SolarWinds Orion Supply Chain Attack
Detections in AT&T Unified Security Management™ and IoCs in the AT&T Alien Labs Open Threat Exchange™
December 16, 2020, 11:15am (CST)
Dear USM Customer,
The details of this campaign, adversary, and victims are evolving. The information contained in this alert is accurate at the time of publishing. AT&T Cybersecurity will continue to stay abreast of changes, and Alien Labs will continue to update its intelligence accordingly.
In the last week, several announcements have been made regarding increased activity from a sophisticated threat actor that is targeting government agencies, cybersecurity companies, and other high-profile organizations globally. Microsoft and FireEye have reported that they consider the group (thus far dubbed UNC2452 by FireEye) to be nation-state sponsored. According to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 21-01, “SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems.”
FireEye gives additional details in their report, stating that the actor accesses victims via a trojan embedded in updates for SolarWinds’ Orion IT monitoring and management software, which then delivers a backdoor named SUNBURST. In some cases, the backdoor delivers additional, previously unknown payloads. FireEye goes on to suggest the campaign may have started as early as March 2020.
The potential impact of this compromise is significant, considering Orion’s IT management and monitoring software is used by tens-of-thousands of public and private organizations globally. Already, victims are being reported in North America, Europe, the Middle East, and Asia, and FireEye states they anticipate additional victims across verticals and regions.
Relatedly, FireEye announced in a blog published December 8, 2020, that a “highly sophisticated state-sponsored adversary stole its FireEye Red Team tools.” The company went on to say it believes the adversary is still in possession of the tools and that FireEye does not know whether the group intends to use or publicly disclose them. A SecurityWeek article published Monday, Dec. 14, 2020, states that the FireEye breach involved the SolarWinds intrusion.
AT&T Alien Labs™ Threat Intelligence and Detections
The AT&T Alien Labs threat intelligence team has published in the AT&T Alien Labs Open Threat Exchange™ on the tactics, techniques, and procedures (TTPs) and IoCs relevant to the SolarWinds compromise and stolen FireEye Red Team tools, including the Yara signatures that FireEye has shared.
The team is updating network detections for these campaigns in the AT&T Unified Security Management™ (USM™) platform, including USM Anywhere™ and USM Appliance™, which is also the platform used for AT&T Managed Threat Detection and Response. Please reference the following pages for updating USM Appliance™ and updating USM Anywhere™. Threat intelligence updates to date include:
- Network IDS signatures shared by FireEye, which were published on Monday, Dec. 14, 2020.
- Yara signatures from FireEye are being tested as well, and they will be published the week of December 14, 2020. (These signatures have already been published in OTX.)
- New correlation rules based on the recently published information by Microsoft on the adversary TTPs related to Microsoft Azure Active Directory Domain Services.
- New correlation rule to detect a modified version of adfind.exe
- New correlation rule to detect Get-PassHashes in PowerShell logging events
- New correlation rule for Exploit Guard events
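As an added illustration of two behaviours in the list above (not the USM correlation rules themselves, whose logic is not published here), the following Python applies a renamed/modified AdFind detection and a Get-PassHashes detection to constructed Windows event records resembling Security 4688 (process creation) and PowerShell 4104 (script block) events. The AdFind switch list and the sample events are assumptions made for the example.

```python
"""Illustrative detections for two behaviours named in the update list above.

Added example, not the USM correlation rules themselves (their logic is not
published on this page). Event records are constructed to resemble Windows
Security 4688 (process creation) and PowerShell 4104 (script block) events.
"""
import re

# AdFind keeps its switches and LDAP filters even when the binary is renamed
# or otherwise modified, so the command line is the stable thing to match on.
# The switch list is illustrative, not exhaustive (assumption).
ADFIND_SWITCH = re.compile(r"(?i)\s-(?:f|b|h|sc)\s")
LDAP_FILTER = re.compile(r"(?i)\(?(?:objectcategory|objectclass|samaccountname|name)=")
PASSHASHES = re.compile(r"(?i)\bGet-PassHashes\b")


def rule_adfind(event):
    """Process creation with AdFind-style arguments; escalate when the image is not adfind.exe."""
    if event.get("EventID") != 4688:
        return None
    cmd = event.get("CommandLine", "")
    if not (ADFIND_SWITCH.search(cmd) and LDAP_FILTER.search(cmd)):
        return None
    image = event.get("NewProcessName", "").lower()
    if image.endswith("\\adfind.exe"):
        return {"rule": "adfind-discovery", "severity": "medium"}
    return {"rule": "renamed-adfind", "severity": "high"}


def rule_passhashes(event):
    """PowerShell script block logging (4104) whose text contains Get-PassHashes."""
    if event.get("EventID") != 4104:
        return None
    if PASSHASHES.search(event.get("ScriptBlockText", "")):
        return {"rule": "get-passhashes", "severity": "high"}
    return None


RULES = (rule_adfind, rule_passhashes)


def run_rules(events):
    """Apply every rule to every event; return one hit per matching event, in event order."""
    hits = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                hit.update(event_id=event.get("EventID"), host=event.get("Computer"))
                hits.append(hit)
                break
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": r"C:\Windows\Temp\csrss.exe",
     "CommandLine": r'csrss.exe -h corp.example.local -f (name="Domain Admins") member -list'},
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4104, "Computer": "DC01",
     "ScriptBlockText": r"Import-Module .\Get-PassHashes.ps1; Get-PassHashes"},
    {"EventID": 4104, "Computer": "DC01",
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 4688, "Computer": "ADMIN01", "NewProcessName": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer -dn"},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The mismatch between the image name and AdFind-style arguments is the signal worth alerting on at high severity; AdFind run under its own name is common administrative discovery and should be tuned per environment rather than treated as compromise on its own.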
The Alien Labs team will continue to update detections in the USM platforms as these campaigns progress and new information is published by CISA and other leading security vendors.
If you are an AT&T Managed Threat Detection and Response (MTDR) customer who has questions about any of these detections, please reach out to your SOC team.
USM customers should visit AT&T Cybersecurity’s Success Center or visit the AT&T Cybersecurity Support page for contact information.
AT&T Alien Labs Customer Recommendations
Based on the information released so far, this threat actor has potentially been compromising systems since March 2020 (and perhaps longer, based on the infrastructure and domain registration dates). Therefore, Alien Labs recommends that customers take the following precautionary actions at a minimum; for more information, customers should reference CISA Emergency Directive 21-01.
AT&T Managed Threat Detection and Response customers should reach out to your SOC team immediately if you have reason to believe your infrastructure is at risk or has been compromised.
For USM customers:
- Isolate: If you are a SolarWinds Orion customer, Alien Labs highly recommends isolating the SolarWinds infrastructure and moving to incident response (IR) mode. If you need assistance with IR, reach out to AT&T Cybersecurity Consulting, which offers IR services, 1.866.599.1422.
- Investigate: In USM, search your systems for artifacts of the malware associated with the SolarWinds compromise and stolen FireEye Red Team tools, using IoCs associated with both and the Pulse ID search capability (example shown in figure 1).
Figure 1: USM showing a search using pulse_id.
- Monitor: Monitor your Microsoft Defender detections for Trojan:MSIL/Solorigate.B!dha (Microsoft’s detection name for the SUNBURST backdoor).
- Validate: If you suspect that your organization has been compromised, validate by locating SolarWinds.Orion.Core.BusinessLayer.dll (the trojanized Orion component) and scanning it with FireEye’s Yara signatures at https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar, and check for the presence of C:\WINDOWS\SysWOW64\netsetupsvc.dll. Note that a clean Orion installation also contains SolarWinds.Orion.Core.BusinessLayer.dll, so the file’s presence alone is not evidence of compromise; a hash or Yara match is.
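The Validate step above, as an added host-triage script (not AT&T’s or FireEye’s code): it locates every copy of SolarWinds.Orion.Core.BusinessLayer.dll under the given roots, streams each through SHA-256 for comparison against a caller-supplied list of published SUNBURST hashes, checks the netsetupsvc.dll path, and optionally runs a downloaded copy of all-yara.yar over what it found via yara-python. No known-bad hashes are embedded here; the `demo()` function builds a constructed directory tree with a fake DLL so the script runs offline.

```python
"""Host triage for the Validate step: find the Orion business-layer DLL, hash it for
comparison with published SUNBURST hashes, check the netsetupsvc.dll drop path, and
optionally run FireEye's all-yara.yar over what was found.

Added example, not AT&T's or FireEye's code. No known-bad hashes are embedded: pass
them in from FireEye's sunburst_countermeasures repository. Works on a live host or
on a mounted disk image.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ORION_DLL = "solarwinds.orion.core.businesslayer.dll"
# Path named in the advisory's Validate step.
NETSETUPSVC = Path(r"C:\WINDOWS\SysWOW64\netsetupsvc.dll")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_orion_dlls(roots):
    """Yield every copy of the Orion business-layer DLL under roots (case-insensitive)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == ORION_DLL:
                    yield Path(dirpath) / name


def triage(roots, known_bad_sha256=(), netsetupsvc=NETSETUPSVC, yara_rules=None):
    """Return a report dict. Presence of the DLL alone is not evidence; a hash or YARA hit is."""
    known_bad = {h.lower() for h in known_bad_sha256}
    report = {"orion_dlls": [], "netsetupsvc_present": Path(netsetupsvc).exists(), "yara_matches": []}
    for dll in find_orion_dlls(roots):
        digest = sha256_of(dll)
        report["orion_dlls"].append({"path": str(dll), "sha256": digest, "known_bad": digest in known_bad})
    targets = [d["path"] for d in report["orion_dlls"]]
    if report["netsetupsvc_present"]:
        targets.append(str(netsetupsvc))
    if yara_rules and targets:
        try:
            import yara  # yara-python; optional dependency
        except ImportError:
            report["yara_error"] = "yara-python not installed; run the yara CLI instead"
        else:
            rules = yara.compile(filepath=str(yara_rules))
            for target in targets:
                for match in rules.match(target):
                    report["yara_matches"].append({"path": target, "rule": match.rule})
    return report


def demo():
    """Run triage over a constructed tree with a fake DLL (not a real Orion install)."""
    base = Path(tempfile.mkdtemp(prefix="orion-triage-"))
    fake = base / "SolarWinds" / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
    fake.parent.mkdir(parents=True)
    fake.write_bytes(b"MZ constructed sample bytes, not a real PE")
    # Treat the constructed file's own digest as "published bad" to exercise the flag.
    return triage([base], known_bad_sha256=[sha256_of(fake)], netsetupsvc=base / "netsetupsvc.dll")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a live Orion server the call would look like `triage([r"C:\Program Files (x86)\SolarWinds\Orion"], known_bad_sha256=[...], yara_rules="all-yara.yar")`, with the hashes copied from FireEye’s repository; the install path is the usual default and is an assumption, so pass the actual install root if it differs. Preserve the DLL and its hash in your IR notes before any remediation touches the host.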
As a final note, remember that this is an ongoing and developing situation; Alien Labs will continue to update its threat intelligence as we find additional, relevant information.
Updated IoCs in AT&T Alien Labs Open Threat Exchange™
Finally, you can find additional shared threat intelligence on the AT&T Alien Labs Open Threat Exchange™. The community immediately began publishing information on these campaigns, including countermeasures and indicators of compromise (IoCs), in the portal. As of the publishing of this article, approximately 3,000 indicators and 250 pulses (instances of shared threat intelligence) have been published to the community on the FireEye breach. The community has also begun publishing on the SolarWinds intrusion campaign, including IoCs related to SUNBURST.
The Open Threat Exchange is among the largest, open threat-sharing communities in the world, with more than 140,000 members globally contributing threat intelligence information daily. Approximately one-third of the community downloads threat intelligence catalogued in OTX through the OTX DirectConnect API for use in their security platforms.
If you are not an AT&T Cybersecurity customer, you can still make use of OTX and the catalogued IoCs associated with these campaigns. Here’s how:
- Become an OTX member and download the IoCs catalogued in OTX to your threat detection and monitoring platform through the OTX DirectConnect API.
- Go threat hunting with OTX Endpoint Security™, a free threat-scanning service in OTX that allows you to quickly identify malware and other threats by scanning for the presence of IoCs catalogued in OTX.
- Use OTX to submit suspicious files and URLs for analysis by Alien Labs to quickly detect suspected malware and malicious activity. Read more about OTX threat analysis here.