Advisory	Adversarial Intelligence
Threat Actor	UNC2452 [campaign tracker]
Vector	Supply Chain
Vendor	SolarWinds

A sophisticated threat actor dubbed UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management System. They planted a backdoor [Sunburst] specifically in DynamicLinkedLibrary named SolarWinds.Orion.Core.BusinessLayer.dll, loaded by following .NET executables [based on system configuration]:

• SolarWinds.BusinessLayerHost.exe
• SolarWinds.BusinessLayerHostx64.exe.

This new campaign uses a “memory-only” dropper named TEARDROP to deploy a modified Cobalt Strike Beacon onto the victim for command and control (C2).

The trojanized component is available for download as a part of the following legitimate update:

hxxp://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Command & Control (C2)

C2 communications are safely embedded as part of SolarWinds communication protocol called Orion Improvement Program Protocol, to evade security and as part of operational security. The domain used for C2 is avsvmcloud.com

A Domain Generation Algorithm is used to construct and resolve the subdomain of avsvmcloud.com The malware kills security and forensic services running on the target system, using a block list. The block list contains a list of services linked to AV/EDR/XDR vendors and other forensics related tools. 

The payload connects to the C2 server after connection to the domain api.solarwinds.com is established. The subdomains are linked together with one of the following domains to create hostname to resolve:

• .appsync-api.eu-west-1[.]avsvmcloud[.]com
• .appsync-api.us-west-2[.]avsvmcloud[.]com
• .appsync-api.us-east-1[.]avsvmcloud[.]com
• .appsync-api.us-east-2[.]avsvmcloud[.]com

MITRE Techniques & Tactics

Technique	Tactics
Resource Development	T1584	Compromise Infrastructure
Initial Access	T1195.002	Compromise Software Supply Chain
Execution	T1569.002	Service Execution
Persistence/Privilege Escalation	T1543.003	Windows Service
Defense Evasion	T1027	Obfuscated Files or Information
	T1070.004	File Deletion
	T1553.002	Code Signing
Discovery	T1012	Query Registry
	T1057	Process Discovery
	T1083	File and Directory Discovery
	T1518	Software Discovery
	T1518.001	Security Software Discovery
Command and Control	T1071.001	Web Protocols
	T1071.004	Application Layer Protocol: DNS
	T1105	Ingress Tool Transfer
	T1132.001	Standard Encoding
	T1568.002	Domain Generation Algorithms

 

Impact

Technical Impact

• Renders security systems useless
• Compromise network domain
• Fully undetectable persistence on the victim 

Business Impact 

• Compromises user data and privacy
• Loss of reputation and goodwill
• Loss of share value
• Compliance violations and fine
• Legal actions from the clients

Indicators of Compromise

Hashes/ SHA256

• d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
• 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 
• 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
• ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
• 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 
• 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 
• C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

IP

• 13.59.205.66 
• 54.193.127.66 
• 54.215.192.52 
• 34.203.203.23 
• 139.99.115.204 
• 5.252.177.25
• 5.252.177.21
• 204.188.205.176
• 51.89.125.18
• 167.114.213.199

Mitigation

• Contain/ isolate SolarWinds servers for further investigation
• Restrict internet egress from servers or endpoints that are SolarWinds servers
• Supervision of privileged account on SolarWind servers
• Effective rules for detection are provided in the link below:

https://github.com/fireeye/sunburst_countermeasures