This update is a continuation of our previous coverage of the SolarWinds supply-chain attack that was discovered by FireEye in December 2020. As of Jan. 11, 2021, new research has been published that expands the security community’s understanding of the breadth and depth of the SolarWinds attack.
Two recent developments warrant your attention:
- New in-depth research from CrowdStrike provides technical analysis of the malware—dubbed "SUNSPOT" (the industry is going to run out of stellar-themed names at this rate)—that was used to insert the SUNBURST backdoor into SolarWinds Orion software builds.
- New technical analysis from researchers at Kaspersky discusses their discovery of feature overlap between the SUNBURST malware code and the Kazuar backdoor.
The SUNSPOT build implant
On Monday, Jan. 11, 2021, CrowdStrike’s intelligence team published technical analysis on SUNSPOT, a newly identified type of malware that appears to have been used as part of the SolarWinds supply chain attack. CrowdStrike describes SUNSPOT as “a malicious tool that was deployed into the build environment to inject [the SUNBURST] backdoor into the SolarWinds Orion platform.”
While SUNSPOT infection is part of the attack chain that allows for SUNBURST backdoor compromise, SUNSPOT has distinct host indicators of attack (including executables and related files), artifacts, and TTPs (tactics, techniques, and procedures).
CrowdStrike provides a thorough breakdown of how SUNSPOT operates, including numerous indicators of compromise. Here are the critical highlights:
SUNSPOT’s on-disk executable is named
taskhostsvc.exe and has an initial, likely build date of Feb. 20, 2020. It maintains persistence through a scheduled task that executes on boot and has the
SeDebugPrivilege grant, which is what enables it to read the memory of other processes.
It uses this privilege to watch for
MsBuild.exe (a Visual Studio development component) execution and modifies the target source code before the compiler has a chance to read it. SUNSPOT then looks for a specific Orion software source code component and replaces it with one that will inject SUNBURST during the build process. SUNSPOT also has validation checks to ensure no build errors are triggered during the build process, which helps it escape developer and other detection.
The last half of the CrowdStrike analysis has details on tactics, techniques, and procedures, along with host indicators of attack, ATT&CK framework mappings, and YARA rules specific to SUNSPOT. Relevant indicators have been incorporated into Rapid7's SIEM, InsightIDR, and Managed Detection and Response instances and workflows.
SolarWinds has updated their blog with a reference to this new information on SUNSPOT. Because SUNSPOT, SUNBURST, and related tooling have not been definitively mapped to a known adversary, CrowdStrike has christened the actors responsible for these intrusions “StellarParticle.”
SUNBURST’s Kazuar lineage
Separately, Kaspersky Labs also published technical analysis on Monday, Jan. 11, 2020 that builds a case for a connection between the SUNBURST backdoor and another backdoor called Kazuar. Kazuar, which Palo Alto Networks’ Unit42 team first described in May of 2017 as a “multiplatform espionage backdoor with API access,” is a .NET backdoor that Kaspersky says appears to share several “unusual features” with SUNBURST. (Palo Alto linked Kazuar to the Turla APT group back in 2017, which Kaspersky says their own observations support, too.)
Shared features Kaspersky has identified so far include the use of FNV-1a hashing throughout Kazua and SUNBURST code, a similar algorithm used to generate unique victim identifiers, and customized (thought not exactly the same) implementations of a sleeping algorithm that delays between connections to a C2 server and makes network activity less obvious. Kaspersky has a full, extremely detailed list of similar and different features across both backdoors in their post.
Kaspersky does not definitively state that the two backdoors are the work of the same actor. Instead, they offer five possible explanations for the similarities they’ve identified between Kazuar and SUNBURST. The potential explanations below have been taken directly from their post:
- Sunburst was developed by the same group as Kazuar.
- The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point).
- Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source.
- Some of the Kazuar developers moved to another team, taking knowledge and tools with them.
- The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group.
As Kaspersky notes, the knowledge of a potential lineage connection to Kazaur changes little for defenders, but is worth keeping an eye on, as a confirmed connection may help those in more highly targeted sectors use previous Kazuar detection and prevention methods to enhance their response to the SolarWinds compromise.
Jan. 19, 2021
On Monday, Jan. 18, 2021, Symantec researchers disclosed findings that point to a new, additional malware component that has been found in select victims associated with the SolarWinds attacks. This new malware backdoor has been christened “Raindrop” (we told you we’d run out of ☀️-themed names) or, more formally,
“Backdoor.Raindrop” and is a loader—software that is designed to retrieve additional components for use further attacker operations—that delivers a Cobalt Strike payload.
Raindrop is similar to Teardrop (revealed by FireEye back in December 2020), but appears to be geared toward post-compromise lateral movement, enabling it to spread across a victim’s network. Unlike Teardrop, Symantec has asserted that Raindrop is not being delivered by SUNBURST, but has appeared after a victim has been compromised with SUNBURST.
Symantec chronicles a timeline of many victims, detailing numerous installed components, PowerShell commands, and diverse command and control techniques ranging from HTTP-based interaction to SMB named network pipes. When focusing solely on HTTP interaction, Raindrop shares many features and characteristics with Teardrop, including the HTTP
POST form setup used to retrieve components.
Symantec has provided YARA rules and other indicators of compromise (IoCs) that defenders can use to identify older Raindrop activity and detect current use.
Feb. 8, 2021
CISA has released two malware analysis reports related to the SolarWinds attack:
- TEARDROP Malware Analysis Report (MAR-1032011501.v.1)
- SUNBURST Malware Analysis Report (MAR-10318845-1.v.1)
Mar. 4, 2021
FireEye has posted new information on a second-stage backdoor they've named SUNSHUTTLE. They identified the new malware from a post to a public malware repository dating back to August of 2020. SUNSHUTTLE is written in the Go programming language, and "reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely uploading its configuration, file upload and download, and arbitrary command execution. Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if configured, can select referrers from a list of popular website URLs to help such network traffic “blend in.”"
This is a sophisticated component with modern, refined detection evasion techniques. Full IoCs are available at the FireEye post.
Mar. 10, 2021
CISA, the U.S. Cybersecurity and Infrastructure Agency, released two new resources yesterday to assist organizations in remediating networks affected by the SolarWinds and Active Directory/M365 compromise.
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise provides guidance to organizations affected by this APT activity. CISA encourages affected critical infrastructure and private sector organizations to review and apply it (in addition to federal agencies).
- CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders supports executive leaders of affected organizations in understanding the threat, risk, and associated actions they should take in response to the APT activity. The CISA Insights specifically applies to organizations with affected versions of SolarWinds Orion who have evidence of follow-on threat actor activity.