The U.S. Cybersecurity and Infrastructure Agency (CISA) is aware of other attack methods on the IT supply chain in addition to known malware that infected SolarWinds’ Orion IT management platform.
In an alert issued Thursday, the agency said it “has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however these are still being investigated.” CISA will update the alert once new information becomes available.
On Sunday, SolarWinds disclosed that its Orion platform was compromised with malicious code via an update that essentially allowed attackers believed to be backed by a foreign government – purportedly Russia – to gain access to victim networks. These attacks began as early as March, according to CISA.
Targets included cybersecurity firm FireEye, the U.S. Commerce and Treasury departments and other U.S. agencies, including CISA itself.
Those events prompted CISA to issue an emergency directive to mitigate the attacks, calling on all federal civilian agencies to review networks for indications of a compromise and disconnect or power down the Orion platform immediately.
🚨 ACTIVITY ALERT 🚨
Review @CISAgov’s new Alert on the #APT campaign against federal agencies & critical infrastructure, providing updated affected product versions, IOCs, ATT&CK® techniques, and mitigation steps. https://t.co/ZgzAbUNKjL #Cyber #Cybersecurity #Infosec pic.twitter.com/QnntuVhUXb
— US-CERT (@USCERT_gov) December 17, 2020
Thursday’s alert cited four versions of the SolarWinds Orion Platform, but clearly noted that the attackers are using other unidentified initial infection vectors.
“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” the alert said.
The agency is investigating incidents in which victims report similar attack methods that don’t leverage SolarWinds Orion or where the software was present but not actively exploited.
CISA’s update comes after cybersecurity firm Volexity said earlier this week that it has observed a compromise of a U.S.-based think tank using a Duo multi-factor authentication bypass in Outlook Web App as an initial intrusion vector.
“Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two,” CISA’s alert said. “This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.”
Here are other observations made by CISA in the alert:
The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.
Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.
SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.
FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications. This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.
According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.
While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.
Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.
The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.
Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.
The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).
CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.
These are some key functions and systems that commonly use SAML.
- Hosted email services
- Hosted business intelligence applications
- Travel systems
- Timecard systems
- File storage services (such as SharePoint)
Detection: Impossible Logins
The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.
Detection: Impossible Tokens
The following conditions may indicate adversary activity.
- Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual.
- The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.
- A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.
Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.
Operational security plans should include:
- Out-of-band communications guidance for staff and leadership;
- An outline of what “normal business” is acceptable to be conducted on the suspect network;
- A call tree for critical contacts and decision making; and
- Considerations for external communications to stakeholders and media.
MITRE ATT&CK® Techniques
- CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.
- Query Registry [T1012]
- Obfuscated Files or Information [T1027]
- Obfuscated Files or Information: Steganography [T1027.003]
- Process Discovery [T1057]
- Indicator Removal on Host: File Deletion [T1070.004]
- Application Layer Protocol: Web Protocols [T1071.001]
- Application Layer Protocol: DNS [T1071.004]
- File and Directory Discovery [T1083]
- Ingress Tool Transfer [T1105]
- Data Encoding: Standard Encoding [T1132.001]
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
- Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
- Software Discovery [T1518]
- Software Discovery: Security Software [T1518.001]
- Create or Modify System Process: Windows Service [T1543.003]
- Subvert Trust Controls: Code Signing [T1553.002]
- Dynamic Resolution: Domain Generation Algorithms [T1568.002]
- System Services: Service Execution [T1569.002]
- Compromise Infrastructure [T1584]
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!