US-CERT- AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

Started by Netwörkheäd, February 08, 2021, 12:05:07 PM

Previous topic - Next topic

Netwörkheäd

AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

[html]Original release date: December 17, 2020 | Last revised: February 8, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.



(Updated January 6, 2021): One of the initial access vectors for this activity is a supply chain compromise of a Dynamic Link Library (DLL) in the following SolarWinds Orion products (see Appendix A). Note: prior versions of this Alert included a single bullet that listed two platform versions for the same DLL. For clarity, the Alert now lists these platform versions that share the same DLL version number separately, as both are considered affected versions.




       
  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083

  •    
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219

  •    
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394

  •    
  • Orion Platform 2020.2, version 2020.2.5300.12432

  •    
  • Orion Platform 2020.2 HF1, version 2020.2.5300.12432



Note (updated January 6, 2021): CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section). Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs). CISA will update this Alert as new information becomes available. Refer to https://www.cisa.gov/supply-chain-compromise">CISA.gov/supply-chain-compromise for additional resources.



(Updated January 6, 2021): On December 13, 2020, CISA released https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. CISA has subsequently issued https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3">supplemental guidance to Emergency Directive (ED) 21-01, most recently on January 6, 2021. Note: this Activity Alert does not supersede the requirements of ED 21-01 or any supplemental guidance and does not represent formal guidance to federal agencies under ED 21-01.



CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).



Key Takeaways (updated December 18, 2020)




       
  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.

  •    
  • CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise. 

  •    
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.

  •    
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans. 



(Updated January 8, 2021) For a downloadable list of indicators of compromise (IOCs), see the https://us-cert.cisa.gov/sites/default/files/publications/AA20-352A.stix.xml">STIX file, https://us-cert.cisa.gov/sites/default/files/publications/MAR-10318845-1.v1.WHITE_stix.xml">MAR-10318845-1.v1.stix, and https://us-cert.cisa.gov/sites/default/files/publications/MAR-10320115-1.v1.WHITE_stix.xml">MAR-10320115-1.v1.stix.


Technical Details

Overview



CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered. CISA will continue to update this Alert and the corresponding IOCs as new information becomes available.



Initial Infection Vectors [https://attack.mitre.org/versions/v8/tactics/TA0001/">TA0001]



(Updated January 6, 2021): CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [https://attack.mitre.org/versions/v8/techniques/T1110/001/">T1101.001], password spraying [https://attack.mitre.org/versions/v8/techniques/T1110/003/">T1101.003], and inappropriately secured administrative credentials [https://attack.mitre.org/versions/v8/techniques/T1078/">T1078] accessible via external remote access services [https://attack.mitre.org/versions/v8/techniques/T1133/">T1133]. Initial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as additional initial vectors are identified.



Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App (OWA).[https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.



SolarWinds Orion Supply Chain Compromise [https://attack.mitre.org/versions/v8/techniques/T1195/002/">T1195.002]



SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.



The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[https://www.solarwinds.com/securityadvisory">2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the backdoor has occurred.



Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.



SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.



Anti-Forensic Techniques



The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their "last mile" IP addresses to different endpoints to obscure their activity and avoid detection.



FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [https://attack.mitre.org/versions/v8/techniques/T1027/003/">T1027.003]) to obscure C2 communications.[https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">3] This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary's use of this technique.



According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.



While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user's normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.



Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.



Privilege Escalation and Persistence [https://attack.mitre.org/versions/v8/tactics/TA0004">TA0004, https://attack.mitre.org/versions/v8/tactics/TA0003/">TA0003]



(Updated January 6, 2021): The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication credentials, in the form of assigning tokens and certificates, to existing Azure/Microsoft 365 (M365) application service principals. These additional credentials provide persistence and escalation mechanisms and a programmatic method of interacting with the Microsoft Cloud tenants (often with Microsoft Graph Application Programming Interface [API]) to access hosted resources without significant evidence or telemetry being generated.



