Solarwinds Orion Hack December 2020

Captions
Tom here from Lawrence Systems. It is December 14th, roughly a little after 9 a.m. Eastern Standard Time, and time matters because this is what we know right now about this SolarWinds compromise. Specifically, we're going to start with what got compromised, because I think we need to get that out of the way: yes, I do use SolarWinds, but no, I don't use this particular product. "One platform to rule your IT stack" is a great slogan, and maybe what attracted these threat actors. Even more so, it attracted them with the fact that this particular tool, the SolarWinds Orion platform, is prolific. It is used by governments; it is used by, well, most of the companies in the Fortune 1000 list probably have this running. I believe I've seen somewhere that 400 out of the 500 Fortune 1000 companies have said they run it. They've got a really extensive, big customer base. It is actually a really good product; that's also what makes it a really big target.

Now, as I stated, to our knowledge, and as of the time I stated here, we know that this was compromised. That's a fact. Right now there are no absolutes in anything, but to our knowledge there has been no attack on the SolarWinds MSP tool. That is a separate stack, a separate tool. Even though, yes, SolarWinds is a massive, big company with lots of employees, it doesn't mean if you got into one spot you got into all the spots. Also, what the attackers were after gives us a little bit of an idea of whether or not they're just trying to be some ransomware gang and deploy this, or are they trying to be someone who performs espionage. More along those lines is what we're thinking here, because they did a lot to hide the fact that they did anything. As a matter of fact, this was kept quiet for so long: the compromise appears to have happened all the way back in March 2020, and we're only finding out about it now in December. They've done everything they can, these threat actors, to keep this under wraps. Now they're burned, and now everyone's reversing, figuring out where this attack occurred, going through logs, finding out any of this stuff. And that's what we're going to dive into: what this attack is.

So, as I stated, it does not appear to be anything related to the SolarWinds MSP. It is very, very focused, because SolarWinds actually has a large array of products; it is very focused on one specific product, and as a matter of fact a very niche compromise inside that product, one that is very careful about the targets it chooses. Let's dive into this. FireEye has an absolutely solid and detailed write-up, so that's a great place to start here, not any of the news that, well, doesn't always understand technology. The people at FireEye get it, and yes, I'm aware they got hit a few days ago, but that doesn't mean that they don't still do really top-notch research. Despite the fact that they themselves were the subject of a cybersecurity incident, they're also a big company, they do really good intel work, therefore they've got a big target on their back as well. It doesn't compromise the fact that their research is a really solid write-up here: "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor." I like the name SUNBURST, you know, playing on the SolarWinds. They have an executive summary: we have discovered a global intrusion campaign; we are tracking the actors behind the campaign as UNC. When you don't know attribution, a name and numbers are assigned, and now all the fun of attribution starts. And I say "fun" because it is very speculative in the beginning. You have to look at what they're after, where they came from, how they obscured things, maybe some code signatures, and, you know, it's not an easy thing. Doesn't mean infosec Twitter is not having a great time speculating and pointing fingers and posting memes, and I've been participating in that, but we're going to stay with the facts over here at FireEye, and we're going to list Microsoft as a source as well.

FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. Now specifically, this was in the updates. We don't know that they got inside of and compromised, let's say, an employee at SolarWinds. We don't know if they compromised an employee's computer and injected things in there. There's a lot of speculation around that, and it's not going to come out right away exactly what happened. It's going to take some time, some investigation; they want to be very, very thorough, because you really don't want to blame an employee for a global attack when maybe just their computer was compromised, maybe something happened in an individual. But obviously supply chain attacks are really tough to do and really tough to defend against as well. And what I mean by that is any well-funded threat actor can't actually just buy off employees. Not everyone, and people have high standards and morals, and it's not as easy as people might think. But if you have a disgruntled person there, yeah, that's obviously a potential. We've seen this happen to Tesla earlier this year, when a million-dollar bounty was offered to someone inside to compromise Tesla's systems, and they even gave him a ten-thousand-dollar deposit. Now the good news is we know about this because the person also contacted authorities and busted the threat actor trying to espionage them. But these attacks are real, they happen, and sometimes we don't know when they happen to someone. Someone just exfils data and it was espionage, because it wasn't used for an attack, so it happens quietly when you don't even know. This is actually crazy, because it happened, like I said, all the way back in March of 2020, and here we are in December just now talking about it. Now all the updates and signatures are out, so if you haven't updated, go update, and your security tool stacks should be finding all these as well. Now let's dive into a little bit of what this does and why it was so hard to detect, because a lot of people are wondering why it was so hard, and we'll dive into it: there's actually a lot of trickiness, because they did a lot to evade any type of detection.

FireEye uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to the SolarWinds Orion IT monitoring and management software. The campaign may have begun as early as spring 2020 and is currently ongoing. Post-compromise activities following this supply chain compromise have included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security, as in, they don't know who these people are, and it's really crazy how much obscurity; we'll get into that in a second. But the backdoor itself: you're wondering why, why didn't the antivirus companies just pick up some change in a file? And this is the answer right here: the digital signature information. "The digital signature is OK." That is not what you want to hear when you know something is a known vulnerability and a known compromised trojan backdoor. So this right here is the fact that they stole access; they were able to get signing, so they could sign the code that was malicious as if it was from SolarWinds. This is why it's referred to as a supply chain attack, because that trust from the SolarWinds cert came down and you go, "I can just trust it, it's from SolarWinds," a company that, well, we didn't know was compromised. And this is actually true for all the different signing certificates. As a matter of fact, there's been other times when people work really hard to get these signing certificates, and there's been some compromises when someone figured out a way to fool it before, in Microsoft a while back, and that's why that was such a serious vulnerability itself, because once it's been signed, that kind of puts it to rest that we know whatever code is in there, because it's closed source and we don't really know what it's doing. We can only look at its behavior, but that's not a reason to flag it; we said they signed it, they are a trusted source, therefore we'll trust them. This is the same reason you let employees in: they're trusted, you let them in, you don't let the general public wander around in your network. Same thing, it's kind of the same concept.

Now let's get in depth on the malware analysis. SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds-signed plug-in component of the Orion software framework that contains an obfuscated backdoor with communications via HTTP to third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands called "jobs" that include the ability to transfer and execute files, profile the system and disable system services. The backdoor's behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the SolarWinds Orion Improvement Program protocol and storing reconnaissance results within the plug-in configuration. The backdoor uses multiple block lists to identify forensic and anti-virus tools via processes, services and drivers. Now that's something really to think about here, because the question will become, well, don't people monitor the perimeter, in what they refer to as the north-south of all the ingress and egress traffic, and look for, you know, some weird domain being used? Not so easy. One, the volume of information is absolutely incredible. Now, as soon as someone finds out a C2, a control server, is compromised, as bad, like we know that this is a bad IP address where data goes, or a bad domain name where bad data goes, oh yeah, that gets on the list. But what if you don't know? What if this tool, one, it sits for two weeks without doing a thing? So if you wanted to even play with this right now, if you wanted to download it and load it on your computer, it sits for two weeks without doing anything. So that's going to make it kind of hard. There's timers on it, it looks for other antivirus tools, it probably has a lot of anti-sandbox detection tools, and this is what we're seeing in really advanced malware, where it determines if it's in a researcher's lab or if it's actually on an important network where it wants to do its thing. Therefore it's hiding, and really hiding well, where unless we have a signature to identify it, it's just a normal DLL file. And actually, because that DLL file still does its normal things, there's no reason to think it's compromised. This is a really skilled threat actor to be able to do this; this is like checking a lot of boxes.

And someone may wonder, why did it do HTTP traffic? Well, some monitoring systems just really simply send out HTTP traffic because it looks less suspicious, because there's no signing cert; it just sends out some data and it looks like some type of analytics data. And we know our tools send a lot of analytics data; sometimes they have to send analytics data. Before all of you say, "Well, shouldn't you turn off all analytics data sent by these tools?" No, this is still part of the tool improvement program, and obscuring it kind of flowed in the same stream as that. Pretty good way to hide it, and also why this took so long to do. So: the domain generation algorithm is performed by DNS requests; CNAME responses point to the C2 domain for the malware to connect to; the IP block of A record responses controls the malware's behavior; command and control traffic masquerades as the legitimate Orion Improvement Program; code hides in plain sight by using fake variable names and tying into legitimate components. That's just, yeah, sending out data that even looks like SolarWinds Orion data. So if you did some traffic inspection, yeah, that's just some analytics data, just like the other analytics data that came out of the same tool, the same program. This is really, wow, I mean, that's really interesting.

Now, one thing I did dive into a little bit here, and this is a graph I created over at VirusTotal; I'll leave a link to this as well. Here is the root node, where we started with avsvmcloud, and what these are is things like relations to historical things, such as whois. So here's the whois; whois says this was actually registered on 2018-07-25, so we're talking July of 2018 as registration, and each one of these represents registration updates, which include registration updates all the way to here. Now if you look at the admin email, it's Domains By Proxy; it seems to indicate, obviously, they obscured everything. This isn't their email address, but if I'm not mistaken they create a unique one for each. So these are different times when things were changed and moved for this particular domain. So this takes a lot of careful planning. This is an attack that's been going on for years, with little grains of sand to build up to where we are today, and I'll leave a link to it. As I said, you can go through and see some of the different IP addresses that point to, historically, some of the different places. And if you're wondering, yes, it did happen to connect to Microsoft Corporation based on this, and I don't have the full history. This is something Microsoft has to answer; they probably moved it around between different servers, and there's no reason not to host something like this in one of those major cloud companies, because, well, that's how you obscure it. It's going to normal places that you expect data to flow to, because lots of people run workloads inside of Azure. And it's creating different DNS entries; that's what these are here, the different DNS entries that were created. My guess is each day, essentially, you probably had the relation, as far as from the threat actor's standpoint, to the different compromised places, and the way they wanted to dig into information on that. Let's go back over to the write-up.

Now, the delivery and installation was through an update. That's important, because when it would pull this update it would grab that file, that one we talked about here. Authorized system administrators fetch and install updates to SolarWinds Orion via packages shared by the SolarWinds website; the update package Core 2019, etc. And that's how they got on there. And then the initialization: on execution of the malicious SolarWinds code, the sample only executes if the file system write time of the assembly is at least 12 to 14 days old. Like I said, it just sits there for two weeks. Then we scroll down to the DGA, the block list, the command and control, the steganography. This is where things get obscure, because this is where FireEye did a great job of listing this out. In observed traffic, these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across many GUID and hex strings present. Basically they're sending regular data and then they're hiding a few things. This is the debrief of what they reverse engineered, of what each of these do from the command and control server. So you're hiding a bunch of data, and then, you know, dropping a little bit of commands back and forth in there, so it looks like completely benign things with a few extra. And who has not looked at something in your XML data and gone, "You know, there might be something extra in here, I don't know, I understand this part of the XML but I don't know, the developer clearly had some other piece in here"? And that other piece turned out to be the command and control. And they break down some of the other pieces, acknowledgements, and those details.

Now let's go over to Microsoft, and I mentioned the write-up: what did they actually go after? And this is where things got a little bit scary, because they were using this SAML. And for those who don't know what SAML is, really briefly: Security Assertion Markup Language tokens, an XML representation of claims. It's a way to mint security and then build trust around that. So it takes high levels of privilege to do this; people of high-level privilege run Orion, therefore they mint the SAML, and then they build these tokens and then set those expiration dates to people to have access to other things. This includes forging a token that claims to represent a highly privileged account in Azure AD. This is where things get really scary, because it's not like they're just taking over local; they're also moving into any of the cloud workloads that these places have that have been compromised with Orion. So this is a really in-depth building of long-term access, and it gets a little bit harder, because how are you going to know what happened? If you suddenly find a new user, you're like, "Oh, there's a new user, I wonder who did that." We start logging it, but if we don't understand the source of that user, you could remove that user and then that user shows up again after some period of time, or a new one, and that becomes a really confusing part of the way this is done. Because if you didn't know the SolarWinds tool is compromised, you're not sure where that's happened, so there's all these little suspicious things, and this is really a challenge to find, and this is why this was so hard to validate. And of course they have recommended defenses; they have an update, same thing that you have for the write-ups, and the same SolarWinds compromises are listed here in Microsoft that were listed over on FireEye.

Now another thing I will point out, which is right here, and this was nine hours ago. As I said, time is of the essence: this was only one engine detecting it on VirusTotal, and let's refresh the page. Now we're at 22 engines detected as of right now, at 9:45 a.m. EST. So it is making the rounds, making the news; all the antivirus engines are getting updated very quickly to look for this, to find this. There's going to be tons of people digging through their logs. I know a few people that are SOC analysts, as in security operations centers, and these places keep massive amounts of logs. They're going to go and reverse, looking through this, and determine, you know, where all these things were: did we have any lookups in there, do we not know, were we part of this compromise? It's a pretty big deal, and it really shakes the heart of the IT industry when a product the scale and scope of SolarWinds Orion, that is used, as I said at the beginning, in many, many companies, gets compromised.

So I plan to do more videos on this, or at least tweet about it, and more updates if we learn something new that is, you know, of value, of information. But as I stated, kind of a summary: we don't know of any of the SolarWinds MSP tools that I use being compromised. Just the fact that SolarWinds at all had an issue of course gets my ears going, going, "What? Huh? You know, let's dig into this." I feel pretty confident that they have a good team internally and that this was such a high-level actor. It's not like it was just some kid compromising it; that seems very unlikely at this point right now, especially at the layers that they did this, the levels of obfuscation, how difficult this attack probably was to pull off, and that they've done everything they can to really, really make it hard to evade detection. Now exactly how they were discovered, if someone actually asked me that, I don't know that for certain right now. I think that'd be interesting, but FireEye certainly has some really deep insight, and it takes some really talented threat researchers. And trust me, the community, I've been talking with some of them since early this morning, people like Kyle, whose tweet I had shared over here, Kyle over at Huntress Labs. Trust me, all the big names in security, all of them are working together against this threat actor, whoever they might be. The teams are in full force, and people way smarter than me are working and digging into this and tweeting it. So follow Kyle, follow, you know, some of these hashtags, SUNBURST, and you'll find some more information. It's going to be interesting, and thanks. I'll leave links to everything I talked about, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
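As an added example, not part of the video or of FireEye's write-up: a small Python detector for the behaviour the video describes, DGA-style beaconing over DNS and a CNAME answer handing the implant off to a C2 host, run over a constructed resolver log. The parent domain, log format and thresholds are placeholders and assumptions; substitute the real domain from the FireEye write-up.

```python
import math
import re

# Placeholder: substitute the DGA parent domain from the FireEye SUNBURST write-up.
WATCHED_PARENT = "dga-parent.example"

# Heuristic thresholds (assumptions; tune per environment). The beaconing labels in
# this campaign were long strings of letters and digits, so label length and
# character entropy are the two cheap signals available in a resolver log.
MIN_LABEL_LEN = 16
MIN_ENTROPY_BITS = 3.4

# Constructed sample resolver log (not real telemetry): time, client, name, type, answer.
SAMPLE_DNS_LOG = """\
2020-12-14T09:01:12Z 10.0.5.21 updates.microsoft.com A 13.107.4.50
2020-12-14T09:02:05Z 10.0.5.21 www.solarwinds.com A 104.16.0.1
2020-12-14T09:03:40Z 10.0.5.21 r1q8h0k2l5n7pq9v3m2c4f6d8.api.region-1.dga-parent.example A 20.140.1.10
2020-12-14T09:04:02Z 10.0.5.21 k3j9x2m8p5q1w7e4r6t0y2u5i.api.region-2.dga-parent.example CNAME c2-host.example
2020-12-14T09:05:11Z 10.0.7.9 mail.internal.corp A 10.0.1.5
2020-12-14T09:06:30Z 10.0.7.9 zp4q8w1e6r3t9y2u5i0o7p2a1s.cdn.example A 203.0.113.9
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA|CNAME|TXT) (\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_query(qname, rtype):
    """Return a reason string if the query is suspicious, else None."""
    name = qname.lower().rstrip(".")
    first_label = name.split(".")[0]
    if name == WATCHED_PARENT or name.endswith("." + WATCHED_PARENT):
        # A CNAME answer under the parent is the C2 hand-off the write-up describes;
        # A answers there are the behaviour-control signal, so both deserve a ticket.
        return "c2-redirect-via-cname" if rtype == "CNAME" else "watched-dga-parent"
    if len(first_label) >= MIN_LABEL_LEN and shannon_entropy(first_label) >= MIN_ENTROPY_BITS:
        return "dga-like-label"
    return None


def analyze_dns_log(log_text):
    """Parse resolver log lines and return the suspicious ones with a reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, qname, rtype, answer = m.groups()
        reason = classify_query(qname, rtype)
        if reason:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "rtype": rtype, "answer": answer, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['client']} {f['reason']:22} {f['qname']} -> {f['answer']}")
```

The entropy rule catches look-alike beacons to parents you have not listed yet; the parent-domain rule catches the known one regardless of label shape.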
Info
Channel: Lawrence Systems
Views: 85,223
Rating: 4.936398 out of 5
Keywords: lawrencesystems, solarwinds orion, solarwinds hack, solarwinds, orion, solarwinds orion hacked, solarwinds orion hack explained, insider threat solarwinds, fireye sunburst, fireeye, cybersecurity, hacking, security, solarwinds sunburst
Id: aKhfL9IP6DI
Length: 18min 18sec (1098 seconds)
Published: Mon Dec 14 2020