[BreachExchange] More SolarWinds Attack Details Emerge

Destry Winant destry at riskbasedsecurity.com
Wed Jan 13 09:01:36 EST 2021


https://www.darkreading.com/threat-intelligence/more-solarwinds-attack-details-emerge/d/d-id/1339885?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A third piece of malware is uncovered, but there are still plenty of
unknowns about the epic attacks purportedly out of Russia.

As yet another piece of malware has been uncovered in the attack on
SolarWinds network management system software, there still remain
several missing elements needed to draw a complete picture of the
massive cyberattacks against major US government agencies and
corporations, including security vendor and incident response expert
FireEye.

SolarWinds and CrowdStrike this week detailed a third malware tool —
dubbed Sunspot — that was found in the attack on the software vendor.
Sunspot is a custom program that inserted the so-called Sunburst
backdoor into the software build environment of SolarWinds' Orion
network management product. CrowdStrike, which analyzed Sunspot on
behalf of SolarWinds, says the tool was carefully planted somehow by
the attackers and kept hidden from SolarWinds developers with
sophisticated tracking and camouflaging so it couldn't be detected.

"This is a purpose-built tool," says Adam Meyers, vice president of
intelligence at CrowdStrike.

In a rare reversal of roles when it comes to nation-state attribution,
the US intel community has publicly cited Russia as the perpetrator in
the attacks, while security firms FireEye and CrowdStrike, which
specialize in nation-state activity, have been unusually cautious in
identifying a threat group or nation behind the attacks. Neither
vendor will confirm whether it's Russia.

FireEye CEO Kevin Mandia last week noted during an Aspen Institute
panel event that the attack group here "smells a lot different"
despite similarities in its behavior to known nation-states. FireEye
was the first to spot and report the attack on SolarWinds' software
after discovering its own SolarWinds implementation had been targeted
and that user credentials and its red-team tools had been stolen.

The attackers planted malware in legitimate updates to SolarWinds'
Orion network management software that was sent to some 18,000 public
and private sector customers of the software. According to US
intelligence assessments, a very small number of those organizations
actually were targeted and compromised.

"This is a pretty complex attack," CrowdStrike's Meyers says. "They've
got absolutely immaculate opsec from what we've seen."

Case in point: The source code for Sunburst was embedded in Sunspot,
he explains, but the attackers had done something he had never seen
before. "We were excited to see source code for Sunburst but realized
they had run it through a decompiler and laundered the code" so it was
sanitized and left no fingerprints or other clues, he says.

The Sunspot implant also could be repurposed, he notes, and used with
other source code by the attackers.

SolarWinds, which recently hired former CISA director Christopher
Krebs and former Facebook security head Alex Stamos to assist in its
breach recovery process, said the attackers appear to have first
infiltrated the firm in September 2019 — likely for reconnaissance.
According to a blog post by SolarWinds' newly appointed president and
CEO Sudhakar Ramakrishna, the October 2019 version of Orion was
modified such that the attackers could test their ability to insert
code into its builds. The attackers began using Sunspot to insert
Sunburst into Orion releases, starting on Feb. 20, 2020; the attackers
later removed Sunburst in June of last year.

CrowdStrike's Meyers recommends that organizations "take a hard look"
at their software build environments, especially if they are shipping
code. "We see a lot of threat actors interested in targeting the
supply chain," he says. "Awareness is key."

Aside from Sunspot and Sunburst, there's also Teardrop malware, a
memory-based dropper that was used by the attackers to run a custom
Cobalt Strike Beacon service for the attackers.

Turla Thread?
Kaspersky researchers, meanwhile, also found several commonalities
between the Sunburst backdoor and a known backdoor called Kazuar,
which was first detailed by Palo Alto Networks in 2017 and used for
cyber-espionage campaigns by the Turla group. Turla is a Russian
advanced persistent threat also known by the names of Snake, Venomous
Bear, Uroburos, Group 88, and Waterbug, and is associated with cyber
espionage.

Sunburst and Kazuar have some code overlap — specifically in their
victim UID-generation algorithm, sleeping algorithm, and FNV-1a hash
use, Kaspersky found. That doesn't prove they are from the same attack
group, however; the code could be somehow related or merely
mimicked, according to Kaspersky.

"We don't fully understand all of the different vectors or scope of
this compromise," says Costin Raiu, director of Kaspersky's global
research and analysis team. "But any bits of technically connected
information can help."

Aside from the SolarWinds attack vector, there are also unresolved
questions about additional initial attack vectors, including stolen
credentials, according to CISA, which is looking into other attack
methods in the campaign. There's also the December alert from the NSA
warning of a VMware zero-day vulnerability that has some researchers,
including Kaspersky's Raiu, wondering if it could be somehow related
to the SolarWinds attacks, possibly as one of the other initial attack
vectors outside of the SolarWinds software.

Either way, the supply chain attack via SolarWinds has the earmarks of
nation-states, including Russia.

"I see SolarWinds [the attack] as a very natural element of an
ecosystem that has existed" in cyber espionage for some time, says
Gregory Rattray, co-founder and partner at Next Peak and former global
CISO of JP Morgan Chase, who also served as White House cybersecurity
director during the George W. Bush administration.

Rattray — who coined the now commonly used term for nation-state
hackers, advanced persistent threat, or APT, while in the US Air Force
— says the SolarWinds attack is just one of likely many similar supply
chain compromises by stealthy and sophisticated groups.

"We're only seeing the tip of the iceberg. … There's a whole lot more of this."
