Threat Signal Report

Supply Chain Attack on SolarWinds Orion Platform Affecting Multiple Organizations Worldwide (APT29)

Description

Editorial Note: This Threat Signal dealing with the SolarWinds attack was created by FortiGuard Labs using all of the information we had available to us on December 14th, which included a number of media reports attributing the attack to the threat actor APT29/Cozy Bear. Today, December 17th, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued their report on the attack (AA20-352A). CISA has not attributed this activity to APT29 or any other specific actor at this time. Because of this, FortiGuard Labs will update this Threat Signal accordingly once CISA provides any clarification on which specific APT group it is, and will subsequently remove all designations to APT29/Cozy Bear if warranted. We have included the CISA report in the APPENDIX. All other aspects of this Threat Signal are unchanged.


Editorial Update: On January 5th, a joint statement from the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, have issued a statement that the APT group behind the SolarWinds activity is likely Russian in origin. On January 6th, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued newly updated guidance and mitigation relating to the attack on SolarWinds (AA20-352A). We are currently evaluating the new IOCs contained in the guidance to determine any possible updates required for Fortinet solutions. We have included links to the joint statement and new guidance in the Appendix and we will update this Threat Signal as warranted.


FortiGuard Labs is aware of a new sophisticated supply chain attack on SolarWinds, an IT infrastructure management company based in the United States. This attack has been linked to state sponsored attackers who were able to upload malicious code laden updates to the SolarWinds Orion platform software to unsuspecting victims. SolarWinds Orion platform allows IT administrators an all in one management solution for SolarWinds products.


According to their website, SolarWinds provides IT infrastructure management software solutions for 425 of the top Fortune 500 companies. SolarWinds also has many global customers in multiple verticals outside of the Fortune 500, including government, telecom, education and others.


Multiple reports by news media outlets have attributed this attack to the Russian government, specifically, APT29/Cozy Bear. Also, it has been reported by various media outlets that this issue is related to the FireEye penetration tools leak from last week.


Why is APT29/Cozy Bear/Duke Significant?

APT29/Cozy Bear/Duke has been in operation since 2008. Previous attacks attributed to this threat actor have targeted various companies, governmental agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high profile attacks attributed to this group are the attacks on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and against various United States think tanks and NGOS in 2017.


Although APT29 is attributed to Russia, it is not to be confused with APT28/Fancy Bear/Pawn Storm, which is another group attributed to Russia. APT28 was responsible for the World Anti-Doping Agency (WADA) attacks before the Rio Olympics (2016) and was also responsible for the DNC attacks in 2016 as well.


What are the Technical Details?

SolarWinds has not provided much in detail, however FireEye has provided a detailed write-up on the threat actor they refer to as UNC2452 and the malware variant referred to as SUNBURST.


Victims were compromised by trojanized versions of a legitimate SolarWinds digitally signed file named:


SolarWinds.Orion.Core.BusinessLayer.dll


The trojanized file is a backdoor. Once on a target machine, it remains dormant for a two-week period and will then retrieve commands that allow it to transfer, execute, perform reconnaissance, reboot and halt system services. Communication occurs over http to predetermined URI's.


The malware utilizes the Orion Improvement Program protocol to evade detection by piggybacking itself as a legitimate service and storing its results within Orion plugin files to avoid further detection. The threat actors used a limited set of malware to avoid detection and used exfiltrated credentials to login to the network remotely for access. Then once inside, the attackers deployed a customized version of the Cobalt Strike beacon for lateral movement. According to the report, the updates were delivered via a two-month window, from March to May of 2020.


Is This Limited to Targeted Attacks?

According to the FireEye, this appears to be a global campaign and not limited to a specific region or entity.


How Serious of an Issue is This?

High.


Is there a Patch or Version Update Available by the Vendor?

Yes. According to the SolarWinds security advisory:


Customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. This version is currently available at customerportal.solarwinds.com.

Additionally, it is recommended that customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.


For further details along with affected software, please see the "SolarWinds Security Advisory" link in the APPENDIX section.


What is the Status of Protections for this Event?

FortiGuard Labs has AV coverage in place for publicly available samples as:


W32/Trojan.SUNBURST!tr

MSIL/SunBurst.A!tr

W64/TearDrop.A!tr

MSIL/Sunburst.F!tr

MSIL/SuperNova.A!tr

W32/Sunburst.A!tr

W32/Agent.1BA1!tr

MSIL/Agent.102E!tr

MSIL/Agent.C865!tr

MSIL/Agent.8448!tr

MSIL/Agent.5676!tr


FortiGuard Labs has released a revised IPS signature that will detect SUNBURST activity which was released in IPS definitions set (16.981):


FireEye.Red.Team.Tool


FortiGuard Labs has released a new IPS signature that will detect SUNBURST activity which was released in IPS definitions set (16.984):


SolarWinds.SUNBURST.Backdoor


FortiGuard Labs has released a new Application Control signature that will detect attempted SolarWinds access activity which was released in definitions set (16.984):


SolarWinds


For FortiEDR protections, all published IOC's were added to our Cloud intelligence and will be blocked if executed on customer systems.


Regarding FortiAnalyzer, a knowledge base article that contains detailed insight on how to detect Sunburst/SolarWinds specific activity can be found here.


All network IOC's are blocked by the Web Filtering client.


Any Other Suggested Mitigation?

Due to the ease of disruption and due to the disruption and damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc. it is important to keep all AV and IPS signatures up to date.


It is also important to ensure that all known vendor vulnerabilities are addressed, and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.


Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.