Cyberattack response: How organizations can manage the SUNBURST hack
The monthslong SUNBURST cyberattack is leaving governments and corporations scrambling to react to compromised information and data
December 18, 2020
What is SUNBURST?
SUNBURST is a trojanized DLL implanted into recent updates of the SolarWinds Orion platform; it creates a backdoor into any system that installs the update. It is unclear how many of SolarWinds’ 300,000 customers’ systems may have been attacked, but the attack appears to stretch back months. Based on the level of sophistication of the attack, it is believed to be the work of an attacker targeting specific government and critical infrastructure organizations as well as businesses with valuable intellectual property.
SUNBURST risk to organizations
The SUNBURST exploit is believed to be the work of a state-sponsored attacker. The attackers are believed to be targeting valuable intellectual property and government intelligence information, with a focus on organizations in the following industries: pharmaceutical research, government intelligence, aerospace, oil and gas, and other critical infrastructure.
The attacker is not thought to be financially motivated; ransomware and data extortion have not been part of the activity. As such, the risk of impact is low for the majority of affected organizations that do not hold data relating to those activities.
What products are affected?
- SolarWinds Orion Platform
  - Affected versions:
    - 2019.4 HF 5
    - 2020.2 (no hotfix)
    - 2020.2 HF 1
How to check version and hotfixes
SolarWinds recommended mitigations
- If using versions 2020.2 (no hotfix) or 2020.2 HF 1:
  - Upgrade to Orion platform version 2020.2.1 HF 1
  - Available here
- If using version 2019.4 HF 5:
  - Upgrade to Orion platform version 2019.4 HF 6
  - Available here
- A new hotfix, 2020.2.1 HF 2:
  - This will include fixes for the compromise as well as additional security enhancements
  - Available here
- Instructions for mitigating effects if Hotfixes cannot be applied right away:
Additional West Monroe recommended mitigations
- Isolate SolarWinds servers and infrastructure until further remediation can be done. Block all outbound internet connections from associated systems
- If SolarWinds infrastructure cannot be isolated:
  - Restrict connections to endpoints from SolarWinds servers
  - Restrict accounts that have administrative privileges on SolarWinds servers
  - Block outbound internet connections from servers and other endpoints with SolarWinds software
- At a minimum, change passwords for accounts that have access to SolarWinds servers and infrastructure. Ideally, perform a full reset of all credentials in the environment and a double reset of the KRBTGT account password
SUNBURST attack kill chain details
Delivery
- The SUNBURST exploit was delivered via trojanized updates to the SolarWinds Orion Platform
- These updates were posted on the SolarWinds update website with valid digital signatures from March to May 2020
Exploitation
- The specific exploit used was a trojanized DLL hidden in SolarWinds Orion updates
  - DLL name: SolarWinds.Orion.Core.BusinessLayer.dll
  - DLL MD5 hash: b91ce2fa41029f6955bff20079468448
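The DLL name and MD5 hash above are the file-level indicator most teams will want to sweep for first. The following is an added example, not code from the article or from SolarWinds, that streams every `.dll` under a directory tree through MD5 and reports any file matching the published hash. The directory path passed on the command line is an assumption; the hash and file name are the ones given above. The sample bytes used in the comment are constructed for illustration only.

```python
import hashlib
import os
import sys
from typing import List

# Indicators taken from the advisory above (the trojanized Orion business-layer DLL).
SUNBURST_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"
SUNBURST_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 in 1 MiB chunks so large DLLs are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_sunburst_dll(path: str) -> bool:
    """True if the file at `path` hashes to the published trojanized-DLL IoC."""
    return md5_of_file(path).lower() == SUNBURST_DLL_MD5


def scan_tree(root: str) -> List[str]:
    """Walk `root` and return the paths of every .dll whose MD5 matches the IoC.

    Every .dll is hashed rather than only files named SolarWinds.Orion.Core.BusinessLayer.dll,
    so a renamed copy of the same bytes is still reported. Files that cannot be read (locked by
    a running service, insufficient permissions) are skipped rather than aborting the sweep.
    """
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if is_sunburst_dll(full):
                    hits.append(full)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    # Assumed usage: python sunburst_dll_sweep.py <directory>; defaults to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_tree(target)
    if matches:
        print("SUNBURST IoC hash matched:")
        for m in matches:
            print("  " + m)
    else:
        print("No files under %s matched the SUNBURST DLL hash" % target)
```

A hash match is conclusive for the specific trojanized build; a non-match is not proof of a clean host, since the SolarWinds-recommended version and hotfix check above still applies and later builds of the same DLL would carry different hashes.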
Command and control
- Upon installation, the malicious DLL lies dormant for two weeks before making a DNS query for avsvmcloud[.]com
- The response to this DNS query returns information on the SUNBURST command and control infrastructure
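Because the implant waits two weeks before its first DNS lookup, the useful check is a retrospective search of DNS query logs for the first-stage domain rather than a live-only alert. The following is an added example, not code from the article, that runs such a check over constructed sample log lines in a generic "timestamp client query type name" shape (the format is an assumption; adapt the regular expression to your resolver's log layout). The defanged domain from the text is refanged in the constant so it can match real log data, and the match is suffix-based so that a lookalike such as `avsvmcloud.com.example.net`, which belongs to a different zone, is not flagged.

```python
import re
from dataclasses import dataclass
from typing import List

# First-stage SUNBURST C2 domain from the advisory (written defanged there as avsvmcloud[.]com).
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log; not real telemetry. Subdomain labels are made up.
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:07Z 10.20.5.14 query A updates.solarwinds.com
2020-12-14T02:11:09Z 10.20.5.14 query A example-label.avsvmcloud.com
2020-12-14T02:12:44Z 10.20.7.3 query A www.example.com
2020-12-14T02:13:01Z 10.20.5.14 query A avsvmcloud.com.example.net
2020-12-14T02:14:30Z 10.20.9.8 query AAAA AVSVMCLOUD.COM.
"""

# Assumed log layout: <timestamp> <client ip> query <qtype> <qname>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


@dataclass(frozen=True)
class DnsHit:
    timestamp: str
    client: str
    qname: str


def is_c2_domain(qname: str, c2_domain: str = SUNBURST_C2_DOMAIN) -> bool:
    """Match the C2 domain itself or any subdomain of it.

    Comparison is case-insensitive and ignores a trailing dot (FQDN form). Only an exact match
    or a '.<domain>' suffix counts, so 'avsvmcloud.com.example.net' is correctly rejected.
    """
    name = qname.rstrip(".").lower()
    return name == c2_domain or name.endswith("." + c2_domain)


def find_sunburst_dns_hits(log_text: str) -> List[DnsHit]:
    """Parse each log line and return the queries that resolve under the C2 domain.

    Lines that do not fit the assumed layout are skipped so one odd line does not stop the sweep.
    """
    hits: List[DnsHit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_c2_domain(m.group("qname")):
            hits.append(DnsHit(m.group("ts"), m.group("client"), m.group("qname")))
    return hits


def clients_to_isolate(hits: List[DnsHit]) -> List[str]:
    """Distinct client addresses that queried the C2 domain, in first-seen order."""
    seen: List[str] = []
    for h in hits:
        if h.client not in seen:
            seen.append(h.client)
    return seen


if __name__ == "__main__":
    found = find_sunburst_dns_hits(SAMPLE_DNS_LOG)
    for h in found:
        print("%s %s -> %s" % (h.timestamp, h.client, h.qname))
    print("clients to isolate: " + ", ".join(clients_to_isolate(found)))
```

Each flagged client maps directly onto the isolation step in the mitigations above: those hosts are the ones to cut off from outbound internet access first, and their credential reset takes priority.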