December 2020
Detect SolarWinds SUNBURST Backdoor
with Stellar Cyber Open-XDR Platform
On December 13 2020, multiple vendors such as FireEye and Microsoft reported emerging threats from a nation-state threat actor who compromised SolarWinds, and trojanized SolarWinds Orion business software updates in order to distribute backdoor malware called SUNBURST. Because of the popularity of SolarWinds, the attacks have affected multiple government agencies and many Fortune 500 companies. It also appeared in the recent CISA Emergency Directive 20-01. Given its importance, we would like to provide a quick response and suggestions for you to deal with this critical threat.
1. Mitigate SolarWinds Orion Supply Chain Compromise
CISA Emergency Directive 20-01 provides very good suggestions on how to mitigate the SolarWinds Orion supply chain compromise. You first need to identify whether you are running the affected version of SolarWinds Orion products (2019.4 through 2020.2.1 HF1). Any hosts managed by such software should be considered as compromised based on the CISA
suggestions.
2. Detect Suspicious Network Communications
We have already incorporated the threat intelligence of SUNBURST into our platform.
2.1 Network Level IoCs
SUNBURST employs a complex, multi-staged mechanism to connect to a C2 (Command & Control) channel. It first connects to a domain with assvmcloud.comas the TLD. The domain resolves and returns a CNAME to another malicious domain, then to the IP address. We have incorporated the IoCs in terms of domains and IP addresses in our emerging threat intelligence and pushed through the Stellar Cyber cloud. Every customer already has the update automatically. If any IP address or domain matches the IoC from threat intelligence, we will enrich the Interflow record and the corresponding IP address with the following fields in the traffic index:
• dstip_reputation: emerging_threat
• dstip_reputation_source: SolarWinds_Backdoor
With that, you can create an ATH (Automated Threat Hunting) rule to run a customized detection for such C2 alerts (our customer support team can also help with that).
Data ingestion that can trigger domain reputation
• network sensor
• security sensor
Data ingestion that can trigger IP address reputation:
• network sensor
• security sensor
• Windows event log/Sysmon
• firewall connection logs
2.2 IDS Signatures
From our threat intelligence sources, we have also incorporated the IDS signatures into our security sensors to detect suspicious SolarWinds Orion communications with SUNBURST. Every customer already has the update automatically.
Look for:
ids.signature:SUNBURST
in the ML-IDS/Malware index.
With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).
Data ingestion that can trigger IDS signatures: security sensor.
3. Detect Suspicious Signals on the Hosts
There are also different signals we can detect based on the host-level data.
3.1 Windows Event Log from Sysmon
If you have configured Sysmon to capture event 17 & 18, you can run the following query in the
Windows Event index to capture possible malicious behavior related to the Windows pipe.
(event_id:17 OR event_id:18) AND log_name: "Microsoft-Windows-Sysmon/Operational " AND
event_data.PipeName: "583da945-62af-10e8-4902-a8f205c72b2e "
With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).
Data ingestion requirement: Sysmon with event 17 & 18 turned on.
3.2 EDR Alert Ingestions
EDR software, such as CrowdStrike, Carbon Black, etc. might already detect host-level IoCs for SUNBURST. If data ingestion is properly configured, you can also view the EDR alerts in Starlight and correlate with the other signals.
4. Detect Suspicious Lateral Movement
Given that SUNBURST might penetrate to many different enterprises, the attacker might use different ways to establish persistent footholds and lateraly move to attack different targets in different enterprises. Detecting lateral movement is crucial.
4.1 Lateral Movement to Azure AD
As shown in the report from Microsoft, the attackers might use the SUNBURST backdoor to target Azure AD, through capturing password or forged SAML tokens. You can convert the following queries to ATH rules (our customer support team can also help with that).
(1) New Service Principals:
msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal"
(2) Credentials and certificates added to Apps or Service Principals:
msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal credentials"
(3) Permissions and role assignments added to Apps or Service Principals:
msg_class:azure_ad_audit AND activityDisplayName.keyword:("Add app role assignment to service principal" OR "Add delegated permission grant" OR "Add application")
(4) Apps modified to allow multi-tenant access:
msg_class:azure_ad_audit AND activityDisplayName.keyword:"Update application" AND operationType.keyword:"Update" AND result.keyword:"success" AND targetResources.modifiedProperties.displayName.keyword:"AvailableToOtherTenants"
(5) Changes to Azure AD Custom Domains:
msg_class:azure_ad_audit AND (activityDisplayName.keyword:"Add unverified domain" OR
activityDisplayName:"domain")
Data ingestion requirement: Azure AD audit log.
4.2 Lateral Movement Through RDP
The threat research from Splunk shows that RDP might be used in lateral movement with SUNBURST. In Starlight 3.10.0 we developed 10 RDP-related detections that can help identify the RDP-related lateral movement (and RDP attacks in general).
Data ingestion requirement:
• network sensor
• security sensor
• and/or Windows event log
4.3 Other Lateral Movement Detection Suggestions
Overall, SUNBURST might establish permanent footholds inside enterprises, which might create more signals with lateral movement.
You can search the historical data stored in Starlight for IoCs or suspicious activity from hosts with SolarWinds Orion installed. For example, search for "dstip_host:*avsvmcloud* OR metadata.request.query: *avsvmcloud* " in Traffic data prior to 12/13/2020 to see whether any hosts were already involved in SUNBURST C2.
Moreover, you can filter the alerts with the global query "srcip_type:private AND dstip_type:private", so you can pay more attention to the internally generated alerts and identify potential internal network signals.
5. Conclusions
Through research on SUNBURST, we quickly developed some ideas you can use to detect SUNBURST using Starlight. We are constantly working on threat research and will release more up-to-date information and additional detections when it becomes available. Stay tuned!