(Updated January 6, 2021): Microsoft reported that the actor has added new federation trusts to existing on permises infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity, as well as a Sentinel detection for identifying changes to the identity federation from a user or application.[https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml ">4]



User Impersonation



(Updated January 6, 2021): The adversary's initial objectives, as understood today, appear to be to collect information from victim environments. One method the adversary is accomplishing this objective is by compromising the SAML signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized APIs. During the persistence phase, the additional credentials being attached to service principals obfuscates the activity of user objects, because they appear to be accessed by the individual, and such individual access is normal and not logged in all M365 licensing levels.



CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.



These are some key functions and systems that commonly use SAML.




       
  • Hosted email services

  •    
  • Hosted business intelligence applications

  •    
  • Travel systems

  •    
  • Timecard systems

  •    
  • File storage services (such as SharePoint and OneDrive)



(New January 6, 2021): Detection: Identifying Compromised Azure/M365 Resources



CISA created Sparrow.ps1[https://github.com/cisagov/Sparrow">5] to help detect possible compromised accounts and applications in the Azure/M365 environment. Sparrow is intended for use by incident responders and focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data and is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent intrusions on federated identity sources and applications. Sparrow can be found on CISA's Github page at https://github.com/cisagov/Sparrow">https://github.com/cisagov/Sparrow.



Detection: Impossible Logins



The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as "impossible travel." Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.



Detection: Impossible Tokens



The following conditions may indicate adversary activity.




       
  • (Updated January 6, 2021): Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual. Exact values (measured in precise seconds) is also considered unusual.

  •    
  • The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.

  •    
  • A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.

  •    
  • (New January 6, 2021): Tokens with missing or unusual MFA details, when MFA is enforced, is considered an anoamaoly and should be investigated. This requires correlation of identity provider (iDP) logs with cloud access; differences in claims indicate maninpulated values. All claims should have a corresponding iDP entry.



(New December 21, 2020): see the National Security Agency (NSA) Cybersecurity Advisory: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF">Detecting Abuse of Authentication Mechanisms for additional detection methods as well as mitigation recommendations.



Operational Security



Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.



Operational security plans should include:




       
  • Out-of-band communications guidance for staff and leadership;

  •    
  • An outline of what "normal business" is acceptable to be conducted on the suspect network;

  •    
  • A call tree for critical contacts and decision making; and

  •    
  • Considerations for external communications to stakeholders and media.



MITRE ATT&CK® Techniques



CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.




Mitigations

(Updated January 6, 2021) SolarWinds Orion Owners



Networks with SolarWinds Orion products will generally fall into one of three categories. (Note: for the purposes of mitigation analysis, a network is defined as any computer network with hosts that share either a logical trust or any account credentials with SolarWinds Orion.)




       
  • Category 1 includes those who do not have the identified malicious binary code on their network and can forensically confirm that the binary was never present on their systems. This includes networks that do not, and never did, utilize the affected versions of SolarWinds Orion products (see Appendix A).

  •    
  • Category 2 includes networks where the presence of the malicious binary has been identified—with or without beaconing to avsvmcloud[.]com. This includes networks that previously utilized affected versions of SolarWinds Orion but where the organization has forensically verified (through comprehensive network monitoring and analysis) that platforms running the affected software either:

        
       

            
    1. Had no beaconing, or

    2.       
    3. Only beaconed to avsvmcloud[.]com and have not had any secondary C2 activity to a separate domain or IP address or other adversary activity or secondary actions on objectives (AOOs),[https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf">6] such as SAML token abuse.

             

    4.    

       

  •    
  • Category 2 organizations, after conducting appropriate forensic analysis to ensure they only have category 2 activity, can rebuild the platform, harden the configuration based on SolarWinds secure configuration guidelines, and resume use as determined by and consistent with their thorough risk evaluation. For entities not subject to ED 21-01, this can be accomplished by following the steps below. Federal agencies subject to ED 21-01 must follow the appropriate steps as outlined in the effective ED 21-01 supplemental guidance.

