SolarWinds: What the Intelligence Tells Us

Posted: 23rd December 2020

The SolarWinds attack has quickly attained status as the biggest hack of 2020. By inserting a backdoor into a signed build of the widely used IT management suite SolarWinds Orion, the threat actors obtained a foothold in every organization that installed the trojanized update, turning one vendor's compromise into access across a broad supply chain. This wide-reaching attack emphasizes the importance of a third-party risk management program. However, many questions about the attack's impact and prevalence remain.

Here’s a quick recap of the first five days following disclosure of the incident:

December 13, 2020: As part of an internal breach investigation, FireEye reports that trojanized SolarWinds Orion updates are at the root of a major supply chain attack, used in a global intrusion campaign affecting both public and private sector enterprises. Multiple security researchers, journalists, and companies respond, adding opinions and speculation to the emerging incident. Recorded Future's threat research team, Insikt Group, identifies key indicators of compromise from 11 different sources reporting on the emerging threat.

December 14, 2020: A SolarWinds filing with the U.S. Securities and Exchange Commission (SEC) states that the company has more than 300,000 customers, of which about 33,000 are SolarWinds Orion customers, and that it believes fewer than 18,000 of those installed an Orion build containing the malicious code. Multiple government agencies are named as victims of the attack in a Reuters report.

December 15, 2020: Microsoft and industry partners take control of the SUNBURST command and control domain, avsvmcloud.com, and sinkhole it, so that remaining beacons from backdoored hosts reach defenders rather than the attackers. Insikt publishes a note synthesizing new information from five different sources and highlighting newly discovered indicators of compromise.

December 16, 2020: The RedDrip team from QiAnXin Technology releases details on the SUNBURST domain generation algorithm (DGA): how it encodes the victim's internal domain name into a subdomain label and exfiltrates it in DNS queries to the command and control infrastructure. Insikt uses newly published tools from multiple sources to reverse the DGA and identify affected hosts.

December 17, 2020: Unit42 reports a second piece of malware found on SolarWinds Orion servers, the SUPERNOVA web shell. The threat continues to emerge, but few details are known about its impact.

Ongoing: Public and private enterprises continue to identify, detect, and protect affected systems to mitigate the risk of a security incident.

What Can Intelligence Tell Us?

Over the course of the last week, we employed a number of different methods to better understand the impact of this attack:

  • Using basic open source intelligence collection, such as searching for customer references and testimonials through search engines, one can compile a partial list of SolarWinds clients. A quick experiment surfaced a testimonials page and a public-facing SolarWinds customer list that together named 252 SolarWinds customers and one SolarWinds Orion customer. While cheap, this method provides low visibility and low confidence, and the collected intelligence may be stale.
  • Utilizing our technical collection, Recorded Future correlated scanning data against our Third-Party Intelligence company ontologies. We identified 1,556 internet assets with SolarWinds Orion product indicators on 372 companies. This is a leap forward, providing both broader visibility and a higher level of confidence as correlations are directly tied to the affected product.
  • Employing open source tools, we decoded the SUNBURST domain generation algorithm (DGA) and identified over 1,400 hostname fragments (and increasing). Because the backdoor splits a long domain name across several DNS queries, each decoded value is only a fragment and must be matched against a domain inventory: the fragments matched 286 candidate domains in our domain ontologies, which in turn relate to 47 companies that are likely to have been affected by the security incident. We cannot at this time determine the scope of the compromise at any of the affected companies.
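The decoding step in the last bullet is worth seeing in working code. The block below is an added example, written for this page and not Recorded Future's tooling nor the SUNBURST source; it reimplements the two hostname encodings that public analyses of the backdoor describe (a shift-substitution cipher over a 35-character alphabet with a "0" escape for the characters 0, _, -, and ., and, for hostnames containing anything else, a "00"-prefixed form that XORs the bytes with a random key byte and applies a custom base32 alphabet). Everything about the encoded victim-identifier prefix (treated here as an opaque 16-character string, per public decoders), the handling of leftover base32 bits, and the sample hostnames and domain list is an assumption or constructed input, marked as such in the comments; the real malware is the reference if any detail differs.

```python
"""Encode/decode SUNBURST-style DGA hostname fragments (reimplementation for illustration)."""
import random

SUBST = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"   # substitution alphabet; note it has no '0'
SPECIAL = "0_-."                                 # characters escaped with a leading '0'
B32 = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"         # custom base32 alphabet
SHIFT = 4                                        # fixed shift applied over SUBST
ID_LEN = 16                                      # assumption: length of the encoded victim-ID prefix


def b32_encode(data: bytes) -> str:
    """Little-endian 5-bit packing with the custom alphabet (leftover bits emitted: assumption)."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 5:
            out.append(B32[acc & 31])
            acc >>= 5
            bits -= 5
    if bits:
        out.append(B32[acc & 31])
    return "".join(out)


def b32_decode(s: str) -> bytes:
    out, acc, bits = bytearray(), 0, 0
    for ch in s:
        acc |= B32.index(ch) << bits
        bits += 5
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    return bytes(out)                            # trailing padding bits are discarded


def xor_b32_encode(data: bytes, key: int) -> str:
    """First byte is the key; every payload byte is XORed with it, then base32-encoded."""
    if not 1 <= key <= 127:
        raise ValueError("key byte must be in 1..127")
    return b32_encode(bytes([key]) + bytes(b ^ key for b in data))


def xor_b32_decode(s: str) -> bytes:
    raw = b32_decode(s)
    key = raw[0]
    return bytes(b ^ key for b in raw[1:])


def subst_encode(host: str, rng: random.Random) -> str:
    """Shift each alphabet character by SHIFT; escape SPECIAL characters as '0' + marker.

    The marker index is SPECIAL.index(c) plus a random multiple of four, which is why
    decoders recover the character with a modulo-four reduction."""
    out = []
    for c in host:
        if c in SPECIAL:
            out.append("0" + SUBST[SPECIAL.index(c) + 4 * rng.randrange(8)])
        else:
            out.append(SUBST[(SUBST.index(c) + SHIFT) % len(SUBST)])
    return "".join(out)


def subst_decode(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "0":                          # escape: next char selects from SPECIAL
            i += 1
            out.append(SPECIAL[SUBST.index(s[i]) % len(SPECIAL)])
        else:
            out.append(SUBST[(SUBST.index(s[i]) - SHIFT) % len(SUBST)])
        i += 1
    return "".join(out)


def encode_hostname(host: str, seed=None) -> str:
    """Pick the encoding the way the backdoor does: substitution if every character fits,
    otherwise '00' + XOR/base32. A substitution output can never start with '00' because
    '0' is only ever followed by a SUBST character, so the prefix is unambiguous."""
    rng = random.Random(seed)
    if all(c in SUBST or c in SPECIAL for c in host):
        return subst_encode(host, rng)
    return "00" + xor_b32_encode(host.encode("utf-8"), rng.randrange(1, 128))


def decode_hostname(enc: str) -> str:
    if enc.startswith("00"):
        return xor_b32_decode(enc[2:]).decode("utf-8", "replace")
    return subst_decode(enc)


def decode_label(label: str) -> tuple:
    """Split a DGA subdomain label into (opaque victim-ID prefix, decoded hostname fragment)."""
    if len(label) <= ID_LEN:
        return label, ""                         # no hostname payload in this query
    return label[:ID_LEN], decode_hostname(label[ID_LEN:])


def match_fragments(fragments, known_domains) -> dict:
    """Map each decoded fragment to the inventory domains containing it (fragments may be partial)."""
    return {f: sorted(d for d in known_domains if f and f in d) for f in fragments}


if __name__ == "__main__":
    # Constructed sample hostnames and inventory, not real victim data.
    for host in ("corp-dc01.example.local", "EXAMPLE.local"):
        enc = encode_hostname(host, seed=1)
        print(f"{host!r} -> {enc} -> {decode_hostname(enc)!r}")
    print(match_fragments(["example.loc", "pima.g"], ["example.local", "central.pima.gov", "other.org"]))
```

Running the script shows both paths: the first hostname takes the substitution path (its three special characters appear as "0x" pairs), the second is forced onto the "00" path by its uppercase letters. In practice the decoded values arrive as fragments of a longer name spread over several queries, which is why the matching step is a substring search over an inventory rather than an exact lookup.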

Does It Stop Here?

The most immediate concerns around SUNBURST are beginning to subside as security teams investigate its impact on their organizations. However, a question still lingers: is this just the beginning? Unit42 has reported a second piece of malware on SolarWinds Orion servers, the SUPERNOVA web shell, and is investigating it further. Unconfirmed reports claim that credentials for a SolarWinds FTP server were exposed in plaintext on GitHub and could have provided threat actors with an initial point of entry.

In response to recent security events, the National Security Agency (NSA) released a Cybersecurity Advisory, "Detecting Abuse of Authentication Mechanisms." The advisory outlines a scenario in which a threat actor first gains privileged access to an on-premises federated identity environment, then subverts single sign-on (SSO) either by forging authentication tokens (for example, SAML assertions signed with a stolen token-signing key) or by registering its own trusted identity provider, and so gains illicit access to a wide range of the organization's cloud resources. Most notably, the advisory cites a zero-day vulnerability used to compromise VMware Workspace ONE Access and VMware Identity Manager servers to accomplish exactly that. This is not an inherent flaw in federated identity management, but it does underline the importance of hardening identity management configurations and controls, above all protecting the identity provider's signing keys and administrative access.

If the threat actors behind SUNBURST used exposed credentials to gain access and ultimately subvert SSO authentication, there may be another vulnerability or backdoor just around the corner.

What Does This Mean?

This attack proved that threat actors can and will infiltrate the software supply chain, and we will likely see this attack type again. Organizations must account for the digital supply chain as part of their attack surface. Even an enterprise that does not rely on SolarWinds Orion may still be at risk through third parties that do.

A proactive approach to third-party risk management is necessary to stay ahead of supply chain security incidents. Spreadsheets, questionnaires, and email are slow and reactive; they do not let enterprises keep pace with a rapidly changing threat landscape.

Recorded Future Third-Party Intelligence provides automated visibility at scale to identify risk exposures hidden across the third-party ecosystem so that security and risk teams are able to prioritize and proactively manage third-party risk.

Recorded Future continues to monitor and research this incident, and will provide updates as appropriate. Organizations should refer to guidance published by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), updated disclosures from SolarWinds, and Insikt Group reporting for further information including indicators of compromise and mitigation advice.