SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?

Suspected state-sponsored hackers have succeeded in tampering with SolarWinds' widely deployed network management and security products. Through a supply chain attack, a Trojanized software update carrying the SunBurst backdoor was rolled out to customers worldwide.


Currently, it can be summed up in one sentence: the house is on fire. The SunBurst backdoor enabled the hack at FireEye in which their Red Team tools were captured. I had reported on that attack in the blog post FireEye hacked, Red Team tools stolen. A few hours ago I reported on the hack of the U.S. Treasury Department and of another agency, the NTIA at the U.S. Department of Commerce (see US Treasury and US NTIA hacked). Now it is crystallizing that these attacks probably also ran through the backdoor in SolarWinds products.

SolarWinds products with SunBurst backdoor

Evidence suggests that attackers manipulated a software update from Texas-based IT infrastructure provider SolarWinds earlier in 2020 and, through this supply chain attack, penetrated the systems of government agencies as well as FireEye.

SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including top enterprises, government agencies and educational institutions.

SolarWinds also serves the major U.S. telecommunications companies, all five branches of the U.S. military, and other prominent government organizations such as the Pentagon, Department of State, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

CISA warning about SolarWinds products

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on Sunday evening (2020/12/13). This was in response to a known compromise of SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1 are affected) that is currently being exploited by state-sponsored actors. The existence of the following files (on Windows) indicates a compromise:


a. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448].

b. [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

The compromise allows an attacker to gain access to network traffic management systems. The CISA emergency directive directs all federal civilian agencies in the U.S. to scan their networks for signs of compromise and to immediately disconnect or power down SolarWinds Orion products.
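The following PowerShell script is an added example, not code from CISA, SolarWinds or this blog, of how an administrator could check a single Orion host for the two file indicators listed in the directive. It assumes Orion is installed somewhere under Program Files (the search roots are an assumption) and that it runs in an elevated session. The hash in the directive is an MD5 value and matches only one specific build of the backdoored DLL; since the affected range spans several Orion versions, a non-match does not prove the host is clean. The script also records the Authenticode status of any hit, because the trojanized DLL carries a valid SolarWinds signature, so a signature check alone will not reveal it:

```powershell
# Added example: check a Windows host for the file indicators in CISA ED 21-01.
# Not part of the directive or of SolarWinds' tooling. Run elevated on an Orion host.

$KnownBadMd5 = 'b91ce2fa41029f6955bff20079468448'   # MD5 named in ED 21-01
# Assumption: Orion lives under one of the Program Files trees.
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$Findings = @()

# Indicator (a): SolarWinds.Orion.Core.BusinessLayer.dll with the known-bad hash.
$dlls = Get-ChildItem -Path $SearchRoots -Recurse -File `
    -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue
foreach ($dll in $dlls) {
    $md5 = (Get-FileHash -Path $dll.FullName -Algorithm MD5).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    if ($md5 -eq $KnownBadMd5) {
        $Findings += [pscustomobject]@{
            Indicator = 'a'
            Path      = $dll.FullName
            MD5       = $md5
            SigStatus = $sig.Status          # expected "Valid": the backdoored build is signed
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# Indicator (b): the dropped netsetupsvc.dll in SysWOW64 (presence alone is the indicator).
$netsetup = Join-Path $env:SystemRoot 'SysWOW64\netsetupsvc.dll'
if (Test-Path -Path $netsetup) {
    $Findings += [pscustomobject]@{
        Indicator = 'b'
        Path      = $netsetup
        MD5       = (Get-FileHash -Path $netsetup -Algorithm MD5).Hash.ToLower()
        SigStatus = (Get-AuthenticodeSignature -FilePath $netsetup).Status
        Signer    = $null
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No ED 21-01 file indicators found on $env:COMPUTERNAME."
    Write-Output "Caveat: only one build hash is known here; check the installed Orion version against 2019.4 .. 2020.2.1 HF1 as well."
} else {
    Write-Warning "ED 21-01 indicators present on $env:COMPUTERNAME. Isolate the host before touching it further."
    $Findings | Format-Table -AutoSize
}
```

Run it before disconnecting the host, so that the hash, path and signer details are preserved for the incident record; the directive asks for the system to be isolated, not reinstalled, precisely so that this evidence survives.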

FireEye and the UNC2452 Campaign

Hacked security vendor FireEye reports in this article on a widespread campaign by a state-sponsored actor it tracks as UNC2452. As part of its investigation, FireEye discovered a supply chain attack on SolarWinds Orion business software: earlier this year, Trojanized updates were delivered to systems running this software. Through these updates, the attackers distribute malware that FireEye calls SUNBURST. After compromising a device, the attackers use multiple techniques to evade detection and disguise their activities. The campaign is widespread and affects public and private organizations around the world.

The SUNBURST Backdoor

The CISA warning about SolarWinds products already mentions the file SolarWinds.Orion.Core.BusinessLayer.dll found on Windows systems where the software is installed. SolarWinds.Orion.Core.BusinessLayer.dll is a digitally signed component of the Orion Software Framework by SolarWinds. Compromised versions contain a backdoor that communicates with attacker-controlled servers via HTTP, while the SolarWinds signature on the file remains valid.

SolarWinds digital signature on software with backdoor, Source: FireEye

After an initial dormancy period of up to two weeks, the backdoor retrieves and executes commands called "jobs," which include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware disguises its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results inside legitimate plugin configuration files. This allows it to blend in with legitimate SolarWinds activity and avoid detection.

The backdoor uses multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services, and drivers, and adjusts its behavior when it finds them. Details on how to detect the malware, as well as a deeper analysis, can be found in the FireEye article. Addendum: Microsoft has also released a Customer Guidance on Recent Nation-State Cyber Attacks with further details.
