Steps for External and Internal Threat Hunting in the Aftermath of SolarWinds
The holiday season is full of joy, anticipation, and the latest technology breach news. With this being 2020, the technology industry, not wanting to be outdone by forest fires, plagues, and murder hornets, came out with its own version of a ‘natural disaster’; an espionage campaign, known as SUNBURST that co-opted the SolarWinds Orion Platform.
SolarWinds says the Orion Platform “makes it easy to monitor, analyze, and manage the complete IT stack in one place.” The product combines multiple popular SolarWinds products into a single platform, centralizing network infrastructure and user administration. This also makes it the perfect target for a strategic espionage campaign.
Between March and December of 2020, sophisticated attackers, presumed to be associated with the Russian SVR foreign intelligence service, gained access to SolarWinds’ development infrastructure and inserted malicious code into the codebase of the Orion product. This enabled the attackers to instigate targeted attacks against SolarWinds customers.
When the news came out, a large number of affected companies were reported. The installed customer base of SolarWinds products numbers more than 300,000. Slowly, the number of affected customers was further qualified. 33,000 customers of SolarWinds used the Orion platform. Of those, approximately 18,000 downloaded the malicious update, leaving their networks vulnerable. The malicious update appears to have been used by attackers to actively target 300 of those customers. Should those customers “burn their networks to the ground” and rebuild? Should you?
The truth is, if you haven’t been approached by SolarWinds, VMWare, Microsoft, the CISA, or others, then you probably don’t need to consider the nuclear option. But you should undertake the following three step process:
- SECURE THE INTERIOR: Do any of your networks utilize SolarWinds Orion?
- SECURE THE PERIMETER: Have any of the affected networks had tangential access to your networks through partners, contractors, or others?
- SECURE THE TANGENTIAL: Does any of your data exist on other affected networks?
Secure the Interior
The interior is where the hunt should begin – even if you are not one of the unfortunate 18,000. Are you certain the vulnerable SolarWinds software is not in your network? Even though you may not have a SolarWinds contract, it is possible that someone is running a trial version without your knowledge.
Initially, Orion was the only known compromised tool utilized in the SUNBURST attacks. There have since been reports that CVE-2020-4006, a vulnerability in VMWare remote access tools, was used by the attackers prior to its publication. While investigating the impact of SUNBURST on your internal network, you should ensure that you have the most up-to-date information regarding the currently known compromised tools.
The SolarWinds component of the attack was primarily used for initial access. It is likely that attackers performed some internal expansion via internal service accounts. Attackers will have exited the Orion hosts quickly and moved on to second tier infrastructure in order to “go dark” on the wire and not reveal their access vector. The expansion effort is where organizations would have had the opportunity to detect this activity. There are a limited number of ways to expand and persist. EDR, account monitoring, event logging and alerting, netflow analysis, etc., are all pieces of the puzzle.
Using your SIEM, centralized logging, or other server log searching capabilities, we recommend searching for any account logins from the Solarwinds server(s). A starting point would be Windows Security Events 4768, 4769, 4771 for Kerberos, 4776 for NTLM on the DCs, and local credentials 4624,4625. In addition, be mindful of any logins to any host, even if not network devices, from the Solarwinds host that are outside of scheduled activity.
SolarWinds was not the only access vector utilized in the attack. In addition to the VMWare vulnerability, other non-public vulnerabilities may have been used. It is possible that there are other vendors whose products have been compromised in a similar fashion, including systems monitoring solutions, endpoint detection products, network and systems management, identity and access management, and others.
If, after consulting your employees and reviewing your SIEM, logs, network and contract documentation, you are still unsure about whether or not these compromised applications are in your network, consider examining netflow data, mobile, breach data, and the dark web to identify indicators of the presence of these applications without needing direct access to your corporate network environment.
Secure the Perimeter
If you have a good relationship with partners, contractors, and consultants, they might be permitted to bring their devices into your networks. Ideally, they would proactively and rapidly inform you of any breaches that have affected or could potentially affect their company. If you desire a greater degree of certainty, consider examining your partners’ netflow, their products, and product updates, allowing you to identify issues and engage your partner with actionable context in order to address potential risks.
Secure The Tangential
You should also be concerned about companies with whom you share data. Does a breach of their network that exposes your data to attackers constitute a reportable event? Do you trust them? Do you have the time to perform background investigations, scour media reports, the dark web, breach data, and other technical data associated with their key employees? Scouring a variety of open source intelligence services can identify evidence of systemic trust issues in the leadership and infrastructure of those with whom you have a relationship. Whether it’s trade secret litigation or intellectual property theft, the information is available and contextualized to potentially inform internal investigations where appropriate.
What do malicious attackers and systems monitoring solutions, endpoint detection products, network and systems management, and identity and access management applications have in common? They all need to establish a persistent connection into the environment. These persistent connection “call backs” can be detected in global netflow and be walked back several hops. This is the type of diligence your organization needs to consider not only for Solarwinds but all third-parties that hold or access sensitive data for your organization.
Nisos is The Managed Intelligence Company®. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
Zero Touch Diligence® combines cybersecurity and OSINT (Open Source Intelligence) expertise to provide deep, current, and comprehensive insight within the context of your specific needs, particularly focusing on third party applications that maintain connections into your environment. By fusing robust analytic methodology with a suite of tools, Nisos facilitates tailored monitoring and professional analysis of complex data sources. These tools collect, store, enrich, and integrate data from a wide variety of sources, which translates into more accurate, validated, and actionable insights delivered to you.
For more information visit: nisos.com email: firstname.lastname@example.org | 703-382-8400