Try   HackMD

SUNBURST / Solorigate Writeups & Major Points

Bit's and bytes yet left to document here
  • Volexity post on SAML golden ticket
  • Microsoft's view on the matter

Timeline

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
(Source: A Timeline Perspective of the SolarStorm Supply-Chain Attack)

TTP Overview

Detection

References & Publications

08/12/2020

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community

Recently, Fireeye was attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead Fireeye to believe it was a state-sponsored attack. Fireeye's number one priority is working to strengthen the security of Fireeye customers and the broader community. Fireeye hopes that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber attacks. During this attack Fireeye's red team tools were stolen.

To empower the community to detect these tools, Fireeye are publishes countermeasures to help organizations identify these tools if they appear in the wild. In response to the theft of Fireeye's Red Team tools, Fireeye have released hundreds of countermeasures for publicly available technologies like OpenIOC, Yara, Snort, and ClamAV.

FireEye Red Team Tool Countermeasures

09/12/2020

Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools

“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers” << this is the critical sentence. “Primarily sought information related to certain government customers”. Not “primarily sought hacking tools

thaddeus e. grugq (@thegrugq)

13/12/2020

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor

tags: detection ttp

Worth reading atleast for the solid detection advice - which can be generally applicable.

Main Takeaways

  • FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware.
  • Actor tracked as UNC2452/DarkHalo.
  • Employed malware is tracked as SUNBURN/Solorigate.
  • This campaign may have begun as early as Spring 2020 (starting at least from March 2020).
  • IOCs are available at SunBurst Countermeasures and developments (including additional IOCs) can be tracked at OTX

  • Fireeye SUNBURST Report After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

    • 12-14 Days dwell time (checked on execution - by comparing current time to the filesystem write time).
    • Command and control traffic masquerades as the legitimate Orion Improvement Program
    • Code hides in plain site by using fake variable names and tying into legitimate components
    • Tries to resolve api.solarwinds.com to test the network for connectivity.
  • Co-occurs with COSMICGALE and SUPERNOVA malwares, but yet to be proven conected to them.
  • The attackers deployed a previously unseen memory-only dropper Fireeye dubbed TEARDROP to deploy Cobalt Strike BEACON.
  • The actor sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.

    Fireeye SUNBURST Report The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP Scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.

    • DGA encoded machine domain name, used to selectively target victims
    • A userID is generated by computing the MD5 of a network interface MAC address that is up and not a loopback device, the domain name, and the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid.
    • Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name.

      Fireeye SUNBURST Report Records within the following ranges will terminate the malware and update the configuration key ReportWatcherRetry to a value that prevents further execution:

      • 10.0.0.0/8
      • 172.16.0.0/12
      • 192.168.0.0/16
      • 224.0.0.0/3
      • fc00:: - fe00::
      • fec0:: - ffc0::
      • ff00:: - ff00::
      • 20.140.0.0/15
      • 96.31.172.0/24
      • 131.228.12.0/22
      • 144.86.226.0/24
  • The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.
  • The attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials.

    Fireeye SUNBURST Report The credentials used for lateral movement were always different from those used for remote access.

  • Fireeye SUNBURST Report The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Fireeye SUNBURST Report This campaign’s post compromise activity was conducted with a high regard for operational security, in many cases leveraging dedicated infrastructure per intrusion. This is some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust.

14/12/2020

tags: detection

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
A really nice overview from Nick Carr, including some solid, and less talked about, detection advice.

So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?

Start here: https://fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

But then what?? Let’s talk about some post-compromise techniques

Nick Carr (@ItsReallyNick)

tags: pdns intel

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
A twitter post by Brian Krebs, alleging, based on PDNS data that the SUNBURST backdoor was first deployed on 22/03/2020 at the earliset.

Researchers at @oscontext say the first traffic they saw to the malware controllers in the SolarWinds infrastructure was on 4/4/2020. Fireeye said the malware was config'd to sleep for 2 weeks post-install. Suggests first targets were hit sometime in March

Brain Krebs (@briankrebs)

15/12/2020

Microsoft and industry partners seize key domain used in SolarWinds hack

tags: mitigation

Catalin Cimpanu An overview of a protective action taken by Microsoft & FireEye to sieze the domain used by SUNBURN to create a killswitch & a sinkhole.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

16/12/2020

tags: pdns intel

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
QiAnXin Technology published a way to decode the SUNBURST DGA sub-domains, thus creating a probable victim list (or at least a partial list of domains SUNBURST was deployed to).

By decoding the #DGA domain names, we discovered nearly a hundred domains suspected to be attacked by #UNC2452 #SolarWinds, including universities, governments and high tech companies such as @Intel and @Cisco. Visit our github project to get the script.

https://github.com/RedDrip7/SunBurst_DGA_Decode RedDrip Team (@RedDrip7)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Full decoded list

https://intelx.io/?did=68ef7949-8ebd-4cfb-98ad-7eda25f26cc5
(Based on DGA sub-domains gathered by bambenek, based on Open-Source Context & Farsight. And some important notes on how this list was generated [and the limits of PDNS])

tags: ttp

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
A Twitter thread by Checkpoint's Itay Cohen - highlighting some more OPSEC aspects of SUNBURN, this time describing their approach to avoid the SolarWinds network itself.

