CISA has uncovered a widespread campaign by an advanced persistent threat (APT) actor that has compromised U.S. government agencies, critical infrastructure entities, and private sector organizations. The threat actor's initial access for this activity is a supply chain compromise of a DLL in SolarWinds Orion products. Post-compromise activity has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.
In an ongoing investigation, researchers are also examining incidents in which victims either do not use SolarWinds Orion, or in which SolarWinds Orion was present but no SolarWinds exploitation activity was observed. The threat actor has used a secret key that the APT previously stole to generate a cookie that bypassed the Duo multi-factor authentication protecting access to Outlook Web App (OWA). This indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.
SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management, along with several types of analysis tools. SolarWinds Orion is used to monitor and manage on-premises and hosted infrastructure. The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products. The adversary inserted a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, and that binary was then signed with the legitimate SolarWinds code signing certificate. Once installed, the binary calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic.
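Because the beacon is victim-specific, a hunt across resolver logs should match the whole avsvmcloud[.]com zone and then separate plain check-ins from queries that actually received an answer, which is where the advisory says the adversary can hand back a new domain or IP for interactive C2. The following is an added example, not code from CISA or SolarWinds; it assumes a simple space-separated resolver log format, and the subdomain label and answer values in the sample records are constructed, not real indicators.

```python
"""Hunt DNS resolver logs for beacons to the Orion backdoor's check-in domain."""
from collections import defaultdict

# Domain named in the advisory; the subdomain is victim-specific, so match
# the whole zone rather than one exact name.
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed sample records, not real telemetry. Assumed format per line:
#   <timestamp> <client_ip> <query_name> <qtype> <rcode> <answer_or_->
# The subdomain label and the answer values are made up for this example.
SAMPLE_LOG = """\
2020-12-14T10:01:02Z 10.0.5.21 www.solarwinds.com A NOERROR 203.0.113.10
2020-12-14T10:01:09Z 10.0.5.21 k3j4h5g6f7d8.avsvmcloud.com A NXDOMAIN -
2020-12-14T10:11:09Z 10.0.5.21 k3j4h5g6f7d8.avsvmcloud.com A NOERROR 198.51.100.7
2020-12-14T10:12:40Z 10.0.5.21 k3j4h5g6f7d8.avsvmcloud.com CNAME NOERROR cdn.example-c2.test
2020-12-14T10:15:00Z 10.0.7.33 mail.example.org A NOERROR 192.0.2.5
2020-12-14T10:20:00Z 10.0.9.8 notavsvmcloud.com A NOERROR 192.0.2.9
"""

def is_beacon_query(qname: str) -> bool:
    """True for the domain or any subdomain, matched on a label boundary so
    that look-alikes such as notavsvmcloud.com are not flagged."""
    q = qname.lower().rstrip(".")
    return q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN)

def parse_line(line: str):
    parts = line.split()
    if len(parts) != 6:
        return None  # skip malformed records rather than crash the hunt
    ts, client, qname, qtype, rcode, answer = parts
    return {"ts": ts, "client": client, "qname": qname,
            "qtype": qtype, "rcode": rcode, "answer": answer}

def hunt(log_text: str) -> dict:
    """Return {client_ip: {"checkins": n, "tasked": [(ts, qtype, answer), ...]}}.
    Every query to the zone is a check-in; a resolvable answer is where the
    adversary can hand back a new domain or IP for interactive C2, so those
    responses are listed separately for follow-up."""
    findings = defaultdict(lambda: {"checkins": 0, "tasked": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_beacon_query(rec["qname"]):
            continue
        entry = findings[rec["client"]]
        entry["checkins"] += 1
        if rec["rcode"] == "NOERROR" and rec["answer"] != "-":
            entry["tasked"].append((rec["ts"], rec["qtype"], rec["answer"]))
    return dict(findings)
```

Any host listed under "tasked" should be treated as a candidate for interactive C2 and its subsequent connections to the returned addresses reviewed first.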
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary uses virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications in order to hide their activity among legitimate user traffic. It is also reported that the threat actor is using Obfuscated Files or Information: Steganography to obscure C2 communications. This technique defeats many common defensive capabilities for detecting the activity. The adversary has been observed using multiple persistence mechanisms across a variety of intrusions, including adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism.
The threat actor's initial objective is understood to be collecting vital information from the victim's environment. The threat actor is compromising the Security Assertion Markup Language (SAML) signing certificate using its escalated Active Directory privileges.
Refer to the CISA alert for further updates and IOCs.