Supply Chain Attack on SolarWinds Orion Platform Affecting Multiple Organizations Worldwide (APT29)

Description

Editorial Note: This Threat Signal dealing with the SolarWinds attack was created by FortiGuard Labs using all of the information we had available to us on December 14th, which included a number of media reports attributing the attack to the threat actor APT29/Cozy Bear. Today, December 17th, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued their report on the attack (AA20-352A). CISA has not attributed this activity to APT29 or any other specific actor at this time. Because of this, FortiGuard Labs will update this Threat Signal accordingly once CISA provides any clarification on which specific APT group it is, and will subsequently remove all designations to APT29/Cozy Bear if warranted. We have included the CISA report in the APPENDIX. All other aspects of this Threat Signal are unchanged.

Editorial Update: On January 5th, a joint statement from the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, have issued a statement that the APT group behind the SolarWinds activity is likely Russian in origin. On January 6th, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued newly updated guidance and mitigation relating to the attack on SolarWinds (AA20-352A). We are currently evaluating the new IOCs contained in the guidance to determine any possible updates required for Fortinet solutions. We have included links to the joint statement and new guidance in the Appendix and we will update this Threat Signal as warranted.

FortiGuard Labs is aware of a new sophisticated supply chain attack on SolarWinds, an IT infrastructure management company based in the United States. This attack has been linked to state sponsored attackers who were able to upload malicious code laden updates to the SolarWinds Orion platform software to unsuspecting victims. SolarWinds Orion platform allows IT administrators an all in one management solution for SolarWinds products.

According to their website, SolarWinds provides IT infrastructure management software solutions for 425 of the top Fortune 500 companies. SolarWinds also has many global customers in multiple verticals outside of the Fortune 500, including government, telecom, education and others.

Multiple reports by news media outlets have attributed this attack to the Russian government, specifically, APT29/Cozy Bear. Also, it has been reported by various media outlets that this issue is related to the FireEye penetration tools leak from last week.

Why is APT29/Cozy Bear/Duke Significant?

APT29/Cozy Bear/Duke has been in operation since 2008. Previous attacks attributed to this threat actor have targeted various companies, governmental agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high profile attacks attributed to this group are the attacks on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and against various United States think tanks and NGOS in 2017.

Although APT29 is attributed to Russia, it is not to be confused with APT28/Fancy Bear/Pawn Storm, which is another group attributed to Russia. APT28 was responsible for the World Anti-Doping Agency (WADA) attacks before the Rio Olympics (2016) and was also responsible for the DNC attacks in 2016 as well.

What are the Technical Details?

SolarWinds has not provided much in detail, however FireEye has provided a detailed write-up on the threat actor they refer to as UNC2452 and the malware variant referred to as SUNBURST.

Victims were compromised by trojanized versions of a legitimate SolarWinds digitally signed file named:

SolarWinds.Orion.Core.BusinessLayer.dll

The trojanized file is a backdoor. Once on a target machine, it remains dormant for a two-week period and will then retrieve commands that allow it to transfer, execute, perform reconnaissance, reboot and halt system services. Communication occurs over http to predetermined URI's.

The malware utilizes the Orion Improvement Program protocol to evade detection by piggybacking itself as a legitimate service and storing its results within Orion plugin files to avoid further detection. The threat actors used a limited set of malware to avoid detection and used exfiltrated credentials to login to the network remotely for access. Then once inside, the attackers deployed a customized version of the Cobalt Strike beacon for lateral movement. According to the report, the updates were delivered via a two-month window, from March to May of 2020.

Is This Limited to Targeted Attacks?

According to the FireEye, this appears to be a global campaign and not limited to a specific region or entity.

How Serious of an Issue is This?

High.

Is there a Patch or Version Update Available by the Vendor?

Yes. According to the SolarWinds security advisory:

Customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. This version is currently available at customerportal.solarwinds.com.

Additionally, it is recommended that customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

For further details along with affected software, please see the "SolarWinds Security Advisory" link in the APPENDIX section.

What is the Status of Protections for this Event?

FortiGuard Labs has AV coverage in place for publicly available samples as:

W32/Trojan.SUNBURST!tr

MSIL/SunBurst.A!tr

W64/TearDrop.A!tr

MSIL/Sunburst.F!tr

MSIL/SuperNova.A!tr

W32/Sunburst.A!tr

W32/Agent.1BA1!tr

MSIL/Agent.102E!tr

MSIL/Agent.C865!tr

MSIL/Agent.8448!tr

MSIL/Agent.5676!tr

FortiGuard Labs has released a revised IPS signature that will detect SUNBURST activity which was released in IPS definitions set (16.981):

FireEye.Red.Team.Tool

FortiGuard Labs has released a new IPS signature that will detect SUNBURST activity which was released in IPS definitions set (16.984):

SolarWinds.SUNBURST.Backdoor

FortiGuard Labs has released a new Application Control signature that will detect attempted SolarWinds access activity which was released in definitions set (16.984):

SolarWinds

For FortiEDR protections, all published IOC's were added to our Cloud intelligence and will be blocked if executed on customer systems.

Regarding FortiAnalyzer, a knowledge base article that contains detailed insight on how to detect Sunburst/SolarWinds specific activity can be found here.

All network IOC's are blocked by the Web Filtering client.

Any Other Suggested Mitigation?

Due to the ease of disruption and due to the disruption and damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc. it is important to keep all AV and IPS signatures up to date.

It is also important to ensure that all known vendor vulnerabilities are addressed, and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.

Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.

Outbreak Alert

SolarWinds [signed] software containing a planted vulnerability released in March 2020 as a regular (trusted) software patch. The backdoor was not discovered until the FireEye breach became public 9 months later.

View the full Outbreak Alert Report

Appendix

SolarWinds Security Advisory

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor (FireEye)

Important steps for customers to protect themselves from recent nation state cyberattacks (Microsoft)

Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (Revised 1/6/2021)

JOINT STATEMENT BY THE FEDERAL BUREAU OF INVESTIGATION (FBI), THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (CISA), THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE (ODNI), AND THE NATIONAL SECURITY AGENCY (NSA) (Added 1/5/2021)

Supplemental Guidance v3 (Added 1/6/2021)