About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation state used to install malware that stole sensitive data, the tools provider, SolarWinds, said on Monday.
The disclosure from Austin, Texas-based SolarWinds, came a day after the US government revealed a major security breach hitting federal agencies and private companies. The US Departments of Treasury, Commerce, and Homeland Security departments were among the federal agencies on the receiving end of hacks that gave access to email and other sensitive resources. Federal agencies using the software were instructed on Sunday to disconnect systems that run the software and perform a forensic analysis of their networks.
Security firm FireEye, which last week disclosed a serious breach of its own network, said that hackers backed by a nation state compromised a SolarWinds software update mechanism and then used it to infect selected customers who installed a backdoored version of the company’s Orion network management tool.
The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed on Monday with the Securities and Exchange Commission. SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.
Stealing the master keys
Several factors made Orion an ideal stepping stone into networks coveted by Russia-backed hackers, who over the past decade have become one of the most formidable threats to US cyber security. Mike Chapple, a teaching professor of IT, Analytics, and Operations at the University of Notre Dame, said the tool is widely used to manage routers, switches, and other network devices inside large organizations. The level of privileged access coupled with the number of networks exposed made Orion the perfect tool for the hackers to exploit.
“SolarWinds by its nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool you’re able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”
The hacks are part of what the federal government and officials from FireEye, Microsoft, and other private companies said was a widespread espionage campaign that a sophisticated threat actor was carrying out through a supply chain attack.
In blog post FireEye published Sunday night, the company said it uncovered a global intrusion campaign that used the backdoored SolarWinds’ update mechanism as an initial entryway “into the networks of public and private organizations through the software supply chain.” Publications—including The Washington Post and The New York Times—cited unnamed government officials saying Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB) was behind the compromises.
“Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations,” FireEye officials wrote. “Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.”
In a separate post also published Sunday night, FireEye added: “FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
FireEye went on to say that a digitally signed component of the Orion framework contained a backdoor that communications with hacker-controlled servers. The backdoor, planted in the Windows dynamic link library file SolarWinds.Orion.Core.BusinessLayer.dll, was written to remain stealthy, both by remaining dormant for a couple weeks and then blend in with legitimate SolarWinds data traffic. FireEye researchers wrote:
The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.
Burrowing in further
The Orion backdoor, which FireEye is calling Sunburst and Microsoft calls Solorigate, gave the hackers the limited but crucial access to internal network devices. The hackers then used other techniques to burrow further. According to Microsoft, the hackers then stole signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. Typically abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.
Microsoft’s advisory stated:
- An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.
- An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
- Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
- Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
Supply chain attacks are among the hardest to counter because they rely on software that’s already trusted and widely distributed. SolarWinds Monday-morning filing suggests that Cozy Bear hackers had the ability to infect the networks about 18,000 of the company’s customers. It’s not yet clear how many of those eligible users were actually hacked.
The Department of Homeland Security’s Cybersecurity Infrastructure and Infrastructure Security Agency has issued an emergency directive instructing federal agencies that use SolarWinds products to analyze their networks for signs of compromise. FireEye’s post here lists a variety of signatures and other indicators admins can use to detect infections.