The attackers behind the #SUNBURST malware put a lot of effort into trying to avoid detection by analysts and security vendors. Not only this, but they also tried to make sure to stay under the radar of #SolarWinds developers and employees. A thread >> Itay Cohen (@megabeets_)

SunBurst: the next level of stealth

tags: ttp

Tomislav Peričin ReversingLabs' research into the anatomy of this supply chain attack unveiled conclusive details showing that Orion software build and code signing infrastructure was compromised. The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed and delivered through the existing software patch release management system.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Analysis of metadata (especially timestamps) & decompiled code for various versions of SolarWinds.Orion.Core.BusinessLayer.dll to forensically support the claim that Orion software build and code signing infrastructure was compromised, and source code was directly modified to include the malicious backdoor.

18/12/2020

Hackers last year conducted a 'dry run' of SolarWinds breach

tags: intel

Kim Zetter Some additional details about the SolarWinds breach time line and the way the FireEye breach was discovered.

Main Takeaways

  • The SolarWinds compromise -
    • Probaly started mid-2019 at the latest
    • Test run of backdooring capability during October 2019
  • The breach of FireEye's systems was discovered after the hackers enrolled a device into FireEye’s multifactor authentication system, which FireEye employees use to remotely sign into the company’s VPN.

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Microsoft 365 Defender Research Team Microsot's investigation into the SUNBURST basckdoored DLL

Main Takeaways

  • Read the article & extarct main takeaways

Sunburst: connecting the dots in the DNS requests

tags: intel pdns

Igor Kuznetsov, Costin Raiu - Kaspresky GReAT Knowing that the DNS requests generated by Sunburst encode some of the target’s information, the obvious next step would be to extract that information to find out who the victims are!

Main Takeaways

  • In depth discussion of the various way to decode SUNBURST DGA subdomain

    A script do decode SUNBUSRT DGA domains released to GitHub by Igor Kuznetsov.

  • A method to get probable 2nd-stage victims identities by using UID decoded from the 1st-stage DGA domains, with decoded 2nd-stage DGA domains.
  • Rare public statement on the [lack of ] forensic evidence that allow attribution to APT29/Cozy Bear.
  • Some statements in relation to why the detection of SUNBURST was so hard
    • The slow communication method [].
    • The other one is the lack of x86 shellcode;
    • [] there was no significant change in the file size of the module when the malicious code was added= [].

23/12/2020

A Timeline Perspective of the SolarStorm Supply-Chain Attack

tags:

[name=]

Main Takeaways

  • Read the article & extarct main takeaways
Last changed by 
Michael Genkin
An opinionated geek. Willing to embrace chaos. A jack of many trades, a master of some.
0
666

Read more

Cloud Security Engineer Learning Path

AZ-500 Courses :::spoiler :::info Pluralsight - Microsoft Azure Security Technologies (AZ-500):exclamation: Please Note that some courses appear as "Comming Soon" in the path page, but actually are already available on the site and can be accessed by using search. Udemy - AZ-500: Microsoft Azure Security Technologies Microsoft Learn:exclamation: Please Note that this document is based in part on the learning paths listed below. The links for the path themselves are provided for completeness sake, but it&apos;s recommended to complete the different Microsoft Learn modules that are a part of the below paths in the order outlined here:::spoiler Learning PathsThreat Modeling Security Fundamentals Manage identity and access in Azure Active Directory Implement resource management security in Azure Implement network security in Azure

Dec 14, 2023
Secure Development Workshop Notes

[TOC] SDLC Overview Threat Modelling Introduction to Microsoft&#xAE; Security Development Lifecycle (SDL) Threat Modeling {%pdf https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf %} {%slideshare AdamEnglander/threat-modeling-for-dummies-cascadia-php-2018 %}

Jun 26, 2021
COVID-19 Virtual Conferences & Webinars

In addition to causing a massive movement of the work force to working from, the social-distancing meausures required to flatten the curve are also forcing multiple infosec conferences to go all virtual, and cause a boom of webinars. This note will try to list as many of them as possible - in order to promote and make this great form of infosec education accessible.

Oct 2, 2020
Threat Hunting

[TOC] OSINT & Recon Attack infrastructure is often easy to identify, appearing like a shell of a legitimate server thus we will need to take additional steps with our infrastructure to increase the likelihood of blending in with real servers, and keep our adversaries (incident responders & blue teams) away - or face the consequences of burned infrastructure (as the following Twit demonstrates). [name=Remco Verhoef (@remco_verhoef)] [time=March 12, 2019] Powershell Empire http(s) listeners have unique signature, can be used to search on @censysio. Using \n newlines instead of \r\n, returning 200 instead of 404 and append extra spaces for non-existing urls. List of found servers added to gist. Redteaming? https://gist.github.com/nl5887/230e10909c8369b9586db76f0b12a400 https://pic.twitter.com/t1eEdufNKt In order to make our steps at obscuring our infrastructure as efficient as possible - a through understanding of the tools incident responders use while hunting for red team infrastructure is required. In the following sections - we&apos;ll cover various such methods, datasets commonly used and go over some additional premiers of when failing to properly obscure one infrastructure let to the burning of the infrastrucre (or even the whole operation).

Sep 29, 2020
Read more from Michael Genkin
Published on HackMD