Cybersecurity experts from Microsoft have released a long, detailed blog about the SolarWinds compromise that includes new information that helps IT professionals better understand how the attack transpired.
The blog – a deep dive into how attackers moved from the initial backdoor and through customer networks – comes as the tech community continues to grapple with the effects of the compromise that has kept cybersecurity teams working around the clock to uncover the damage.
Microsoft’s findings also continue to illustrate just how sophisticated the attackers are.
The company published a previous blog that explored the malware that provided the backdoor into as many as 18,000 of SolarWinds’ customer networks and has detailed the hands-on-keyboard techniques attackers used on compromised endpoints using a second-stage payload – one of several custom Cobalt Strike loaders – including the loader that cybersecurity company FireEye calls Teardrop and a variant named Raindrop by Symantec.
According to the company, one missing link in the attack chain – which is being called Solorigate – is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.
“Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection,” the researchers wrote in the blog.
The researchers used the cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view.
The blog reiterates some facts that we already know: a fully functional Solorigate DLL backdoor was compiled at the end of February 2020 and pushed out to customers in late March. Attackers then removed the backdoor code from SolarWinds’ build environment in June 2020.
“Considering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we approximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure,” researchers wrote. “This approximation means that real hands-on-keyboard activity most likely started as early as May.”
Removing the malicious code from SolarWinds binaries in June could indicate that attackers reached a sufficient number of targets, and their objective shifted from deploying and activating the backdoor to being operational on selected victim networks with hands-on keyboard activity using the Cobalt Strike implants.
What researchers didn’t know was how exactly the jump from the backdoor to the Cobalt Strike loader happened. The blog dives into the technical details, including what security teams need to look for to detect this activity.
The blog reinforces just how skillful the attackers are and the lengths to which they went to avoid detection.
“However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s execution from the SolarWinds process as much as possible,” researchers wrote. “Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.”
Other techniques included methodical avoidance of shared indicators across compromised hosts, camouflage and blending into the environment, disabling event logging and re-enabling it afterward, preparing special firewall rules to minimize outgoing packets for certain protocols, enumerating remote processes and services running on target hosts before moving laterally, and timestomping to alter the timestamps of artifacts.
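The "disable event logging, then re-enable it" technique listed above leaves a detectable trace: an audit-policy change that removes a setting, a quiet stretch, and a second change that restores it. The check below is an added example, not code from Microsoft or from this article; Windows Security event ID 4719 ("system audit policy was changed") is a real event, but the record layout, the `detail` wording and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal Security-log record (assumed layout, not Microsoft's schema)."""
    time: datetime
    event_id: int
    host: str
    detail: str  # constructed summary of the message fields


# Constructed sample records: srv01 has Process Creation auditing removed,
# nothing is logged for 29 minutes, then the setting is added back.
SAMPLE = [
    Event(datetime(2020, 6, 3, 2, 10), 4624, "srv01", "logon"),
    Event(datetime(2020, 6, 3, 2, 12), 4719, "srv01", "Process Creation: Success removed"),
    Event(datetime(2020, 6, 3, 2, 41), 4719, "srv01", "Process Creation: Success added"),
    Event(datetime(2020, 6, 3, 2, 42), 4688, "srv01", "process created"),
    Event(datetime(2020, 6, 3, 3, 0), 4719, "srv02", "Logon: Failure added"),
]


def audit_gaps(events, min_gap_minutes=5):
    """Pair 'removed' and 'added' 4719 changes per host and return
    (host, off_time, on_time, gap) for each pair whose window is at least
    min_gap_minutes long and contains no other events from that host."""
    by_time = sorted(events, key=lambda e: e.time)
    pending = {}  # host -> the 4719 event that removed an audit setting
    findings = []
    for ev in by_time:
        if ev.event_id != 4719:
            continue
        if "removed" in ev.detail:
            pending[ev.host] = ev
        elif "added" in ev.detail and ev.host in pending:
            off = pending.pop(ev.host)
            gap = ev.time - off.time
            quiet = not any(e.host == ev.host and off.time < e.time < ev.time
                            for e in by_time)
            if quiet and gap >= timedelta(minutes=min_gap_minutes):
                findings.append((ev.host, off.time, ev.time, gap))
    return findings


if __name__ == "__main__":
    for host, off, on, gap in audit_gaps(SAMPLE):
        print(f"{host}: auditing off {off:%H:%M} to {on:%H:%M} ({gap})")
```

A restore-only change (srv02 above) is not flagged, and the silence requirement keeps routine policy edits on a busy host from producing findings.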