On December 13 2020, multiple vendors such as FireEye and Microsoft reported emerging threats from a
nation-state threat actor who compromised SolarWinds, and trojanized SolarWinds Orion business software
updates in order to distribute backdoor malware called SUNBURST. Because of the popularity of
SolarWinds, the attacks have affected multiple government agencies and many Fortune 500 companies. It
also appeared in the recent CISA Emergency Directive 20-01. Given its importance, we would like to
provide a quick response and suggestions for you to deal with this critical threat.

1. Mitigate SolarWinds Orion Supply Chain Compromise

CISA Emergency Directive 20-01 provides very good suggestions on how to mitigate the
SolarWinds Orion supply chain compromise. You first need to identify whether you are running
the affected version of SolarWinds Orion products (2019.4 through 2020.2.1 HF1). Any hosts
managed by such software should be considered as compromised based on the CISA
suggestions.

2. Detect Suspicious Network Communications

We have already incorporated the threat intelligence of SUNBURST into our platform.

2.1 Network Level IoCs

SUNBURST employs a complex, multi-staged mechanism to connect to a C2 (Command &
Control) channel. It first connects to a domain with assvmcloud.com as the TLD. The
domain resolves and returns a CNAME to another malicious domain, then to the IP address. We
have incorporated the IoCs in terms of domains and IP addresses in our emerging threat
intelligence and pushed through the Stellar Cyber cloud. Every customer already has the update
automatically. If any IP address or domain matches the IoC from threat intelligence, we will
enrich the Interflow record and the corresponding IP address with the following fields in the
traffic index:

• dstip_reputation: emerging_threat
• dstip_reputation_source: SolarWinds_Backdoor

With that, you can create an ATH (Automated Threat Hunting) rule to run a customized
detection for such C2 alerts (our customer support team can also help with that).

Data ingestion that can trigger domain reputation:2 Rev 03
• network sensor
• security sensor

Data ingestion that can trigger IP address reputation:
• network sensor
• security sensor
• Windows event log/Sysmon
• firewall connection logs

2.2 IDS Signatures

From our threat intelligence sources, we have also incorporated the IDS signatures into our
security sensors to detect suspicious SolarWinds Orion communications with SUNBURST.
Every customer already has the update automatically.
Look for:

ids.signature:SUNBURST

in the ML-IDS/Malware index.
With that, you can create an ATH rule to run a customized detection (our customer support team
can also help with that).
Data ingestion that can trigger IDS signatures: security sensor.

3. Detect Suspicious Signals on the Hosts

There are also different signals we can detect based on the host-level data.

3.1 Windows Event Log from Sysmon

If you have configured Sysmon to capture event 17 & 18, you can run the following query in the
Windows Event index to capture possible malicious behavior related to the Windows pipe.

(event_id:17 OR event_id:18) AND log_name: "Microsoft-Windows-Sysmon/Operational " AND
event_data.PipeName: "583da945-62af-10e8-4902-a8f205c72b2e "

With that, you can create an ATH rule to run a customized detection (our customer support team
can also help with that).
Data ingestion requirement: Sysmon with event 17 & 18 turned on.

3.2 EDR Alert Ingestions

EDR software, such as CrowdStrike, Carbon Black, etc. might already detect host-level IoCs for
SUNBURST. If data ingestion is properly configured, you can also view the EDR alerts in
Starlight and correlate with the other signals.

4. Detect Suspicious Lateral Movement

Given that SUNBURST might penetrate to many different enterprises, the attacker might use
different ways to establish persistent footholds and lateraly move to attack different targets in
different enterprises. Detecting lateral movement is crucial.

4.1 Lateral Movement to Azure AD

As shown in the report from Microsoft, the attackers might use the SUNBURST backdoor to
target Azure AD, through capturing password or forged SAML tokens. You can convert the
following queries to ATH rules (our customer support team can also help with that).

(1) New Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal"

(2) Credentials and certificates added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal credentials"

(3) Permissions and role assignments added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:("Add app role assignment to service
principal" OR "Add delegated permission grant" OR "Add application")

(4) Apps modified to allow multi-tenant access:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Update application" AND
operationType.keyword:"Update" AND result.keyword:"success" AND
targetResources.modifiedProperties.displayName.keyword:"AvailableToOtherTenants"

(5) Changes to Azure AD Custom Domains:

msg_class:azure_ad_audit AND (activityDisplayName.keyword:"Add unverified domain" OR
activityDisplayName:"domain")

Data ingestion requirement: Azure AD audit log.

4.2 Lateral Movement Through RDP

The threat research from Splunk shows that RDP might be used in lateral movement with
SUNBURST. In Starlight 3.10.0 we developed 10 RDP-related detections that can help identify
the RDP-related lateral movement (and RDP attacks in general).
Data ingestion requirement:
• network sensor
• security sensor
• and/or Windows event log

4.3 Other Lateral Movement Detection Suggestions

Overall, SUNBURST might establish permanent footholds inside enterprises, which might create
more signals with lateral movement.

You can search the historical data stored in Starlight for IoCs or suspicious activity from hosts
with SolarWinds Orion installed. For example, search for

"dstip_host:*avsvmcloud* OR
metadata.request.query: *avsvmcloud* "

in Traffic data prior to 12/13/2020 to see whether any
hosts were already involved in SUNBURST C2.

Moreover, you can filter the alerts with the global query

"srcip_type:private AND
dstip_type:private"

, so you can pay more attention to the internally generated alerts and identify
potential internal network signals.

5. Conclusions

Through research on SUNBURST, we quickly developed some ideas you can use to detect
SUNBURST using Starlight. We are constantly working on threat research and will release more
up-to-date information and additional detections when it becomes available. Stay tuned!

Today’s security landscape consistently shows data breaches, compliance failures and other security weaknesses for businesses of all sizes.

Hackers make headlines every day and consumers have started to care about online crime because it’s a reality, and no company or individual is immune.

So why, then, do some executives continue to be in denial about the state of their company’s cyber security? Let’s outline and debunk a few fatal flaws in their thinking:

“Sophisticated hackers don’t care about us.”

No business is too small for cyber thieves — in fact, according to the 2018 Verizon Data Breach Investigation Report (DBIR) 58% of victims in 2017 were categorized as small business.

The idea that only the big guys like Hyatt, Hilton and Home Depot are being targeted is obsolete — hackers see that SMBs are acting lackadaisical when it comes to their security, making for an easy target. They’re also using SMBs to gain access to the larger, more lucrative company hacks.

“Some level of breach is inevitable.”

As devices and technologies continue to evolve, so do cyber threats. More devices, more data, more network traffic means more insecurity. And shortages in savvy security talent are not helping.

While it’s accurate to say that most businesses today, no matter the size, have been or will be targeted by online criminals, some executives think it’s simply the cost of doing business online. Thinking that security measures will never stack up is a lazy mentality and one that will likely eventually cost someone his business.

“We can recover.”

Eighty percent of top execs don’t equate compromised confidential data with the loss of revenues. Reality check: The average cost of a data breach is $3.62 million globally, $141 per data record according to the Ponemon Institute. Which constitutes a reduction on the average cost compared to 2016, but the average size of data breaches has increased. That is no small fee, especially for an SMB.

“Cybersecurity is too costly.”

There’s a perception that securing data is both expensive and challenging, possibly causing a barrier to business operations. This is no longer the case. As outlined in the numbers above, prevention is cheaper than clean-up.

However, there are steps you can take to save, such as taking a look at your existing security portfolios: Are your current tools already failing you? Are they suited to the current security environment? Can those dollars simply be moved into what attackers are currently after, which is data?

If the cost issue is around staffing, consider whether your in-house team is savvy enough to keep the business up to speed. And, if not, or if they need guidance, consider working with a third-party managed security provider to assist.

IT teams will need to take the lead in educating senior leadership about preventative planning and security measures to address vulnerabilities and manage risk. If this doesn’t happen, businesses will begin to crumble. By working with top managed security service providers, internal IT teams can begin a concentrated effort to maximize their IT systems and processes.

Everyone enjoys a great employee horror story or two. In the last 20 years of working in the field of Information Technology and Cyber Security, I have watched first hand as many untrained employees have done things to jeopardize their company Cyber Security.

When it comes to the security and protection of your network, there is only so much that can be done from a cyber security standpoint. Employees play a key role in helping to protect your corporate network and security and if not properly trained can contribute to the majority of your breaches and loss of data. Educating them on the proper procedures and standards is paramount to ensuring your network information stays safe and secure.

Our story today shows what happens when an employee is not aware that their actions may cause a severe data breach at this local insurance company.

The Story

We see it every day on the news; Lowe’s, Target, Home Depot and Sony to name a few. Companies are getting hacked daily, resulting in the loss of income, privacy breaches, stolen credit card information and tainted reputations. The demand on the internet black market for private information is huge with huge financial gains for anyone able to provide this type of information.

A long term employee (we will call him John) for a local insurance agent was outside sitting down, eating his lunch one day. It was a typical day for John; as he was just finishing up his lunch, he happened to see a USB flash key sitting on the ground next to the trashcan. Picking up the key, he thought nothing about what could be on the key or how it came to be there.

Later in the day, John remembered that he had found the key and was curious to see what was on it. Inserting it into his system, John was surprised and maybe a little to happy to find that the drive had been empty. Taking the drive out of his machine he threw it into a desk drawer to be forgotten.

While this sounds like a rather boring example of a guy finding a USB drive, and discovering it was “empty.” It is just that kind of tale until roughly ten days later, in our secure operations center something quite serious was happening.

One of our Senior Analyst started to get alerts that the insurance client’s network was being accessed from an out-of-country computer system repeatedly. The attack took the form of a large number of failed network login attempts. This type of alert was indicative of a system breach and demanding our immediate attention. Our Senior Analyst was able to send out an alert to the customer, and we dispatched a Senior Engineer to the site. After comparing system monitoring reports with some “old fashioned detective work” by our Senior Engineer, we were able to determine the source of the intrusion … it came from malware placed on a USB key, discovered “accidentally” by an employee.

The USB Key was planted where it was found by hackers, hoping someone would come along and find the key loaded with malware. Thankfully the insurance company had our monitoring and intrusion detection software in place, and were able to quickly respond to the threat. Several hours later, we were able to remove the malware and secure the network from the external breach attempt. Our Senior Engineer then took a few moments to speak to the operations head at the insurance company and explain to them what caused the breach.

Image for post
Be aware of any USB keys you cannot identify.

The unsuspecting employee who triggered the breach learned two valuable lessons:

  1. Never pick up stray USB keys off the street and insert it directly into a system without some sort of protection in place to prevent malware installation.
  2. Hackers will rely on a combination of human nature and sophisticated malware to breach corporations to access proprietary data.

What is the moral of the story?

IT Cyber Security is an important part of your company’s daily operations, having a lax security system can result in a breach that could financially impact your company. Hackers are getting smarter, and using methods that take advantage of human behavior, and typical business rules. The only way to prevent suffering from a data breach is to have a layered approach (monitoring, reporting, and analysis) to dealing with intrusion attempts.

It’s no secret that today’s cyber security breaches are happening with unprecedented sophistication and boldness. Just last month, the FBI issued an alert that everyone should reboot their routers in order to prevent a compromise that may have affected hundreds of thousands of home and office routers and other network devices. In more mundane cyber news, a MyFitnessPal was breached, exposing the private data of 150 million app users. Even Mark Zuckerberg, the undisputed king of social media, had his Twitter and Pinterest accounts hacked. It seems no one, from high level Democratic movers and shakers to those simply parking to go to work, is safe from the threat of a security breach.

When will it end? The answer, sadly, is not any time soon. Black market users are willing to pay handsomely for sensitive personal information. As long as the opportunity exists to make money, intelligent and determined hackers will continue to exploit poor security practices to get at the content they want. Barbarians? Not by a long shot. The skill, expertise and motivation of elite hackers should not be underestimated.

Expect the problem to get worse. Hackers pride themselves on staying a step ahead in tenacity and intelligence, treating each successful hack as a badge of honor. As we take more advantage of the benefits that connectivity provide, we create more opportunity for the hacking community to get at our private information. According to Cisco, 2016 was the year when more devices will be connected to the Internet than people. This burgeoning Internet-of-Things revolution will dramatically increase the potential attack surface of any give network — if you have more doors, that’s just more chances to find a way in. Simply put, the more things you hang off your Internet, the more opportunity you provide for a breach.

What to do? Go off the grid? Not so fast. Today’s online experience is already transformational compared to life just a few years ago. Could you imagine giving up the convenience and availability provided by your business or personal network? Improvements in user experience, network reliability and speed, and content availability and quality have brought online experiences far beyond indispensable. And yes, despite the growing number of breaches, there have been major strides made in network security.

In reality, the benefits afforded by the IoT revolution in terms of lifestyle, safety, and efficiency far outweigh the drawbacks. So don’t expect IoT to go away anytime soon.

Two years ago, I wrote the first iteration of Barbarians at the Gate, you can still find it on medium.com at https://medium.com/@gmatt.johnson/barbarians-at-the-gate-11b324a04459 Unfortunately, the Barbarians, amongst others, are still at the gate, and it does appear that they are setting up for a long-term siege of your business. The year 2020 has seen its share of high impact security breaches ranging from Twitter to a small Managed Service Provider that Ironclad Cyber Security worked on a few months ago.

The first quarter of 2020 has shaped up to be one of the worst quarters in history with an estimated 8 billion records exposed. These records consisted of credit cards, home addresses, phone numbers, and other personal and sensitive information. Information that not only exposes your private information but could easily put your company at risk for lawsuits and other regulatory actions.

Are there really barbarians at your gate?

The answer to this question is based on how you define a barbarian. Wikipedia defines barbarians as a human who is perceived to be either uncivilized or primitive. By this definition, we would assume that hacking is uncivilized and primitive with no real sophistication.

In contrast hacking attacks portrayed in the media are often perceived as sophisticated, elaborate, and multi-layered. The key to that portrayal is that as stated by Chris Scott of IMB’s X-Force IRIS incident response team, “No one is going to say they were breached by average hackers.”

Are there barbarians’? Sure, there are, unsophisticated attacks that happen all the time. Often these barbarians rely on persistence instead of sophistication to attack your business. Think of a kid with a laptop attempting to login into your network continuously. Given enough time and attempts, they will eventually gain access to your most data and resources.

On the reverse side, the skill, expertise, and motivation of elite hackers should not be underestimated. Elite hackers often used layered attacks and strategies to gain access to your business. These hackers often work in groups or can even be state-sponsored. These groups often are working towards specific types of business or information to gain the most valuable data.

When will it end?
The real answer, sadly, is that it will never end. Ransomware, Phishing attacks, and other hacks while they may change the type of attack the basic idea of persons or organizations attempting to access your business information will not end. If black-market users and criminal organizations are willing to pay handsomely for sensitive personal information. There will always be those who seek to gain access to that information.

What can I do in this ever-changing world of barbarians and non-barbarians?
Often good cybersecurity is less about keeping out attackers 100% but about keeping attackers out long enough that they realize their time is not worth attacking your system. At Ironclad Cyber Security we always recommend a layered (think of an onion, you peel off one layer and there is another.) approach to your cybersecurity strategy which can be built by Ironclad Cyber Security and our team of security consultants.

Ironclad Cyber Security can assist in developing your cybersecurity strategy today to create a layered approach to protecting your assets. The Ironclad Cyber Security layered approach starts with our Pulse Network and Asset monitoring service that allows our SOC team to monitor your network and assets for security events and incidents. Ironclad Cyber Security combines this service with our professional security consulting and security endpoint monitoring products to create your layered cybersecurity platform.