In this post, we will summarize news on the SolarWinds hack from FireEye’s perspective.

Dec 8, 2020 [1, 2]

  • Announced breach, including theft of red-team tools
  • (Most) red-team tools were previously released as open-source
  • Tools did not include any zero-day vulnerabilities
  • Released rules (signatures) to the public that detect the attack’s components
  • Announced ongoing cooperation with Microsoft
  • Indicated that attackers were after information on FireEye’s government customers
  • Asserted that the attackers were state-sponsored, sophisticated and well-resourced

Dec 13, 2020 [3, 4]

  • Named attackers as UNC2452
  • Named SolarWinds’ Orion product as the carrier for the “supply chain” attack
  • Named the carried malware (previously unseen) as SUNBURST
  • Named another (previously unseen) component as TEARDROP - a memory-only dropper
  • Recognized yet another malware component (app_web_logoimagehandler.ashx.b6031896.dll) but did not refer to this component by name in the blog posts
    • SUPERNOVA is listed in the published IOC list [5]
    • SUPERNOVA was eventually found to be unrelated to SUNBURST [6]
    • A report from Palo Alto Networks [7] on Dec 17 also calls this component SUPERNOVA
    • An undated report from Guidepoint Security also refers to the malware DLL as SUPERNOVA
    • Bleeping Computer refers to the Palo Alto and Guidepoint reports above on Dec 21 [8] when using the term SUPERNOVA
    • Only a small number of Orion installations were found to have SUPERNOVA; however, this may have been because a different nation-state actor used the time between Dec 8 and Dec 13 to remove traces of SUPERNOVA [9]
  • Recognized yet another malware component (a PowerShell script) called COSMICGALE but did not refer to this component by name in the blog posts
    • COSMICGALE is listed in the published IOC list [5]
    • COSMICGALE was eventually found by SANS (Feb 3, 2021) to be unrelated to SUNBURST [6]
    • However, other analysts [10] (Jan 25, 2021) claim that COSMICGALE was used by UNC2452 to wipe logs from compromised systems
  • Stated that attackers used a modified Cobalt Strike beacon
  • Released updated signatures to detect attacks based on improved understanding
  • Provided several details on the internals of SUNBURST, TEARDROP, and Cobalt Strike beaconing
  • Indicated that attack campaign may have started as early as Spring 2020
  • Announced cooperation with SolarWinds and FBI

Dec 17, 2020 [11]

  • Provided an explanation of the UNC designation
  • Explained FireEye’s attribution process

Dec 18, 2020 [12]

  • Announced that the Mandiant Advantage threat intelligence feed includes information on UNC2452, SUNBURST, TEARDROP, and Cobalt Strike beaconing

Dec 24, 2020 [13]

  • Provided additional details on SUNBURST’s mechanisms to evade detection; included further information about SUNBURST internals
  • Announced work with GoDaddy and Microsoft to take over one of the DNS domains used by SUNBURST in order to “sinkhole” command-and-control traffic

Jan 12, 2021 [14]

  • Indicated that SUPERNOVA was not related to UNC2452 (although SUPERNOVA does affect SolarWinds Orion)

Jan 19, 2021 [15, 16, 17]

  • Documented methods used by UNC2452 to move from an on-premises compromise via SUNBURST to the Microsoft cloud (Azure)
  • Provided details to implement a post-compromise remediation strategy across on-premises network and Microsoft cloud
  • Released PowerShell script to audit Microsoft Cloud deployment for IOCs

Feb 23, 2021 [18]

  • Indicated that almost 100 experienced people were involved in investigating the SolarWinds Orion based breach at FireEye
  • Claimed that UNC2452 has been on a multi-decade campaign to infiltrate assets in the US
  • Declared that the malware used by UNC2452 had the ability to shut down up to 50 endpoint security agents; it is unclear whether this ability was in SUNBURST or in some other malware used in the attack
  • Advocated for mandatory information sharing on discovering unauthorized intrusions to a central government agency and for separating such reporting from breach disclosures (that carry additional investigation and liability concerns)

Mar 4, 2021 [19]

  • Announced a new second-stage backdoor, SUNSHUTTLE, found in some organizations compromised by UNC2452; as per [20], SUNSHUTTLE was first discovered in Aug 2020 (also see [21])
  • Linked SUNSHUTTLE to UNC2452, but left room for re-evaluation

References

  1. https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html 

  2. https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html 

  3. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 

  4. https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html 

  5. https://github.com/fireeye/sunburst_countermeasures/blob/main/signature_table_of_contents.csv

  6. https://www.youtube.com/watch?v=4X7CDAOPtIs&t=278s

  7. https://unit42.paloaltonetworks.com/solarstorm-supernova/ 

  8. https://www.bleepingcomputer.com/news/security/new-supernova-backdoor-found-in-solarwinds-cyberattack-analysis/ 

  9. https://www.sans.org/webcast/recording/citrix/118640/360305 

  10. https://threatpost.com/breaking-down-joe-bidens-10b-cybersecurity-down-payment/163304/ 

  11. https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html 

  12. https://www.fireeye.com/blog/products-and-services/2020/12/direct-access-to-threat-intelligence-with-mandiant-advantage.html 

  13. https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html 

  14. https://www.brighttalk.com/webcast/7451/462719 

  15. https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html 

  16. https://github.com/fireeye/Mandiant-Azure-AD-Investigator 

  17. https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf 

  18. https://www.youtube.com/watch?v=IPozXgMqMag 

  19. https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html 

  20. https://krebsonsecurity.com/2021/04/did-someone-at-the-commerce-dept-find-a-solarwinds-backdoor-in-aug-2020/ 

  21. https://r-dube.github.io/solarwinds/2021/01/10/federal-agencies.html