        
       

            
    1. Denying all incoming and outgoing (any:any) communications outside of the organization's device network management enclave, with additional assurance that communications to the public internet to and from hosts running SolarWinds Orion products has been blocked.

    2.       
    3. Cloud instances of Orion should only monitor cloud resources in that cloud infrastructure.

    4.       
    5. On-premises instances of Orion should not be permissioned with any cloud/hosted identity accounts.

    6.       
    7. Restoration of SolarWinds may be done from the legacy database following the SolarWinds restore guidance (http://solarwinds.com/upgrading-your-environment">http://solarwinds.com/upgrading-your-environment). Restoration for affected versions will differ from restoration for unaffected versions—agencies must ensure that they are following the correct restoration guidance.

    8.       
    9. Before building SolarWinds:
            

                 
      1. All account credentials, or other shared secrets (e.g., Simple Network Management Protocol [SNMP] strings) that are or had been utilized by the affected SolarWinds Orion device being rebuilt should be changed.

      2.          
      3. Enable MFA for these credentials, whenever possible.

      4.          
      5. Provide service accounts with the minimum privilege necessary for the role performed, whenever possible.

      6.          
      7. For accounts where MFA is not possible  (e.g., service accounts), use randomly generated long and complex passwords (greater than 25 characters) and implement a maximum 90-day rotation policy for these passwords.

      8.          
      9. Remove all inbound trust relationships to the SolarWinds Orion device being rebuilt.

      10.       

            

    10.       
    11. Re-building a SolarWinds Orion Platform to at least version 2020.2.1 HF2 and updating the host to the latest supported build, at least Windows 2016.

    12.       
    13. Following the SolarWinds secure configuration (hardening) guidelines provided by the vendor, which can be found at: https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm">https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm. CISA does not recommend configuring the SolarWinds software to implement SAML-based authentication that relies on Microsoft's Active Directory Federated Services if it has not already been configured to leverage SAML. This configuration is currently being exploited by the threat actor with this activity.

    14.       
    15. Configuring logging to ensure that all logs on the host operating system and SolarWinds platform are being captured and stored for at least 180 days.

    16.       
    17. Configure logging to ensure that all logs from the host OS, SolarWinds platform, and associated network logs are being captured and stored for at least 180 days in a separate, centralized log aggregation capability.

    18.       
    19. Implementing subsequent SolarWinds Orion Platform updates. CISA recommends installing all updates within 48 hours of release. 

             

    20.    

       

  •    
  • Category 3 includes those networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address (typically but not exclusively returned in avsvmcloud[.]com CNAME responses). Additionally, organizations that have observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020—not due to an action taken by their network defenders—fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately. Recovery and remediation of Category 3 activity requires a complex reconstitution and mitigation plan, which may include comprehensively rebuilding the environment. This should be coordinated with an organization's leadership and incident response team.



Compromise Mitigations



(Updated January 6, 2021): If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary's removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action. A Microsoft blog post, https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/">Advice for incident responders on recovery from systemic identity compromises outlines processes and procedures needed to remediate this type of activity and retain administrative control of an environment. In addition to the recommendations in this blog post, CISA recommends the following actions:




       
  1. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
       

            
    1. See Microsoft's documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448">https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.

    2.       
    3. Change all account credentials, or other shared secrets (e.g., SNMP strings) that were potentially exposed:
            

                 
      1. Enable MFA for these credentials, whenever possible;

      2.          
      3. Provide service accounts with the minimum level of privilege necessary for the role performed, whenever possible; and

      4.          
      5. For accounts where MFA is not possible, require use of randomly generated long and complex passwords (greater than 25 characters) and implement a maximum 90-day rotation policy for these passwords.

