So SolarWinds Happened…Now What?
No one wants to be the next SolarWinds. The SolarWinds attack was methodical and well planned, but at the end of the day defending against it comes down to implementing and governing security best practices. And, yes, most companies are not equipped or prepared for an attack of this type and this degree of planning. The Russian group Cozy Bear is believed to have executed this software supply-chain attack.
In case you haven’t heard, malicious actors hacked into the IT company SolarWinds and used its software update channel to push malicious updates to 18,000 of its Orion platform customers. This attack scenario is referred to as a supply-chain attack and is perhaps the most impactful and difficult to detect, since it relies on software that is already trusted and can be widely distributed at once. We know this attack currently affects SolarWinds, but the full scope of the attack is not yet known to the security community.
As a result, the hacker group Cozy Bear, believed to be affiliated with the Russian government, gained access to computer systems belonging to multiple US government departments, including the US Treasury and Commerce, in a long-term compromise believed to have started back in March. The event and the resulting news coverage triggered an emergency meeting of the US National Security Council on Saturday. SolarWinds customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.
So, regardless of whether you use SolarWinds, we recommend as best practice that your organization immediately take the following actionable steps for your environment(s):
• Perform a full scan of all endpoints within your environment and analyze the results for any detections named Backdoor.Sunburst or Backdoor.WebShell.
• Review the Indicators of Compromise (IoCs) at the end of this article and search for them in your logs and any other SIEM data you collect, to accurately establish the timeline of any potential intrusion.
• Conduct a comprehensive security risk assessment to review and harden your physical and cloud infrastructure.
• If your organization uses the Orion platform, immediately upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2 and restore systems once you are confident in the steps outlined above.
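The IoC review step above, searching exported logs or SIEM data for defanged indicators and working out the earliest hit, as a small Python hunting script. This is an added example, not code from the original post or from SolarWinds, FireEye or Microsoft; the indicators and log lines in it are constructed placeholders, and the real IoC list would be dropped into DEFANGED_IOCS.

```python
import re
from datetime import datetime

# Constructed placeholder indicators in the defanged form used in IoC lists.
# None of these are genuine IoCs; substitute the article's list here.
DEFANGED_IOCS = [
    "c2-placeholder[.]invalid",  # hypothetical domain
    "198.51.100[.]23",           # documentation-range IP, constructed
    "ab" * 32,                   # fake SHA-256 of the right length
]
# Constructed sample log lines: DNS, proxy and EDR file-hash telemetry.
SAMPLE_LOGS = [
    "2020-03-26T14:02:11Z dns host=wkstn07 qname=abc123.c2-placeholder.invalid",
    "2020-04-02T09:15:40Z proxy host=srv01 dst=198.51.100.230 action=allow",
    "2020-04-03T22:41:05Z edr host=srv01 file=x.dll sha256=" + "AB" * 32,
    "2020-05-11T08:00:00Z dns host=wkstn12 qname=safe-c2-placeholder.invalid",
    "2020-06-01T12:30:00Z proxy host=wkstn07 dst=198.51.100.23 action=allow",
]
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")  # hostnames, IPs, hashes

def refang(indicator):
    """Turn a defanged indicator ('a[.]b') back into a searchable value."""
    return indicator.replace("[.]", ".").lower()

def matches(line, iocs):
    """Indicators hit by one log line. Whole-token comparison avoids substring
    false positives (198.51.100.230, safe-c2-placeholder.invalid); a domain also
    matches when the token is one of its subdomains."""
    hits = set()
    for tok in TOKEN.findall(line):
        tok = tok.lower().rstrip(".")
        hits.update(i for i in iocs if tok == i or tok.endswith("." + i))
    return hits

def hunt(lines, defanged_iocs):
    """Return (earliest hit time, [(time, indicator, line), ...]) sorted by time,
    the intrusion timeline the IoC review step is meant to establish."""
    iocs = {refang(i) for i in defanged_iocs}
    found = []
    for line in lines:
        ts = TIMESTAMP.search(line)
        when = datetime.fromisoformat(ts.group()) if ts else None
        found.extend((when, hit, line) for hit in matches(line, iocs))
    found.sort(key=lambda r: (r[0] is None, r[0] or datetime.min))
    return (found[0][0] if found else None), found

if __name__ == "__main__":
    earliest, found = hunt(SAMPLE_LOGS, DEFANGED_IOCS)
    print("earliest hit:", earliest)
    for when, ioc, line in found:
        print(when, ioc, "<-", line)
```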
To discuss the scope of your security risk assessment and pricing, please contact us at either [email protected] or 813-616-5101.
Indicators of Compromise (IOCs)
This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.
Additional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules