News in the fight against SUNBURST infection, domain seized

Knowledge about the cyber attack against US authorities and companies via the SUNBURST backdoor is growing. The U.S. State Department and other government agencies may have been hacked as well. Meanwhile, Microsoft and other industry partners have seized the domain of the C&C server and hope to be able to track down infected systems.


Worst case for SolarWinds and for the USA?

The visible tip of the iceberg is slowly getting bigger. The affair was triggered after the hack at security vendor FireEye became publicly known a few weeks ago. I had reported on it in the blog post FireEye hacked, Red Team tools stolen, because the hackers had looted that company's Red Team tools. Security vendor FireEye was able to uncover a widespread hacking campaign, dubbed UNC2452. The company then raised the alarm with U.S. security and intelligence agencies, which prompted a closer look.

That's because the suspected state hackers had landed a coup: in a supply chain attack, they were able to compromise the update process of the software manufacturer SolarWinds. A DLL file infected with a Trojan was delivered to customers by SolarWinds with updates to its Orion product range. Orion is monitoring software for Windows that can be used to monitor an IT infrastructure (including databases) and its networks. I had picked up some details in the blog post SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?

Now things are growing. A few days ago it was announced that the US Treasury and the NTIA (National Telecommunications and Information Administration) had been hacked. The NTIA is a department affiliated with the Department of Commerce that is also responsible for the Internet. I had reported on these two cases in the blog post US Treasury and US NTIA hacked.

At that point, it was already clear to me that it wouldn't stop there. After all, in addition to U.S. companies from the Fortune 500, SolarWinds also supplies the major U.S. telecommunications companies, all five branches of the U.S. military and other prominent government organizations such as the Pentagon, the State Department, NASA, the National Security Agency (NSA), the U.S. Postal Service, NOAA, the U.S. Department of Justice and the Office of the President of the United States. NATO and co. are also among them.

Then it became known that the U.S. Department of Homeland Security (DHS) had also been hacked. The attackers were able to track the agency's email traffic for months without being noticed. I see from the CNet post here that the list of hacked US agencies is growing. The US Department of State (State Department) and the US Department of Defense (Pentagon) have also been 'graced'. ZDNet lists the following agencies as hacked in addition to FireEye:

  • The US Treasury Department
  • The US Department of Commerce's National Telecommunications and Information Administration (NTIA)
  • The Department of Health's National Institutes of Health (NIH)
  • The Cybersecurity and Infrastructure Agency (CISA)
  • The Department of Homeland Security (DHS)
  • The US Department of State

It is unclear how many systems with which products are still affected. Via Facebook I received the following statement from SolarWinds to customers.


Dear Solarwinds partner

Our vendor SolarWinds MSP has informed us that there has been a hacker attack on the SolarWinds Orion platform. We do not use this product in our offering.

There is – as of today – no indication that your Solarwinds MSP products are affected and use modules from the Orion platform.

Therefore, Solarwinds believes that your and your customers' data is still safe.

As far as we know so far, only SolarWinds Orion products in versions 2019.4 to 2020.2.1 HF1 are affected (see also SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?). This is also the tenor of the following tweet.

SolarWinds products affected by SUNBURST

Brian Krebs has cited the figure of 18,000 potentially affected customers in this article (he refers to a SolarWinds notification to U.S. regulators where this figure was cited). Symantec reports in this blog post that it has identified more than 2,000 computers on over 100 customer systems that received the infected SolarWinds Orion updates. However, Symantec's security software has so far been unable to detect any malicious effects.

Disaster for SolarWinds, Shares sold early

In a post that has since been deleted (see also), SolarWinds was still boasting of its strength and claiming that hardly anyone could get past its products. The article contained the following information:

SolarWinds' comprehensive products and services are used by more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions. Our customer list includes:

  • More than 425 of the US Fortune 500
  • All ten of the top ten US telecommunications companies
  • All five branches of the US Military
  • The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
  • All five of the top five US accounting firms
  • Hundreds of universities and colleges worldwide

Then a partial client list followed that includes the who's who of the institutional and business world (see the following screenshot).

SolarWinds partial customer list
(SolarWinds customers, deleted from the SolarWinds web site)

Of course, the list does not mean that these customers also use Orion products and are infected. But in these companies, I would still worry as an IT manager.

Reuters reports here about an Oct. 27, 2020, conference call that the company's soon-to-retire CEO, Kevin Thompson, held with analysts in 2021. There, Thompson boasted that there was no database or IT implementation model for which his Austin, Texas-based company did not provide some level of oversight or management. "We don't think anyone else in the market is anywhere near as broad as we are," Thompson said, "We manage everyone's network equipment."

Now that dominance has become a liability, and SolarWinds software has become toxic. That's because the successful attack on the company's supply chain has struck at the heart of its clientele and, by extension, U.S. government agencies and companies. Meanwhile, the 'dirty sides' of the story are also coming to light.

SolarWinds Investor-Exit

The top two investors, Silver Lake and Thoma Bravo, dumped shares worth $286 million. But they did so on Dec. 7, 2020, six days before the hack became public. That should trigger investigations into insider trading. It brings back memories for me of the Equifax hack, where a board member went to jail.

Countermeasures by Microsoft and SolarWinds

Meanwhile, SolarWinds has released patches that should remove the infected DLLs. And Microsoft has added the appropriate signatures to Defender, which will quarantine compromised SolarWinds Orion files (see also the following tweet).

Defender detects SUNBURST malware

The original announcement including Microsoft's notices can be read here – Bleeping Computer addressed it here. And there is another action against the SUNBURST malware: Microsoft, together with industry partners, has had the domain of the C&C server seized. This is reported by ZDNet with reference to its own sources in this article. The domain in question is avsvmcloud[.]com, which served as the command-and-control (C&C) server for the SUNBURST malware and was registered with Go Daddy.

By seizing the domain, Microsoft and its partners hope to identify all victims. And there is hope that by doing so, they will prevent attackers from using the backdoor to expand their attacks on already infected networks. However, I have quiet doubts that this measure will be crowned with success for systems that have already been taken over. I may be wrong, but I would have expected the attackers to have set up additional backdoors in the Active Directory structures in question long ago.
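The seizure works because infected systems keep resolving the C&C domain, so defenders can check their own resolver logs for the same signal. The following is an added example (not code from the blog, Microsoft or SolarWinds) that scans constructed DNS log lines for lookups of avsvmcloud.com or any subdomain of it; the log format and the subdomain labels are assumptions made up for the example, and it matches on label boundaries so look-alike names do not produce false hits.

```python
import re
from collections import defaultdict

# C&C domain named in the article (written defanged there as avsvmcloud[.]com)
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log lines: timestamp, client IP, queried name, record type.
# The subdomain labels are made up for this example, not the malware's real naming scheme.
SAMPLE_LOG = """\
2020-12-14T10:22:31Z client=10.0.5.17 query=k3h8v2q1.example-region.avsvmcloud.com type=A
2020-12-14T10:22:40Z client=10.0.5.17 query=updates.solarwinds.com type=A
2020-12-14T10:23:02Z client=10.0.9.44 query=AVSVMCLOUD.COM. type=A
2020-12-14T10:23:15Z client=10.0.7.3 query=avsvmcloud.com.lookalike.test type=A
2020-12-14T10:23:30Z client=10.0.7.3 query=notavsvmcloud.com type=A
2020-12-14T10:24:01Z client=10.0.5.17 query=z9p0x1w7.example-region.avsvmcloud.com type=A
"""

# Assumed log layout; adjust the pattern to the resolver actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) type=(?P<rtype>\S+)$"
)


def is_under_domain(name, domain=C2_DOMAIN):
    """True if name is the domain itself or a subdomain of it.

    Normalises case and a trailing root dot and matches on a label boundary,
    so 'notavsvmcloud.com' and 'avsvmcloud.com.lookalike.test' do not match.
    """
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def find_c2_lookups(log_text, domain=C2_DOMAIN):
    """Return {client_ip: [queried names]} for every lookup under the C&C domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed log format
        if is_under_domain(m.group("name"), domain):
            hits[m.group("client")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_c2_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} lookup(s) -> {', '.join(names)}")
```

A hit only shows that a host resolved the domain, so it is a starting point for triage, not proof of compromise on its own.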

Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
