UNC2452 Threat Actor Group Threat Intel Advisory

Advisory	Adversarial Intelligence
Threat Actor	UNC2452
Vector	Supply Chain
Vendor	SolarWinds

A sophisticated threat actor dubbed UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management System. They planted a backdoor specifically in DynamicLinkedLibrary named SolarWinds.Orion.Core.BusinessLayer.dll, loaded by following .NET executables [based on system configuration]:

SolarWinds.BusinessLayerHost.exe
SolarWinds.BusinessLayerHostx64.exe.

This new campaign uses a “memory-only” dropper named TEARDROP to deploy a modified Cobalt Strike Beacon onto the victim for command and control (C2). The trojanized component is available for download as a part of the following legitimate update: hxxp://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Command & Control (C2)

C2 communications are safely embedded as part of SolarWinds communication protocol called Orion Improvement Program Protocol, to evade security and as part of operational security. The domain used for C2 is avsvmcloud.com A Domain Generation Algorithm is used to construct and resolve the subdomain of avsvmcloud.com The malware kills security and forensic services running on the target system, using a block list. The block list contains a list of services linked to AV/EDR/XDR vendors and other forensics related tools. The payload connects to the C2 server after connection to the domain api.solarwinds.com is established. The subdomains are linked together with one of the following domains to create hostname to resolve:

.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com

MITRE Techniques & Tactics

Technique	Tactics
Resource Development	T1584	Compromise Infrastructure
Initial Access	T1195.002	Compromise Software Supply Chain
Execution	T1569.002	Service Execution
Persistence/Privilege Escalation	T1543.003	Windows Service
Defense Evasion	T1027	Obfuscated Files or Information
	T1070.004	File Deletion
	T1553.002	Code Signing
Discovery	T1012	Query Registry
	T1057	Process Discovery
	T1083	File and Directory Discovery
	T1518	Software Discovery
	T1518.001	Security Software Discovery
Command and Control	T1071.001	Web Protocols
	T1071.004	Application Layer Protocol: DNS
	T1105	Ingress Tool Transfer
	T1132.001	Standard Encoding
	T1568.002	Domain Generation Algorithms

Impact

Technical Impact

Renders security systems useless
Compromise network domain
Fully undetectable persistence on the victim

Business Impact

Compromises user data and privacy
Loss of reputation and goodwill
Loss of share value
Compliance violations and fine
Legal actions from the clients

Indicators of Compromise

Hashes/ SHA256

d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

IP

13.59.205.66
54.193.127.66
54.215.192.52
34.203.203.23
139.99.115.204
5.252.177.25
5.252.177.21
204.188.205.176
51.89.125.18
167.114.213.199

Mitigation

Contain/ isolate SolarWinds servers for further investigation
Restrict internet egress from servers or endpoints that are SolarWinds servers
Supervision of privileged account on SolarWind servers
Effective rules for detection are provided in the link below:

https://github.com/fireeye/sunburst_countermeasures