SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail

[German]Some small additions on the hack of companies and US authorities by the SUNBURST malware, which was delivered via an update for the Orion software. There is an analysis tool, SolarFlare, to determine what permissions the Orion software had. The hackers' domain hosting the C&C server has been taken over, and Microsoft and FireEye have established a 'killswitch'. And the EINSTEIN system, developed at a cost of billions, did not notice anything of this hack.


Here in this post I summarize some points regarding the hack of various companies and US authorities by the SUNBURST malware. The hackers were able to inject SUNBURST into updates of the SolarWinds Orion product line. It is now clear that the attackers must have had access to the source code base of the US security vendor SolarWinds (see SUNBURST malware was injected into SolarWind's source code base). For months they prepared the infiltration of the Trojan, which acts as a backdoor, and injected it into the source code. Details can be found in the blog posts linked at the end of this article.

C&C domain takeover completed

In the blog post News in the fight against SUNBURST infection, domain seized I had indicated that Microsoft and industry partners (GoDaddy as the registrar and FireEye as the analysis company) were working on the takeover of the domain hosting the Command & Control server. This German comment (thanks for that) references the recent article by Brian Krebs. Krebs now confirms the domain takeover and quotes a response from FireEye:

"SUNBURST is the malware that was distributed through SolarWinds software," FireEye said in a statement shared with KrebsOnSecurity. "As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.

Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.

This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.

It is important to note the last sentence of the above statement: this killswitch does not lock the attackers out of the networks of the hacked victims, because they have long since taken further measures to keep accessing the infected systems. The best hope is to identify and notify the victim systems via their communication attempts and the IP addresses used in the process. So there is still a lot of work to be done by forensic experts and administrators.
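Spotting those communication attempts in one's own logs is the defender's part of this. The following Python script is an added example, not code from the post or from FireEye: it scans constructed resolver log lines for lookups of the avsvmcloud[.]com domain named in the statement (written undefanged in code) and lists, per internal host, the answers returned, so the machine can be notified and examined. The log line format, the subdomain labels and all IP addresses are assumptions.

```python
import re
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"  # the beaconing domain named in the FireEye statement

# Constructed sample resolver log (not real data); one record per line, format assumed:
#   <timestamp> client <source-ip> query <qname> -> <answer-ip>
SAMPLE_DNS_LOG = """\
2020-12-15T09:12:01Z client 10.0.4.21 query constructed-label-1.avsvmcloud.com -> 192.0.2.10
2020-12-15T09:12:05Z client 10.0.4.22 query updates.vendor.example -> 198.51.100.7
2020-12-15T09:13:40Z client 10.0.4.21 query avsvmcloud.com -> 192.0.2.10
2020-12-15T09:14:02Z client 10.0.7.9 query constructed-label-2.avsvmcloud.com -> 192.0.2.44
2020-12-15T09:15:11Z client 10.0.7.9 query notavsvmcloud.com -> 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qname>\S+) -> (?P<answer>\S+)$"
)


def is_c2_lookup(qname: str, domain: str = C2_DOMAIN) -> bool:
    """True if qname is the C2 domain itself or a label-aligned subdomain of it.
    A plain suffix match would wrongly flag 'notavsvmcloud.com'; a trailing
    dot (FQDN form) and mixed case are normalised first."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def find_beaconing_hosts(log_text: str, domain: str = C2_DOMAIN) -> dict:
    """Return {source_ip: sorted distinct answers} for every internal host that
    resolved the C2 domain. Lines that do not match the format are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if is_c2_lookup(m["qname"], domain):
            hits[m["src"]].add(m["answer"])
    return {src: sorted(answers) for src, answers in hits.items()}


if __name__ == "__main__":
    for host, answers in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host} resolved {C2_DOMAIN}; answers seen: {', '.join(answers)}")
```

The resolved answers are kept because, as the statement says, which IP comes back determines whether the sample terminates itself; the list tells an administrator which hosts to examine for the additional persistence mechanisms FireEye describes.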

SolarFlare analysis tool

Those who have run the Orion software with the compromised updates on their systems cannot avoid a forensic analysis of those systems and of the network. It would be good to at least have an overview of which systems the Orion monitoring software had access to in the first place. In the following tweet, Catalin Cimpanu points out the new tool SolarFlare, which can be used to read out all credentials stored by the Orion software. This makes it possible to check what might have been compromised by the hackers.

(Tweet: Analysis tool SolarFlare)

Administrators then have the option to change the passwords of all affected accounts. The tool is described here and can be obtained on GitHub.

EINSTEIN monitoring system failed

EINSTEIN is an intrusion detection system of CISA (Cybersecurity and Infrastructure Security Agency) that monitors U.S. federal agency networks. It was developed at a cost of billions of dollars. In the back of my mind, I think I once made a post here on the blog about EINSTEIN, but I can't find it anymore. A little can be found on this CISA page.

The Washington Post reports in the article 'The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it' that the U.S. government spent billions on a system for detecting hacks. And then the Russians simply outsmarted this great system (if you find schadenfreude in this sentence, you may keep it).

The hack only blew up when the suspected Russian hackers couldn't resist helping themselves to the crown jewels of the security firm FireEye: during the hack they copied and stole its Red Team tools. In the analysis that followed, FireEye got on the trail of the espionage campaign (I reported details here on the blog in the articles linked below).

The article quotes CISA spokeswoman Sara Sendek as saying that the 'breaches' date back to March and were not detected by any intrusion detection or prevention system. Once CISA received tips about the activity, it loaded them into Einstein to help identify breaches on government networks. The Washington Post writes: Einstein, run by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), was not equipped to find novel malware or Internet connections. That reminds me of the old technician's adage 'he who measures, measures crap'.

A 2018 Government Accountability Office report reportedly recommended to officials that developing such a capability might be a wise investment. Intrusion monitoring systems from security companies also use these capabilities to detect malware and intrusion attempts. Communication attempts with unknown IP addresses can also trigger an alarm; on this point EINSTEIN was blind.

The Washington Post quotes Thomas Bossert, a top cybersecurity official in both the George W. Bush and Trump administrations, as saying: "It's fair to say that Einstein was not properly designed. But that's a failure of management." Bossert worked on the original Einstein concept in the George W. Bush administration; the original idea, he says, was to place active sensors at an agency's Internet gateway that could detect and neutralize malicious command-and-control traffic. "But the Bush, Obama and Trump administrations never designed Einstein to reach its full potential."

I found the sentence 'But the months-long hack of federal networks that has been uncovered in recent days has revealed new vulnerabilities and underscored some already known ones, including the federal government's dependence on widely used commercial software that offers potential attack vectors for hackers […]' quite interesting. This warning does exist in Germany too, after all … occasionally even here on the blog; but no one wants to hear it, because they rely on 'one standard'.

Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware was injected into SolarWind's source code base
