SolarWinds Orion and UNC2452 – Summary and Recommendations

In the wake of recent revelations regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, and subsequent targeting of private sector and government organizations by said actor, the TrustedSec Incident Response team is releasing the following summary and guidance. This guidance reflects information from industry counterparts as well as recommendations derived from internal experience. To reiterate, this document represents a consolidation of the vast number of useful resources and information being shared by the community; it is intended to provide a convenient source of information and guidance as the situation develops, not to label existing research as our own.

For the purposes of this discussion, we will be referring to the threat actor dubbed “UNC2452” by FireEye and the corresponding malware identified as “SUNBURST,” which has capabilities to deliver a memory-only dropper named “TEARDROP,” which in turn has been observed delivering Cobalt Strike Beacon and other malware.

Highlights

UNC2452 has been observed leveraging a supply chain compromise to serve backdoored updates for the SolarWinds Orion Platform software.
  As such, the initial access vector into a target environment is the Orion software itself, rather than “traditional” access vectors such as RDP or phishing.

Compromised builds of the SolarWinds Orion Platform include versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
  The malicious update is digitally signed by SolarWinds and has been publicly available since March 2020.

The threat actor has implemented extensive measures to blend their activity with legitimate SolarWinds behavior, with the goal of evading detection.

The threat actor has been observed conducting a variety of post-exploitation activities to act on objectives and establish long-term access, including:
  Adding or modifying federation trusts in Azure AD to accept tokens signed with actor-owned certificates;
  Adding x509 keys/password credentials to OAuth Applications or Service Principa ..
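The last two highlights concern credentials being added to Azure AD applications and service principals. The following is an added example (not TrustedSec's or SolarWinds' code) of the review a defender can run over a Microsoft Graph /servicePrincipals export to surface key or password credentials added inside a chosen window; the record layout follows the Graph schema, and the sample export is constructed.

```python
"""Added example (not TrustedSec's code): flag credentials recently added
to Azure AD service principals, using an export shaped like the Microsoft
Graph /servicePrincipals response. The sample data is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed export: one app with an old secret, one app with a
# certificate and a secret both added within the last few days.
SAMPLE_EXPORT = [
    {"appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Mail Connector",
     "keyCredentials": [],
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "prod-secret",
          "startDateTime": "2019-06-01T00:00:00Z"}]},
    {"appId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Backup Sync",
     "keyCredentials": [
         {"keyId": "k2", "displayName": "CN=unknown-issuer",
          "type": "AsymmetricX509Cert", "usage": "Verify",
          "startDateTime": "2020-12-10T03:14:00Z"}],
     "passwordCredentials": [
         {"keyId": "k3", "displayName": None,
          "startDateTime": "2020-12-11T22:05:00Z"}]},
]


def parse_graph_time(value: str) -> datetime:
    """Graph emits ISO-8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recently_added_credentials(export, now: datetime, window_days: int):
    """Return (appId, displayName, kind, keyId) for each keyCredential or
    passwordCredential whose startDateTime is within window_days of now."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for sp in export:
        for kind in ("keyCredentials", "passwordCredentials"):
            for cred in sp.get(kind, []):
                if parse_graph_time(cred["startDateTime"]) >= cutoff:
                    hits.append((sp["appId"], sp["displayName"],
                                 kind, cred["keyId"]))
    return hits


if __name__ == "__main__":
    review_time = datetime(2020, 12, 14, tzinfo=timezone.utc)
    for hit in recently_added_credentials(SAMPLE_EXPORT, review_time, 30):
        print("REVIEW:", hit)
```

Each flagged entry should be matched against a change ticket; a certificate with an unfamiliar issuer or a secret with no display name on a long-lived application is exactly the kind of addition the highlights above describe.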
