

Severity
High
Analysis Summary
CISA has uncovered a widespread campaign by an advanced persistent threat (APT) actor that has compromised U.S. government agencies, critical infrastructure entities, and private sector organizations. The actor's initial access vector for this activity is a supply chain compromise of a DLL shipped in the SolarWinds Orion products listed under Affected Products below. Post-compromise activity has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.
Technical Details
Initial Infection [TA0001]
Investigations are ongoing into victims that either do not use SolarWinds Orion at all, or where Orion was present but no exploitation of it was observed. In one such case the threat actor used a secret key it had stolen earlier to generate a cookie that bypassed the Duo multi-factor authentication protecting access to Outlook Web App (OWA). This shows that there are initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.
SolarWinds Orion Compromise
SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring, network configuration management, and several analysis tools. It is used to monitor and manage on-premises and hosted infrastructure. The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products: the adversary inserted a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, and the trojanized build was then signed with the legitimate SolarWinds code signing certificate, so the file passes signature checks. Once installed, the binary calls out to a victim-specific subdomain of avsvmcloud[.]com using a protocol designed to mimic legitimate SolarWinds traffic. After this initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic, so only victims of interest are escalated to a live C2 channel.
The adversary makes extensive use of obfuscation to hide its C2 communications. It uses virtual private servers (VPSs), often with IP addresses in the victim's home country, for most communications so that the activity blends into legitimate user traffic, and it is also reported to use Obfuscated Files or Information: Steganography to obscure C2 content. These techniques defeat many common network detection capabilities. The adversary has been observed using multiple persistence mechanisms across a variety of intrusions, including adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism.
The threat actor's initial objective appears to be collecting vital information from the victim's environment. Using its escalated Active Directory privileges, the actor has compromised Security Assertion Markup Language (SAML) signing certificates, which allows SAML tokens to be forged for access to federated services.
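The DNS beacon described above gives defenders a network-side detection that does not depend on the file hashes: any lookup of a subdomain of avsvmcloud[.]com from an Orion host is a check-in, and a response that points the implant at a new domain is the operator selecting that victim for interactive C2. The script below is an added example written for this advisory, not code from CISA, SolarWinds or the original page. It assumes a simple space-separated DNS log layout (timestamp, client, query name, record type, answer) and that the C2 handoff arrives as a CNAME answer; the sample log lines, the subdomain label, the CNAME target and all addresses in it are constructed for the example and are not indicators.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Beacon apex named in the advisory (written there defanged as avsvmcloud[.]com).
BEACON_DOMAIN = "avsvmcloud.com"

# One log line per DNS answer: "<timestamp> <client_ip> <query_name> <rr_type> <answer>".
# This layout is an assumption for the example; adapt LINE_RE to your resolver's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)\s+(?P<rrtype>[A-Z]+)\s+(?P<answer>\S+)$"
)

# Constructed sample log for the example. The subdomain label, the CNAME target and the
# addresses are made up and are not indicators from the advisory.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.1.2.30 intranet.example.com A 198.51.100.7
2020-12-14T09:12:09Z 10.1.2.30 k7g2xq9pd3lm8n0v.avsvmcloud.com A 10.0.0.5
2020-12-14T11:12:11Z 10.1.2.30 k7g2xq9pd3lm8n0v.avsvmcloud.com A 10.0.0.5
2020-12-14T13:12:14Z 10.1.2.30 k7g2xq9pd3lm8n0v.avsvmcloud.com CNAME update.example-cdn.net
2020-12-14T13:12:15Z 10.1.2.30 update.example-cdn.net A 203.0.113.40
2020-12-14T13:15:00Z 10.1.2.44 portal.example.org A 198.51.100.9
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    query: str
    rrtype: str
    answer: str


def parse_line(line: str) -> Optional[DnsRecord]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # Normalise names: DNS is case-insensitive and some logs keep the trailing dot.
    return DnsRecord(
        d["ts"], d["client"],
        d["query"].lower().rstrip("."), d["rrtype"],
        d["answer"].lower().rstrip("."),
    )


def is_beacon_query(name: str, domain: str = BEACON_DOMAIN) -> bool:
    """True for the apex and any subdomain of it (the victim-specific label sits below the apex)."""
    return name == domain or name.endswith("." + domain)


def analyze_dns_log(log_text: str, domain: str = BEACON_DOMAIN) -> dict:
    """Walk the log once and collect:
      beacon_hosts - clients that queried the beacon domain at all (the initial check-in)
      beacon_names - the victim-specific names they asked for
      handoffs     - (client, beacon name, CNAME target) where the response pointed the
                     implant at a new domain, i.e. the DNS-driven switch to interactive C2
      c2_ips       - addresses later resolved for those CNAME targets
    """
    beacon_hosts, beacon_names, handoffs, c2_names, c2_ips = set(), set(), [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_beacon_query(rec.query, domain):
            beacon_hosts.add(rec.client)
            beacon_names.add(rec.query)
            # A CNAME that leaves the beacon domain is the operator selecting this victim.
            if rec.rrtype == "CNAME" and not is_beacon_query(rec.answer, domain):
                handoffs.append((rec.client, rec.query, rec.answer))
                c2_names.add(rec.answer)
        elif rec.rrtype == "A" and rec.query in c2_names:
            c2_ips.add(rec.answer)
    return {
        "beacon_hosts": beacon_hosts,
        "beacon_names": beacon_names,
        "handoffs": handoffs,
        "c2_ips": c2_ips,
    }


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for host in sorted(result["beacon_hosts"]):
        print(f"beacon check-in from {host}")
    for client, name, target in result["handoffs"]:
        print(f"{client}: {name} -> CNAME {target} (interactive C2 selected)")
    print("resolved C2 addresses:", sorted(result["c2_ips"]))
```

Every host in `beacon_hosts` ran the trojanized build and should be scoped, even if it never received a handoff; the hosts in `handoffs` are the ones the operator chose to work on interactively, and the CNAME targets and `c2_ips` they produce are new, environment-specific indicators to add to the blocklist alongside those in the advisory.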
MITRE ATT&CK Techniques Used by Threat Actors
- Query Registry [T1012]
- Obfuscated Files or Information [T1027]
- Obfuscated Files or Information: Steganography [T1027.003]
- Process Discovery [T1057]
- Indicator Removal on Host: File Deletion [T1070.004]
- Application Layer Protocol: Web Protocols [T1071.001]
- Application Layer Protocol: DNS [T1071.004]
- File and Directory Discovery [T1083]
- Ingress Tool Transfer [T1105]
- Data Encoding: Standard Encoding [T1132.001]
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
- Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
- Software Discovery [T1518]
- Software Discovery: Security Software Discovery [T1518.001]
- Create or Modify System Process: Windows Service [T1543.003]
- Subvert Trust Controls: Code Signing [T1553.002]
- Dynamic Resolution: Domain Generation Algorithms [T1568.002]
- System Services: Service Execution [T1569.002]
- Compromise Infrastructure [T1584]
Impact
- Network compromise
- Unauthorized Access
- Data Theft
- Detection Evasion
- Exposure of sensitive data
Affected Vendors
SolarWinds
Affected Products
- Orion Platform 2019.4 HF5 version 2019.4.5200.9083
- Orion Platform 2020.2 RC1 version 2020.2.100.12219
- Orion Platform 2020.2 RC2 version 2020.2.5200.12394
- Orion Platform 2020.2
- Orion Platform 2020.2 HF1 version 2020.2.5300.12432
Indicators of Compromise
IP
- 13[.]59[.]205[.]66
- 65[.]153[.]203[.]68
- 3[.]87[.]182[.]149
SHA-256
- ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
- 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
- d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
Remediation
- Block the listed IP addresses and hashes at perimeter, DNS, proxy and endpoint controls.
- Search for the listed indicators in your environment: hash the SolarWinds Orion binaries on Orion hosts, and review DNS and proxy logs for lookups of avsvmcloud[.]com subdomains and connections to the listed IP addresses.
- Update SolarWinds Orion to a release that is not listed under Affected Products and keep it patched.
Refer to the CISA alert (AA20-352A) for updates and additional IOCs.
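As an added example of the IOC sweep the remediation steps above call for (not code from the original advisory or from SolarWinds), the script below takes the advisory's own indicators in their defanged form, refangs them, hashes DLLs under a directory tree against the SHA-256 list, and matches destination addresses in a connection log against the IP list. The `dst=` log field, the firewall log lines, and the throwaway file it creates to exercise the file sweep are constructed for the example; the directory you point `sweep_files` at would be the Orion installation path on a real host.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Indicators exactly as listed in the advisory above, in their defanged form.
ADVISORY_IPS = ["13[.]59[.]205[.]66", "65[.]153[.]203[.]68", "3[.]87[.]182[.]149"]
ADVISORY_SHA256 = [
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(ips, hashes):
    """Return (set of ip_address objects, set of lowercase hex digests)."""
    ip_set = {ipaddress.ip_address(refang(i)) for i in ips}
    hash_set = {h.strip().lower() for h in hashes}
    return ip_set, hash_set


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root: Path, hash_set, patterns=("*.dll",)) -> list:
    """Hash every file under root matching the patterns; return (path, digest) for IOC hits."""
    hits = []
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                digest = sha256_file(p)
                if digest in hash_set:
                    hits.append((str(p), digest))
    return hits


# Assumed log layout for the example: key=value fields with the destination in "dst=".
CONN_RE = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b")


def sweep_connections(log_text: str, ip_set) -> list:
    """Return the log lines whose destination address is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and ipaddress.ip_address(m.group("dst")) in ip_set:
            hits.append(line.strip())
    return hits


# Constructed firewall log lines; only the third reaches an address from the advisory.
SAMPLE_CONN_LOG = """\
2020-12-14T10:00:01Z src=10.1.2.30 dst=198.51.100.7 dport=443 action=allow
2020-12-14T10:00:07Z src=10.1.2.30 dst=203.0.113.40 dport=443 action=allow
2020-12-14T10:00:09Z src=10.1.2.30 dst=13.59.205.66 dport=443 action=allow
"""


def demo_file_sweep():
    """Create a throwaway directory holding a benign stand-in for the Orion DLL and sweep it
    twice: against the advisory's hashes (no hit expected), then with the file's own digest
    planted into the set to show what a match on a trojanized binary looks like."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        target = root / "solarwinds.orion.core.businesslayer.dll"
        target.write_bytes(b"constructed placeholder content, not a real binary")
        _, hash_set = load_iocs(ADVISORY_IPS, ADVISORY_SHA256)
        clean = sweep_files(root, hash_set)
        planted = sweep_files(root, hash_set | {sha256_file(target)})
        return clean, planted


if __name__ == "__main__":
    ip_set, hash_set = load_iocs(ADVISORY_IPS, ADVISORY_SHA256)
    for line in sweep_connections(SAMPLE_CONN_LOG, ip_set):
        print("connection to listed IP:", line)
    clean, planted = demo_file_sweep()
    print("clean sweep hits:", clean)
    print("planted sweep hits:", planted)
```

Because the malicious DLL carries a valid SolarWinds signature, a signature check alone will not flag it; the hash comparison (or a version check against the Affected Products list) is what identifies a trojanized install. A negative hash sweep is not a clean bill of health either: the advisory notes the actor's heavy use of obfuscation and per-victim infrastructure, so the DNS and connection evidence should be reviewed alongside the file hashes.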