SolarWinds.Orion.Core.BusinessLayer.dll is a file name that shall live in infamy. A highly sophisticated attacker apparently compromised the SolarWinds build process and inserted a backdoor into this DLL upstream of its being digitally signed with SolarWinds' code-signing certificate. It was then distributed as part of the Orion product to potentially as many as 18,000 customers. Orion was an attractive target for this supply chain attack because systems monitoring software often communicates with, and potentially has privileged access to, every system on a network worth monitoring.
This is not the first time a software company—and their customers—have been victimized this way. Two that immediately come to mind are M. E. Doc and Adobe. M. E. Doc is more like SUNBURST because it too resulted in the software company being the unwitting distributor of malware. In the Adobe debacle, their code-signing server was compromised and used to digitally sign malware but no malware was inserted into products shipped by Adobe. Back in 2012, I blogged about this incident and said “it couldn’t be long before bad guys exploited the update infrastructures of other vendors.” Supply chain attacks have continued and this is the scariest one yet.
In this real training for a free event, we will take you on a deep dive into SUNBURST and share everything we know including how:
- The attackers compromised the Orion build process to trojanize SolarWinds.Orion.Core.BusinessLayer.dll
- The malware works once it is deployed by a customer
- SUNBURST sits tight for a few weeks and then attempts to stealthily make contact with its controllers
- If directed, it then proceeds to move laterally through the network using a number of credential theft and impersonation techniques
Bring two tanks for this dive, because senior security researcher Chad Anderson from DomainTools will then take over and dissect SUNBURST’s C2 network traffic. There is a wealth of knowledge to be gleaned from this exploration.
- You will learn how SUNBURST tries to quietly find its C2 server using DNS infrastructure and communicate with it.
- We will explore how SUNBURST attempts to blend in by appropriating the Orion Improvement Program protocol for its own use as a “cover” protocol for encapsulating its C2 traffic.
The primary opportunity and responsibility for stopping supply chain attacks lies with the software vendor, which behooves them to protect their code base, build and code-signing processes, and distribution infrastructure like the proverbial Fort Knox. And I think SolarWinds and most enterprise software companies realize this.
But back in 2012 I also observed: “We can’t trust them to keep their infrastructures secure. After all, everyone is vulnerable to advanced persistent threats (APTs). But when companies are hacked it’s usually their own data that gets compromised. But with ISVs, it’s their users. Like one of my community members said, ‘if your ISV sneezes you get the pneumonia.’”
So, what can we do on our end of the supply chain? That’s something else we will discuss. Here’s a preview from security research by Chad’s colleague Joe Slowik:
“Monitoring is even more powerful when tracking external communications is combined with internal system awareness to quickly disposition what hosts are communicating to outside entities. In the case of the SolarWinds Orion software, identifying traffic from this service or its hosting device to new, unusual domains—even if using communication patterns similar to Orion telemetry—can rapidly identify connections that are abnormal and worth further scrutiny.”
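The baseline-and-deviation check Joe Slowik describes, as an added Python example that is not part of the original post or of DomainTools' tooling: it learns which domains the Orion host normally resolves during a known-good window, then flags later queries from that host to domains outside that set. The log layout, host names, dates and the placeholder C2 domain are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample resolver log (not real telemetry): "<ISO timestamp> <client host> <queried name>".
SAMPLE_LOG = """\
2020-12-01T10:00:01Z orion-srv01 api.solarwinds.com
2020-12-01T10:05:12Z orion-srv01 downloads.solarwinds.com
2020-12-02T09:30:00Z orion-srv01 api.solarwinds.com
2020-12-03T11:00:00Z orion-srv01 dc01.corp.example
2020-12-20T03:14:07Z orion-srv01 x7q2lk9d.api.c2-placeholder.example
2020-12-20T03:20:07Z orion-srv01 api.solarwinds.com
2020-12-20T04:00:00Z workstation17 news.some-site.example
"""

CUTOFF = datetime(2020, 12, 10, tzinfo=timezone.utc)  # end of the known-good learning window (constructed)
MONITORED_HOSTS = {"orion-srv01"}                     # hosts running the Orion service (constructed name)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Return (timestamp, host, qname) or None for lines that do not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3).lower().rstrip(".")

def registrable_domain(qname):
    """Approximate the registrable domain as the last two labels (a simplification; use a public-suffix list in production)."""
    return ".".join(qname.split(".")[-2:])

def build_baseline(log_text, cutoff):
    """Learn, per host, the set of registrable domains queried before `cutoff` (the known-good period)."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] < cutoff:
            baseline[rec[1]].add(registrable_domain(rec[2]))
    return baseline

def detect_new_domains(log_text, baseline, cutoff, monitored_hosts):
    """Flag queries at or after `cutoff` from monitored hosts whose registrable domain never appeared in that host's baseline."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec[0] < cutoff or rec[1] not in monitored_hosts:
            continue
        domain = registrable_domain(rec[2])
        if domain not in baseline[rec[1]]:
            alerts.append({"time": rec[0].isoformat(), "host": rec[1], "qname": rec[2], "new_domain": domain})
    return alerts

def run_demo():
    """Build the baseline from the sample log and return the alerts raised for the monitored Orion host."""
    return detect_new_domains(SAMPLE_LOG, build_baseline(SAMPLE_LOG, CUTOFF), CUTOFF, MONITORED_HOSTS)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the query to the previously unseen placeholder domain is flagged; the Orion host's routine vendor and domain-controller lookups, and the unmonitored workstation, are not.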
DomainTools will finish by conducting further analysis of the SolarWinds supply chain incident within the Iris investigation platform.
Please join us for this real training for a free event.