What is Solar Winds Hack ? Mitigation Steps and Recommendations

What is Solar Winds Hack?

SolarWinds is an IT agency that gives software program for entities Including Fortune 500 companies.

It was initially reported that SolarWinds was the topic of a large cybersecurity assault that passed on  to the company's clients.

The breach went undetected for months of impacted clients which included TOP US Govt Agencies including the white house.

Earlier this year, hackers secretly broke into Solar Winds Programs and added malicious code into the company's software. The system, often called "Orion" is also used by corporations to take care of IT Infrastructure and networks. Solarwinds has round 33,000 purchasers that use Orion.

•  Most software providers regularly send out updates to their systems, whether it's fixing a bug or adding new features. SolarWinds is no exception. Beginning as early as March 2020, SolarWinds unknowingly sent out software updates to its customers that included the hacked code. The Hacked is commonly called as "SUNBURST" Malware.

The code created a backdoor to customer's information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations.

• The hack went undetected for months and was in stealth mode before being detected by any of the known detection and control put in place  by organization's .This  could accelerate broad changes in the cybersecurity industry. Companies are turning to a new method of assuming that there are already breaches, rather than merely reacting to attacks after they are found.

Mitigation steps and Recommendations

If you do not have solar winds Orion Systems/Network management software  in your network ,you need not worry .But would advise running a software inventory check of your network  for possible Trial versions or evaluation versions of Solar winds Orion or other products installed by your systems/network administrators without your knowledge.

 

A simplified image of Solar Windows Attack as per Symantec is shown below

As you can see from the above illustration from Symantec(Broadcom) , The Sunburst Malware has the ability to steal credentials including that of your systems administrator

 

Recommended Actions by Symantec(Broadcom)

Orion users should update to Orion Platform version 2020.2.1 HF 2.

Orion users should check their networks for indications of post-compromise activity, including:

Use of Teardrop in-memory malware to drop Cobalt Strike Beacon.

Command and control (C&C) infrastructure leaks the configured hostname in RDP SSL certificates. Scanning for your organization’s hostnames can uncover malicious IP addresses used by the attackers, indicating post-compromise activity.

Geolocation of IP addresses used for remote access may reveal if a compromised account is being simultaneously used by a legitimate user and the attackers.

The attackers use multiple IP addresses per VPS provider. If a malicious login from an unusual ASN(Autonomous System Number) is identified, other logins from that ASN may also be malicious.

Logs for SMB sessions may show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short period of time.

It should be kept in mind that although there may be some commonalities in post-compromise activity, each victim is likely to see different patterns in activity. That activity is likely to involve heavy use of living-off-the-land techniques to minimize the likelihood of being detected, something the attackers seem to be prioritizing based on how they conducted the first stages of the attack.

Personal view and Recommendations.

1)Watch Egress or outbound traffic in your firewall . especially towards infinitysoftwares[.]com   ,ervsystem[.]com and infinitysoftwares[.]com

2) Add DNS "A" records or Zones(domain names) in your internal DNS server pointing the A record to local loop address (127.0.0.1) for those records. The zones to be added are  *.avsvmcloud[.]com   ,ervsystem[.]com ,infinitysoftwares[.]com

3)Act as if you are already infected, and try to brainstorm yourself and your IT team and other stakeholders. From there on ,how you protect your companies information assets. Build a Threat landscape for your Organizational  context ,Consider Threat Modelling techniques like Microsoft's STRIDE.

 

4)Add or block the following MD5 Hashes  in the Application and device control Module of your End point Malware control software.

d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600            Sunburst installer

019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134            Sunburst backdoor

ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6            Sunburst backdoor

32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77            Sunburst backdoor

dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b            Sunburst backdoor

eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed            Sunburst backdoor

c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77            Sunburst backdoor

ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c            Sunburst backdoor

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c            Teardrop backdoor

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07            Teardrop backdoor.

5)Change the Administrator password at regular intervals. If you have reinstalled a third party System Administration software ,it is possible that the Administrator password has reverted to its default password .Please change it before going live. Always use Non default Administrator account .ie Add a new Administrator account with similar privilege as the default administrator . Disable the Default Administrator account or keep the password in Split custody. Use the Alternate Administrator account . Do not login to your desktop using the Active directory account which has "Domain Admin" Privileges or Above. Always use your personal account while logging into your desktop which has just the "Domain user" privilege in the Active directory domain .Consider Using PAM(Privileged Access Management) solutions.

6)Have a focused Mitigation controls Plan which is documented for follow up by various IT Leads.  .After your team has concluded all the outlined tasks ,Conduct focused  Gap Analysis from Qualified IT Audit personnel or 3rd party Audit Institutes or Cyber Security Experts.

7) Conduct Vulnerability assessment of any new software or system before go live and is laced in the production network.

8) Watch for lateral suspicious traffic which often go undetected in your network

9)Small and medium Enterprise often overlook the need for Securing their IT Infrastructure .Cyber threats are real and it could take down your company and its Image .If you are a Small or Medium Enterprise ,invest in Securing your IT Infrastructure ,Conduct periodic  awareness training for your Entire Organization ,Understand the need for Securing your software during the design and development phase, Have an IT Governance framework in place, driven by Policies, Baselines .Ensure that your IT security Program  has the support of Senior Management and C suite leadership.

11) Patch your Servers, Network and security Devices on a periodic Basis. Assess the impact by testing the patch for a few days before rolling to production .Its often a best practice to defer the installation of a new patch, as the patch itself could be having a  bug(This is what happened in the Solar Winds SUNBURST Malware) . If it is a Critical Microsoft Patch which requires immediate deployment ,please do so in batches for a collection of systems based on its classification inside your network. Microsoft Releases Patches every 2nd Tuesday of the Month. Also Keep track of Machines which are not patched for any reason.

Leave your comments in the comments box . Please provide your valuable inputs which might further help IT and security experts to control  and mitigate SUNBURST malware breach.

ShivaPrasad  Ariga