      6.       

            

    4.       
    5. Replace the user accounts with a Group Managed Service Account (gMSA). See https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview, and Implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.

    6.       
    7. Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES128 bit encryption

    8.       
    9. Define the Security Policy setting, for Network Security: Configure Encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos">https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

    10.       
    11. See Microsoft's documentation on how to reset the Kerberos Ticket Granting Ticket password, twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.

    12.    

       



SolarWinds Orion Specific Mitigations



The following mitigations apply to networks using the SolarWinds Orion product. This includes any information system that is used by an entity or operated on its behalf.



Organizations that have the https://cyber.dhs.gov/ed/21-01/#what-does-the-directive-mean-by-expertise">expertise to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01 (and forthcoming associated guidance) for mitigation steps.




       
  • Step 1

       

            
    • Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise.

    •       
    • Analyze stored network traffic for https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software">indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

    •    

       

  •    
  • Step 2
       

            
    • Affected organizations should immediately disconnect or power down affected all instances of affected versions of SolarWinds Orion from their network.

    •       
    • Additionally:
            

                 
      • Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.

      •          
      • Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.  

      •       

            

    •    

       

  •    
  • Step 3  
       

            
    • Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:
            

                 
      • Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.

      •          
      • Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.

      •          
      • Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

      •       

            

    •    

       

  •    
  • (New December 19, 2020) For all network devices (routers, switches, firewalls, etc.) managed by affected SolarWinds servers that also have indications of additional adversary activity, CISA recommends the following steps:
       

            
    • Device configurations
            

                 
      • Audit all network device configurations, stored or managed on the SolarWinds monitoring server, for signs of unauthorized or malicious configuration changes.

      •          
      • Audit the configurations found on network devices for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time.

      •       

            

    •       
    • Credential and security information reset
            

                 
      • Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).

      •       

            

    •       
    • Firmware and software validation
            

                 
      • Validate all network device firmware/software which was stored or managed on the SolarWinds monitoring server. Cryptographic hash verification should be performed on such firmware/software and matched against known good hash values from the network vendor. CISA recommends that, if possible, organizations download known good versions of firmware.

      •       

            

    •    

       

  •    
  • For network devices managed by the SolarWinds monitoring server, the running firmware/software should be checked against known good hash values from the network vendor. CISA recommends that, if possible, organizations re-upload known good firmware/software to managed network devices and perform a reboot.



See Joint Alert on https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity for more information on incident investigation and mitigation steps based on best practices.



CISA will update this Alert, as information becomes available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises.


Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at





CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/">http://www.us-cert.cisa.gov/.



Appendix A: Affected SolarWinds Orion Products



Table 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having the Sunburst backdoor present. (Updated January 6, 2021: added SHA-1 and MD5 hashes to table 1; updated SHA-256 hash for version 2019.4 HF6).



Table 1: Affected SolarWinds Orion Products




   
      
         
         
         
         
         
         
      
   
   
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
      
         
         
         
         
         
         
      
   
Orion Platform VersionSunburst Backdoor Code PresentFile VersionSHA-256SHA-1MD5
2019.4Tampered but not backdoored2019.4.5200.8890a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc5e643654179e8b4cfe1d3c1906a90a4c8d611ceae18a6a21eb44e77ca8d739a72209c370
2019.4 HF1No2019.4.5200.8950
         

9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690


         
48e84a1ed30d36f6750bce8748fe0edbfa9fb3dcb3f7ac8215b73e73e1e184933c788759
2019.4 HF2No2019.4.5200.8996bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d162bb92a18bb39ac7e9a9997369a6efe0dd74094563d4d55eae72710f9419975d087fd11
2019.4 HF3No2019.4.5200.9001ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad98bb0c5d1a711472225dc1194133f37c80159664d22e80d03fe69389cbf3299f6f800f80
2019.4 HF4No2019.4.5200.9045
         

