IT World Canada

How the SolarWinds hackers managed to conceal their movements


How did they get away with it? That’s the question many infosec pros have been asking since the stunning revelation that a threat actor compromised the SolarWinds Orion build and update process to deliver a backdoored version of the network management platform to its customers.

The answer, Microsoft said in a blog this week, was by “painstaking planning of every detail to avoid discovery.”


One missing link in the attack, according to the researchers, is the handover from the initial backdoored DLL in SolarWinds Orion (called Solorigate by Microsoft and Sunburst by FireEye) to the custom Cobalt Strike loaders that followed it, known as Teardrop and Raindrop. The questions are: what code gets triggered, and what indicators should defenders look for?

“Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection,” the researchers wrote.

First, to give perspective, a timeline:

Assuming the Solorigate backdoor was designed to stay dormant for at least two weeks, Microsoft suggests that the attackers spent a month or so selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. That is why it believes hands-on-keyboard activity by the attackers started in May.

“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets,” Microsoft suspects. At that point the objective shifted to operating inside selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants.

The Solorigate backdoor only activates for certain victim profiles, the researchers found. When it does, the executing SolarWinds process writes two files to disk: a VBScript, and a second-stage DLL that is a Cobalt Strike loader custom-built for that victim. At this point the attackers were ready to activate the Cobalt Strike implant.

“However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s execution from the SolarWinds process as much as possible. Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.”

The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for dllhost.exe, a legitimate Windows process that is not part of Orion. IFEO injection is a known MITRE ATT&CK technique (T1546.012), usually discussed as a persistence mechanism, but it can equally be abused to trigger malicious code whenever a chosen process is launched: Windows starts the program named in the Debugger value instead of the original binary and passes it the original command line.

Once the registry value was created, the attackers simply waited for the routine execution of dllhost.exe. That launched wscript.exe to run the dropped VBScript, which in turn used rundll32.exe to load the Cobalt Strike DLL, giving the loader a clean parent/child process tree with no connection to the SolarWinds process. Finally, the VBScript removed the previously created IFEO value to clean up traces of execution and deleted registry keys related to the HTTP proxy configuration.
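To show what this handoff looks like from the defender's side, here is an added example (not code from the article or from Microsoft) that hunts for its observable steps in Sysmon-style telemetry: a Debugger value written under Image File Execution Options, a script host whose command line carries the hijacked program's own path, a loader whose parent is that script host, and the later deletion of the value. The events are constructed to resemble flattened Sysmon records; the host names, file names and GUID are invented.

```python
"""Hunt for an IFEO Debugger handoff in Sysmon-style telemetry.

Added example (not code from the article or from Microsoft). Records mimic
flattened Sysmon events: ID 13 (registry value set), ID 12 (key/value deleted)
and ID 1 (process create). Hosts, paths and the GUID are constructed.
"""
import re

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\(?P<victim>[^\\]+)\\Debugger$", re.I)
EXE_NAME = re.compile(r'([^\\\s"]+\.exe)', re.I)  # first .exe token in a Debugger value
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}

EVENTS = [  # constructed sample telemetry, not real incident data
    # 1. The SolarWinds process plants a Debugger value for dllhost.exe.
    {"id": 13, "time": "2020-06-02T10:01:12", "host": "orion01",
     "image": r"C:\Program Files\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "target": IFEO + r"\dllhost.exe\Debugger", "details": r"wscript.exe C:\Windows\Temp\example.vbs"},
    # 2. Later, something starts dllhost.exe; Windows runs the "debugger" instead
    #    and appends dllhost's own command line to it.
    {"id": 1, "time": "2020-06-02T10:47:30", "host": "orion01",
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wscript.exe C:\Windows\Temp\example.vbs C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    # 3. The VBScript loads the Cobalt Strike DLL through rundll32.
    {"id": 1, "time": "2020-06-02T10:47:31", "host": "orion01",
     "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"rundll32.exe C:\Windows\Temp\example.dll,Run"},
    # 4. The VBScript removes the Debugger value again.
    {"id": 12, "time": "2020-06-02T10:47:32", "host": "orion01",
     "image": r"C:\Windows\System32\wscript.exe", "target": IFEO + r"\dllhost.exe\Debugger"},
    # Benign noise: a developer attaching a real debugger, and a shell-launched rundll32.
    {"id": 13, "time": "2020-06-02T11:00:00", "host": "dev07", "image": r"C:\Windows\regedit.exe",
     "target": IFEO + r"\myapp.exe\Debugger",
     "details": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"},
    {"id": 1, "time": "2020-06-02T11:05:00", "host": "dev07",
     "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_ifeo_debugger_writes(events):
    """Every Debugger value set under IFEO (ATT&CK T1546.012) deserves a look;
    a script host or LOLBin posing as the debugger is high severity."""
    findings = []
    for e in events:
        m = IFEO_DEBUGGER.search(e["target"]) if e["id"] == 13 else None
        if not m:
            continue
        exe = EXE_NAME.search(e["details"])
        debugger = exe.group(1).lower() if exe else e["details"].lower()
        findings.append({"host": e["host"], "time": e["time"], "victim": m["victim"].lower(),
                         "debugger": debugger, "writer": basename(e["image"]),
                         "severity": "high" if debugger in SCRIPT_HOSTS | LOADER_HOSTS else "medium"})
    return findings


def find_handoff_chains(events, ifeo_findings):
    """Correlate the planted value with what it triggers: the hijacked program's
    path appears in the script host's command line, and the loader's parent is
    the script host rather than anything SolarWinds-related."""
    victims = {(f["host"], f["victim"]) for f in ifeo_findings}
    chains = []
    for e in events:
        if e["id"] != 1:
            continue
        image, parent = basename(e["image"]), basename(e.get("parent_image", ""))
        cmd = e["command_line"].lower()
        if image in SCRIPT_HOSTS and any(h == e["host"] and v in cmd for h, v in victims):
            chains.append({"host": e["host"], "time": e["time"], "image": image,
                           "stage": "ifeo-triggered script host"})
        elif image in LOADER_HOSTS and parent in SCRIPT_HOSTS:
            chains.append({"host": e["host"], "time": e["time"], "image": image,
                           "stage": "loader spawned by script host"})
    return chains


def find_ifeo_cleanup(events, ifeo_findings):
    """A planted Debugger value deleted again on the same host is the
    'remove traces' step; the set/delete pair is itself a strong signal."""
    planted = {(f["host"], f["victim"]) for f in ifeo_findings}
    cleaned = []
    for e in events:
        m = IFEO_DEBUGGER.search(e["target"]) if e["id"] == 12 else None
        if m and (e["host"], m["victim"].lower()) in planted:
            cleaned.append((e["host"], m["victim"].lower(), basename(e["image"])))
    return cleaned


def hunt(events):
    writes = find_ifeo_debugger_writes(events)
    return {"ifeo_writes": writes, "chains": find_handoff_chains(events, writes),
            "cleanup": find_ifeo_cleanup(events, writes)}


if __name__ == "__main__":
    for kind, items in hunt(EVENTS).items():
        for item in items:
            print(kind, item)
```

Run against the constructed events, the developer's windbg.exe entry is reported at medium severity and the shell-launched rundll32.exe is ignored, while the orion01 sequence yields a high-severity IFEO write, both stages of the wscript.exe to rundll32.exe chain, and the cleanup of the same value. In production the same three checks map onto Sysmon or EDR registry and process events; the correlation on the hijacked program's path is what separates an IFEO trigger from an ordinary script launch.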

Among other tricks, the attackers used these sneaky tactics:

In a blog post today, Joe Slowik, a senior security researcher at DomainTools, argued that the evasive techniques Microsoft documented show that relying on indicators of compromise to detect attacks like this will fail. Instead, he said, infosec pros should combine signs of unusual internal network behaviour with evidence of unusual external communications.

“For example, rather than simply responding to any instance of ‘new’ network items observed, organizations may limit this response to critical services, servers, or network enclaves (e.g., the subnet containing numerous infrastructure devices),” he wrote. “Proper network segmentation, asset identification and asset tagging to identify critical items, such as SolarWinds Orion servers or various items such as email servers or Domain Controllers, can allow for focused response when a significant asset initiates a previously unseen external connection.

“The theoretical alerting scenario … where internal and external enrichment are combined to yield high-confidence, high-fidelity alarms, may appear out of reach for many organizations–but given advances in adversary tradecraft, it represents where we as defenders must drive operations. Although initially difficult to create, given both the network engineering and segmentation requirements for an accurate asset or network enclave detection, as well as the establishment of logging and enrichment pipelines for observed network indicators, once in place, an organization will find itself on a much more robust and powerful security footing.”
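The focused alerting Slowik describes can be sketched in a few dozen lines. The following is an added example, not code from the article, from Slowik or from DomainTools: it keeps a per-asset baseline of external destinations, raises a first-seen external connection to an alert only when the source asset carries a critical tag, and lets a destination-age enrichment decide the confidence. The asset inventory, flow records, addresses, and domain ages are all constructed, and the internal address ranges are assumed to be the RFC 1918, loopback and link-local networks.

```python
"""First-seen external connections from tagged critical assets.

Added example (not from the article, Slowik or DomainTools). Inventory, flows,
addresses and enrichment data are constructed; the flow source is assumed to
be resolved to a host name already (e.g. from Zeek conn.log plus DHCP/AD).
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # assumed internal ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

ASSETS = {  # constructed inventory: tags and enclave come from asset management
    "orion01": {"tags": {"critical", "netmgmt"}, "enclave": "infra-mgmt"},
    "dc01": {"tags": {"critical", "identity"}, "enclave": "identity"},
    "ws-0412": {"tags": {"user-endpoint"}, "enclave": "users"},
}
BASELINE = {  # constructed: external destinations each host has contacted before
    "orion01": {"203.0.113.10"},
    "dc01": set(),
    "ws-0412": {"198.51.100.20"},
}
DOMAIN_AGE_DAYS = {  # constructed external enrichment: age of the domain behind each IP
    "192.0.2.55": 12,
    "203.0.113.10": 2400,
    "198.51.100.77": 1800,
}
FLOWS = [  # constructed flow records
    {"ts": "2020-06-03T02:10:00", "src": "orion01", "dst": "203.0.113.10", "port": 443},  # known
    {"ts": "2020-06-03T02:11:00", "src": "orion01", "dst": "192.0.2.55", "port": 443},    # new, young
    {"ts": "2020-06-03T02:12:00", "src": "orion01", "dst": "10.20.0.5", "port": 161},     # internal
    {"ts": "2020-06-03T02:13:00", "src": "ws-0412", "dst": "198.51.100.77", "port": 443}, # new, endpoint
    {"ts": "2020-06-03T02:14:00", "src": "dc01", "dst": "198.51.100.77", "port": 443},    # new, critical
    {"ts": "2020-06-03T02:15:00", "src": "dc01", "dst": "198.51.100.77", "port": 443},    # repeat
]


def is_external(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(flows, assets, baseline, domain_age, young_days=30):
    """Return (alerts, review). Only the first sighting of an external destination
    per host counts; only critical-tagged assets become alerts, with confidence
    raised when the destination's domain is younger than young_days."""
    seen = {host: set(dsts) for host, dsts in baseline.items()}
    alerts, review = [], []
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal traffic is handled by other analytics
        host_seen = seen.setdefault(f["src"], set())
        if f["dst"] in host_seen:
            continue
        host_seen.add(f["dst"])  # alert once, then it is part of the baseline
        asset = assets.get(f["src"], {"tags": set(), "enclave": "unknown"})
        record = {"ts": f["ts"], "src": f["src"], "dst": f["dst"], "port": f["port"],
                  "enclave": asset["enclave"], "domain_age_days": domain_age.get(f["dst"])}
        if "critical" not in asset["tags"]:
            review.append(record)  # noise for most orgs; keep for hunting, do not page
            continue
        age = record["domain_age_days"]
        record["confidence"] = "high" if age is not None and age < young_days else "medium"
        alerts.append(record)
    return alerts, review


if __name__ == "__main__":
    alerts, review = triage(FLOWS, ASSETS, BASELINE, DOMAIN_AGE_DAYS)
    for a in alerts:
        print("ALERT", a["confidence"], a["src"], "->", a["dst"])
    for r in review:
        print("review", r["src"], "->", r["dst"])
```

With the constructed data the Orion server's first contact with a 12-day-old destination becomes a high-confidence alert, the domain controller's first contact with a long-established destination becomes a medium one, and the user endpoint's new destination is merely logged for review. The segmentation and tagging work Slowik calls for is what makes the ASSETS table trustworthy; without it, every host is "unknown" and the analytic degrades to the noisy new-destination alerting he warns against.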
