Stellar Cyber - Vendor Advisory for SolarWinds Orion Products - Countermeasure guidelines

Stellar Cyber - Vendor Advisory for SolarWinds Orion Products - Countermeasure guidelines


December 2020



Detect SolarWinds SUNBURST Backdoor

with Stellar Cyber Open-XDR Platform




On December 13 2020, multiple vendors such as FireEye and Microsoft reported emerging threats from a nation-state threat actor who compromised SolarWinds, and trojanized SolarWinds Orion business software updates in order to distribute backdoor malware called SUNBURST. Because of the popularity of SolarWinds, the attacks have affected multiple government agencies and many Fortune 500 companies. It also appeared in the recent CISA Emergency Directive 20-01. Given its importance, we would like to provide a quick response and suggestions for you to deal with this critical threat.



1.       Mitigate SolarWinds Orion Supply Chain Compromise


CISA Emergency Directive 20-01 provides very good suggestions on how to mitigate the SolarWinds Orion supply chain compromise.  You first need to identify whether you are running the affected version of SolarWinds Orion products (2019.4 through 2020.2.1 HF1). Any hosts managed by such software should be considered as compromised based on the CISA

suggestions.



2.       Detect Suspicious Network Communications


We have already incorporated the threat intelligence of SUNBURST into our platform.


2.1 Network Level IoCs


SUNBURST employs a complex, multi-staged mechanism to connect to a C2 (Command & Control) channel. It first connects to a domain with assvmcloud.comas the TLD. The domain resolves and returns a CNAME to another malicious domain, then to the IP address. We have incorporated the IoCs in terms of domains and IP addresses in our emerging threat intelligence and pushed through the Stellar Cyber cloud. Every customer already has the update automatically. If any IP address or domain matches the IoC from threat intelligence, we will enrich the Interflow record and the corresponding IP address with the following fields in the traffic index:



•   dstip_reputation: emerging_threat

•    dstip_reputation_source: SolarWinds_Backdoor


With that, you can create an ATH (Automated Threat Hunting) rule to run a customized detection for such C2 alerts (our customer support team can also help with that).


Data ingestion that can trigger domain reputation


•   network sensor

•   security sensor


Data ingestion that can trigger IP address reputation:


•   network sensor

•   security sensor

•   Windows event log/Sysmon

•   firewall connection logs


2.2 IDS Signatures


From our threat intelligence sources, we have also incorporated the IDS signatures into our security sensors to detect suspicious SolarWinds Orion communications with SUNBURST. Every customer already has the update automatically.


Look for:


ids.signature:SUNBURST


in the ML-IDS/Malware index.


With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).


Data ingestion that can trigger IDS signatures: security sensor.



3.       Detect Suspicious Signals on the Hosts


There are also different signals we can detect based on the host-level data.


3.1 Windows Event Log from Sysmon


If you have configured Sysmon to capture event 17 & 18, you can run the following query in the

Windows Event index to capture possible malicious behavior related to the Windows pipe.


(event_id:17 OR event_id:18) AND log_name: "Microsoft-Windows-Sysmon/Operational " AND

event_data.PipeName: "583da945-62af-10e8-4902-a8f205c72b2e "


With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).


Data ingestion requirement: Sysmon with event 17 & 18 turned on.


3.2 EDR Alert Ingestions


EDR software, such as CrowdStrike, Carbon Black, etc. might already detect host-level IoCs for SUNBURST. If data ingestion is properly configured, you can also view the EDR alerts in Starlight and correlate with the other signals.



4.       Detect Suspicious Lateral Movement


Given that SUNBURST might penetrate to many different enterprises, the attacker might use different ways to establish persistent footholds and lateraly move to attack different targets in different enterprises. Detecting lateral movement is crucial.


4.1 Lateral Movement to Azure AD


As shown in the report from Microsoft, the attackers might use the SUNBURST backdoor to target Azure AD, through capturing password or forged SAML tokens. You can convert the following queries to ATH rules (our customer support team can also help with that).


(1) New Service Principals:


msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal"


(2) Credentials and certificates added to Apps or Service Principals:


msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal credentials"


(3) Permissions and role assignments added to Apps or Service Principals:


msg_class:azure_ad_audit AND activityDisplayName.keyword:("Add app role assignment to service principal" OR "Add delegated permission grant" OR "Add application")


(4) Apps modified to allow multi-tenant access:


msg_class:azure_ad_audit AND activityDisplayName.keyword:"Update application" AND operationType.keyword:"Update" AND result.keyword:"success" AND targetResources.modifiedProperties.displayName.keyword:"AvailableToOtherTenants"


(5) Changes to Azure AD Custom Domains:


msg_class:azure_ad_audit AND (activityDisplayName.keyword:"Add unverified domain" OR

activityDisplayName:"domain")


Data ingestion requirement: Azure AD audit log.




4.2 Lateral Movement Through RDP


The threat research from Splunk shows that RDP might be used in lateral movement with SUNBURST. In Starlight 3.10.0 we developed 10 RDP-related detections that can help identify the RDP-related lateral movement (and RDP attacks in general).


Data ingestion requirement:


•   network sensor

•   security sensor

•   and/or Windows event log




4.3 Other Lateral Movement Detection Suggestions


Overall, SUNBURST might establish permanent footholds inside enterprises, which might create more signals with lateral movement.


You can search the historical data stored in Starlight for IoCs or suspicious activity from hosts with SolarWinds Orion installed. For example, search for "dstip_host:*avsvmcloud* OR metadata.request.query: *avsvmcloud* in Traffic data prior to 12/13/2020 to see whether any hosts were already involved in SUNBURST C2.


Moreover, you can filter the alerts with the global query "srcip_type:private AND dstip_type:private", so you can pay more attention to the internally generated alerts and identify potential internal network signals.



5.       Conclusions


Through research on SUNBURST, we quickly developed some ideas you can use to detect SUNBURST using Starlight. We are constantly working on threat research and will release more up-to-date information and additional detections when it becomes available. Stay tuned!




    • Related Articles

    • ATT-Alienvault-Advisory

        SolarWinds Orion Supply Chain Attack                        Detections in AT&T Unified Security Management™ and IoCs in the AT&T Alien Labs Open Threat Exchange™ December 16, 2020, 11:15am (CST) TLP: Amber Dear USM Customer, The details of this ...
    • Centers Of Excellence Overview

      Centers Of Excellence Overview The cyber security industry consists of 100's of manufacturers that have generated 1000's of security solutions. While many of these solutions overlap in purpose and functionality each have their own specifics related ...
    • AWS Cloudtrail Integration Guide With Breach Detection

      Overview AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS ...
    • Syslog Forwarding - Breach Detection System - Ports To Send To

      Firewall Ports to Open for Log Ingestion Network and security sensors require open inbound UDP ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor, so you must ...
    • CyFlare SOC In a Box Quick Start Guide

      Deployment Overview Your appliance has been pre-configured based on the information provided at the time of your order for rapid deployment into your environment. The deployment consists of the following high level steps: Configure Firewall Rules ...