Two security vendors issued more details about the SolarWinds hack and abuse of its Orion network management platform.
Symantec says the list of malware pieces that could be delivered to victims of the SolarWinds Orion supply chain hack has grown to four. It found the new malware, a backdoor which it dubs Raindrop, was used against a select number of victims that were of interest to the attackers.
Raindrop is a loader that delivers a payload of the Cobalt Strike threat emulation software often used by infosec teams for penetration tests. It joins other malware used by the attackers, including the initial backdoor called Sunburst/Solorigate and another backdoor, deposited later, called Teardrop. The malware used to get into the SolarWinds network is called Sunspot.
Raindrop, Symantec says, is very similar to Teardrop. But while the initial Sunburst backdoor delivered Teardrop, Raindrop appears to be used for spreading across the victim’s network. The security firm also notes that it has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where Sunburst has already compromised at least one computer.
The attack by a threat group FireEye calls UNC2452 — believed by the U.S. to be of Russian origin — compromised updates downloaded by some 18,000 users of the Orion network management platform between March and August 2020. SolarWinds has evidence that the attack on its update mechanism started as early as the fall of 2019.
FireEye today also issued a report saying that the UNC2452 group used its access to on-premises networks to reach victims’ Microsoft 365 environments during certain attacks. In addition to issuing a detailed paper describing these attacks and how to harden Microsoft environments, FireEye released a free tool on GitHub named Azure AD Investigator. The tool is meant to help organizations determine whether the SolarWinds hackers got into their Microsoft 365 tenant.
In its report, Symantec describes how Raindrop was used against one victim. In early July 2020, Sunburst was installed through the SolarWinds Orion update, compromising two computers. The following day, Teardrop was added to one of them. That computer was found to have an Active Directory query tool and a credential dumper designed specifically for Orion databases. The credential dumper was similar to, but not the same as, the open-source Solarflare tool.
Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.
One hour later, the Raindrop malware installed an additional file called “7z.dll”. Symantec was unable to retrieve this file because, within hours, a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.
A pattern emerges
A second victim organization seen by Symantec had the Raindrop loader in late May. Several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop on additional computers in the organization.
In a third victim, Symantec says Raindrop was used to install a version of Cobalt Strike that didn’t have an HTTP-based command and control server. Instead, it was configured to use a network pipe over the Windows SMB (Server Message Block) protocol. Symantec theorizes the victim’s computer did not have direct access to the internet, so command and control was routed through another computer on the local network. Otherwise, the three Raindrop samples seen by Symantec used HTTPS communication.
FireEye’s report outlines how UNC2452 and other threat actors moved laterally to the Microsoft 365 cloud using a combination of four primary techniques:
- Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
- Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
- Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles, such as Global Administrator or Application Administrator.
- Backdoor an existing Microsoft 365 application by adding a new application or service principal credential to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
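Three of the four techniques above leave a trace in the Azure AD audit log: a changed federation trust, a new credential on an application or service principal, and a privileged role assignment. The following script, added here as an illustration and not part of FireEye’s tooling or report, scans constructed audit-log records for those changes; the operation names are assumed to match Azure AD’s activity names, and the accounts and timestamps are made up.

```python
"""Scan Azure AD audit-log records for the cloud-side changes FireEye
describes: a new federation trust / IdP, a credential added to an app or
service principal, and a privileged directory-role assignment.
The log lines below are constructed for this example; they are not real."""
import json

# Operation names assumed to match Azure AD audit-log activity names.
SUSPECT_OPERATIONS = {
    "Set federation settings on domain": "federation settings changed (possible rogue IdP)",
    "Set domain authentication": "domain authentication changed (possible rogue IdP)",
    "Add service principal credentials": "credential added to service principal (app backdoor)",
    "Update application - Certificates and secrets management": "credential added to application",
    "Add member to role": "privileged role assignment",
}
# Roles the report names as high-privilege targets of credential theft.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

def parse_audit_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Return a finding string for a suspect event, else None."""
    op = event.get("operationName", "")
    if op not in SUSPECT_OPERATIONS:
        return None
    if op == "Add member to role":
        role = event.get("role", "")
        # Helpdesk-style roles are routine; only flag the privileged ones.
        return f"privileged role assignment: {role}" if role in PRIVILEGED_ROLES else None
    return SUSPECT_OPERATIONS[op]

def find_suspect_events(events):
    """(time, actor, target, reason) for every event that matches."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev["time"], ev["initiatedBy"], ev.get("target", ""), reason))
    return findings

# Constructed sample log: one routine change, then a cluster of the changes described above.
SAMPLE_LOG = """
{"time": "2020-07-02T09:14:00Z", "operationName": "Update user", "initiatedBy": "hr-admin@example.test", "target": "jdoe@example.test"}
{"time": "2020-07-02T10:03:12Z", "operationName": "Set federation settings on domain", "initiatedBy": "svc-sync@example.test", "target": "example.test"}
{"time": "2020-07-02T10:05:40Z", "operationName": "Add service principal credentials", "initiatedBy": "svc-sync@example.test", "target": "Mail Archiver"}
{"time": "2020-07-02T11:20:05Z", "operationName": "Add member to role", "initiatedBy": "svc-sync@example.test", "target": "svc-backup@example.test", "role": "Global Administrator"}
{"time": "2020-07-02T11:25:00Z", "operationName": "Add member to role", "initiatedBy": "hr-admin@example.test", "target": "jdoe@example.test", "role": "Helpdesk Administrator"}
"""

if __name__ == "__main__":
    for finding in find_suspect_events(parse_audit_log(SAMPLE_LOG)):
        print(" | ".join(finding))
```

In a real review the findings would be compared against change tickets, since each of these operations is also something a legitimate administrator does; the value is in an unexpected actor or a burst of them from one account, as in the sample.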
“It is important to note that there is no formal security boundary between on-premises networks and cloud services provided by Microsoft 365,” FireEye warned. “If an organization discovers evidence of targeted threat actor activity in their on-premises network, a thorough review of the cloud environment is often necessary as well.”