinds Launching Powershell With Base64 Encoding (via cmdline)

Solarwinds launching cmd.exe with echo (via cmdline)

ADFS Adapter Process Spawns (via cmdline)

CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline)

Renamed ADFind (via cmdline)

Suspicious Backup Service Stoppage (via cmdline)

AWS VPC Setting Importance Change Detected

SolarWinds Solarigate Detected (via name pipe)

Solarwinds backdoor C2 host name detected. (via SSL)

Detects possible DarkHalo APT activity (SunBurst BackDoor Operators) via 7Zip archive creation for data exfiltration

FireEye Red Team Tool Hash Detected

AndrewSpecial Hacktool Detected

KeeFarce HackTool Detected

Possible Dark Halo Exchange Reconnaissance Activity (via cmdline)

Solarwinds backdoor C2 host name detected. (via DNS)

Solarwinds backdoor C2 host name detected. (via Proxy)

Possible SUNBURST activity

Possible SuperNova Webshell (via web)

Potential Solarwinds Mimicking (via proxy)

Unusual SolarWinds File Creation (via filewrite)

Unusual SolarWinds Child Process (via cmdline)

Possible get-passhashes / powerdump usage (via powershell)

SolarWinds Supply Side Compromise Indicator (via imageload)

Was this article helpful?

Like and share it with your peers.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free Book a Meeting