As more CISOs using SolarWinds’ Orion network management suite investigate the possibility of infected updates, Microsoft this morning began blocking applications with malicious SolarWinds binaries, a move that may cause headaches with other software, servers and PCs.
Microsoft Defender Antivirus is now putting those malicious binaries into quarantine, even if the process is running. “We also realize this is a server product running in customer environments,” Microsoft said in a recent blog post. The company added, “it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.”
Specific recommendations include:
- Immediately isolating the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identifying the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigating how the affected endpoint might have been compromised.
- Investigating the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
If service interruption is not possible, Microsoft said, its customers must act to exclude SolarWinds binaries. This should be a temporary change that you should revert as soon Orion has been updated with fixes from SolarWinds or complete an investigation.
However, Ed Dubrovsky, managing partner of Toronto-based incident response firm Cytelligence, urged organizations with Orion not to shut down their network monitoring capabilities. “At a time when cyberattacks are at a pandemic level, you do not want to go blind. However, implement some controls around what Orion is allowed to do and communicate.” That includes:
- Ensuring you understand what domains the backdoor is calling out to, and block these. There are plenty of other articles speaking about the technical aspect of the vulnerability.
- Patching the software and monitor for additional patches that will likely be released shortly.
- Begining an investigation going back to early this year, to assess whether your organization was actually compromised and whether any other persistence mechanisms were installed or whether the lateral movement can be identified. If any signs of intrusion are identified, get a DFIR firm involved to assess the damage and preserve artifacts.
On Tuesday, SolarWinds released the second hotfix for Orion after the company acknowledged over the weekend Orion software builds for versions 2019.4 through 2020.2.1, released between March and June had been compromised to allow the installation of a backdoor. The company has a FAQ page here.
SolarWinds estimates that of the 33,000 customers that use fewer than 18,000 installed the bad update. News reports also suggest those who created the malware exploited a small number of that. However, victims are believed to include some U.S. government departments and major companies such as cybersecurity firm FireEye.
Microsoft dubs the malware Solorigate. FireEye calls it Sunburst and issued a detailed examination of how it is exploited.
The Canadian Cyber Security Centre urges CISOs to follow the following FireEye advice: Ensure that SolarWinds servers are isolated and contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
- If SolarWinds infrastructure is not isolated, consider taking the following steps:
- Restrict the scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
- Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
- Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure. Based upon further review/investigation, additional remediation measures may be required.
- If SolarWinds is used to managed networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
According to ZDNet, Microsoft, FireEye and GoDaddy seized and shut a domain used by the malware to communicate with a command and control server. That stops the attackers from using that domain to communicate with infected servers. In a statement FireEye called this a killswitch. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”
The SANS Institute also said there are lessons for CISOs who are running any network management system, including making sure that you’re not using domain accounts where unneeded, and that services can only reach necessary components, including restricting Internet access to only where explicitly needed.
Meanwhile, the Washington Post ran a story questioning why the U.S. government’s vaunted Einstein intrusion detection platform missed the exploitation. Einstein is run by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The story says agency officials told congressional staff Monday that the system did not have the capacity to flag the malware that was signalling back to its masters.
In addition security vendor Volexity recounts its work fighting an attacker at an unnamed U.S. think tank that used Orion which may shed more light. Volexity worked three separate incidents involving a group it calls Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July of this year.