9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee


         
2a255070160b1c6fcad4f0586b64691fe8b6d0f86b5f205d79a647b275500597975314a5
2020.2 RC1Yes2020.2.100.12219dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b1acf3108bf1e376c8848fbb25dc87424f2c2a39c731d724e8859ef063c03a8b1ab7f81ec
2019.4 HF5Yes2019.4.5200.908332519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c7776640508b1e7759e548771a5359eaed353bf1eecb91ce2fa41029f6955bff20079468448
2020.2 RC2Yes2020.2.5200.12394019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b01342f1a5a7411d015d01aaee45358354001916450232c4a910a1299cdae2a4e55988a2f102e

         

2020.2



         

2020.2 HF1


         
Yes2020.2.5300.12432ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6d130bd75645c2433f88ac03e73395fba172ef676846e27a652a5e1bfbd0ddd38a16dc865
2019.4 HF6No2019.4.5200.91068dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a00f66fc1f74b9ecabf1aafc123f2ef0f94edc2581412c74537fc769b5dd34b4c1da0bf48

         

2020.2.1



         

2020.2.1 HF1


         
No2020.2.15300.12766143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a8acbcc116baa80262d09635bd312018372fefca62d9b1245d42bb9f928da2528bb057de2
2020.2.1 HF2No2020.2.15300.12901
         

cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f


         
babf9af689033fa2a825528715ae6dc625619e65610ec1ab7701b410df1e309240343cdf


 



Appendix B: Indicators of Compromise



Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA developed IOCs as our investigations evolve. Note: removed two IOCs (12.227.230[.]4, 65.153.203[.]68) and corrected typo, updated December 19, 2020; added multiple new IOCs on January 6, 2021 (new IOCs added are at the bottom of the table); corrected typos, added new IOC, and deleted duplicate hash on January 7, 2021.



Table 2: Indicators of Compromise




   
      
         
         
         
         
         
      
   
   
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         
         
      
      
         
         
         
         

         

 IOC 


         
 Type  Notes References  Source 
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 hash Backdoor.Sunburst 
         

https://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 


         
 
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bchashBackdoor.Sunbursthttps://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-   attacks/ 
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0afhashBackdoor.Sunbursthttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ 
13.59.205[.]66IPv4DEFTSECURITY[.]comhttps://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
deftsecurity[.]comdomainDomain malicious on VT, registered with  Amazon, hosted on US IP address 13.59.205.66, malware repository, spyware and malware
         

https://www.virustotal.com/gui/domain/deftsecurity.com/details">https://www.virustotal.com/gui/domain/deftsecurity.com/details



         

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/


         
Volexity
54.193.127[.]66IPv4FREESCANONLINE[.]com https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ 
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917chashNo info availablehttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77hashNo info availablehttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3bhashNo info availablehttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0edhashNo info availablehttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 
avsvmcloud[.]comdomainReported by FireEye/ The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud[.]com. to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data. Malicious on VT. Hosted on IP address 20.140.0.1, which is registered with Microsoft.  malware callhome, command and controlhttps://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
         

https://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/



         

FireEye Report Talos



         

Volexity


         
3.87.182[.]149IPv4Resolves to KUBECLOUD[.]com, IP registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity.https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
3.16.81[.]254IPv4Resolves to SEOBUNDLEKIT[.]com, registered to Amazon. Tracked by Insikt/RF as tied SUNBURST intrusion activity.https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
54.215.192[.]52IPv4THEDOCCLOUD[.]comhttps://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 hashTrojan.MSIL.SunBursthttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">ttps://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ 
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6hashTrojan.MSIL.SunBursthttps://us-cert.cisa.gov https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ ">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ 
8.18.144[.]11IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
8.18.144[.]12IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
8.18.144[.]9IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
8.18.144[.]20IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/Volexity
8.18.144[.]40IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity
8.18.144[.]44IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-
Let's not argue. Let's network!