Detect SolarWinds SUNBURST Backdoor with Stellar Cyber Open-XDR Platform


On December 13, 2020, FireEye, Microsoft and other vendors reported that a nation-state threat
actor had compromised SolarWinds and trojanized SolarWinds Orion software updates in order to
distribute a backdoor named SUNBURST. Because Orion is so widely deployed, the campaign has
affected multiple government agencies and many Fortune 500 companies, and CISA responded with
Emergency Directive 21-01. Given its importance, we would like to provide a quick response and
suggestions for dealing with this critical threat.

1. Mitigate SolarWinds Orion Supply Chain Compromise

CISA Emergency Directive 21-01 gives concrete guidance on mitigating the SolarWinds Orion
supply chain compromise. First identify whether you are running an affected version of the
SolarWinds Orion products (2019.4 through 2020.2.1 HF1). Per CISA, any host monitored or
managed by such an installation should be treated as compromised.

2. Detect Suspicious Network Communications

We have already incorporated the threat intelligence of SUNBURST into our platform.

2.1 Network Level IoCs

SUNBURST uses a multi-staged mechanism to reach its C2 (Command & Control) channel. It first
resolves a generated subdomain of avsvmcloud.com. The DNS response returns a CNAME pointing to
a second attacker-controlled domain, which in turn resolves to the C2 IP address. We have added
these domains and IP addresses as IoCs to our emerging threat intelligence and pushed them
through the Stellar Cyber cloud, so every customer already has the update automatically. When a
destination IP address or domain matches one of these IoCs, we enrich the Interflow record and
the corresponding IP address with the following fields in the traffic index:

• dstip_reputation: emerging_threat
• dstip_reputation_source: SolarWinds_Backdoor

With that, you can create an ATH (Automated Threat Hunting) rule to run a customized
detection for such C2 alerts (our customer support team can also help with that).

Data ingestion that can trigger domain reputation:
• network sensor
• security sensor

Data ingestion that can trigger IP address reputation:
• network sensor
• security sensor
• Windows event log/Sysmon
• firewall connection logs
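The enrichment described above, written out as an added Python example (this is not Stellar Cyber's code): each traffic record is checked against the first-stage domain on label boundaries, against the CNAME chain, and against a C2 address list, and tagged with the same dstip_reputation / dstip_reputation_source fields on a hit. The record layout, the second-stage domain and the C2 network are constructed placeholders to be replaced from your threat-intel feed; only avsvmcloud.com comes from the text.

```python
"""Added example (not Stellar Cyber's code): tag traffic records whose
destination domain, CNAME chain or IP matches SUNBURST IoCs, producing the
dstip_reputation / dstip_reputation_source enrichment fields.

Assumptions: the record fields (dstip_host, cname_chain, dstip) are a
simplified stand-in for Interflow; the second-stage domain and the C2
network are hypothetical placeholders. avsvmcloud.com is the first-stage
domain from the text.
"""
import ipaddress

STAGE1_SUFFIX = "avsvmcloud.com"                        # from the text
STAGE2_DOMAINS = {"stage2-c2.example"}                  # hypothetical
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical (TEST-NET-3)

REPUTATION_FIELDS = {
    "dstip_reputation": "emerging_threat",
    "dstip_reputation_source": "SolarWinds_Backdoor",
}


def domain_matches(name, suffix):
    """True if name equals suffix or is a subdomain of it.

    Matching on label boundaries, rather than a substring search such as
    *avsvmcloud*, avoids false positives on look-alike names like
    avsvmcloud.com.lookalike.example and tolerates a trailing dot.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def ip_matches(ip):
    """True if ip falls inside a listed C2 network; non-IPs never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in C2_NETWORKS)


def enrich(record):
    """Return a copy of record, with reputation fields added on an IoC hit."""
    hit = domain_matches(record.get("dstip_host", ""), STAGE1_SUFFIX)
    for cname in record.get("cname_chain", []):
        # The first stage answers with a CNAME to a second attacker domain.
        hit = hit or domain_matches(cname, STAGE1_SUFFIX) or any(
            domain_matches(cname, d) for d in STAGE2_DOMAINS)
    hit = hit or ip_matches(record.get("dstip", ""))
    out = dict(record)
    if hit:
        out.update(REPUTATION_FIELDS)
    return out


def hunt(records):
    """Enrich every record and return only those that were tagged."""
    return [r for r in map(enrich, records) if "dstip_reputation" in r]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # DNS stage: generated subdomain of avsvmcloud.com, CNAME to stage 2
    {"srcip": "10.1.2.3", "dstip": "198.51.100.7",
     "dstip_host": "xk3d9fq1.avsvmcloud.com",
     "cname_chain": ["edge.stage2-c2.example"]},
    # Look-alike that a substring search would wrongly flag
    {"srcip": "10.1.2.4", "dstip": "198.51.100.8",
     "dstip_host": "avsvmcloud.com.lookalike.example", "cname_chain": []},
    # Direct connection to a C2 address with no hostname
    {"srcip": "10.1.2.5", "dstip": "203.0.113.42", "dstip_host": "",
     "cname_chain": []},
    # Benign
    {"srcip": "10.1.2.6", "dstip": "93.184.216.34",
     "dstip_host": "example.com", "cname_chain": []},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_RECORDS):
        print(r["srcip"], "->", r.get("dstip_host") or r["dstip"],
              r["dstip_reputation_source"])
```

Run against the constructed records, two of the four are tagged: the avsvmcloud.com subdomain and the direct connection to the placeholder C2 network; the look-alike name is correctly left alone.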

2.2 IDS Signatures

From our threat intelligence sources, we have also added IDS signatures to our security sensors
that detect SUNBURST C2 communications from SolarWinds Orion hosts. Every customer already has
the update automatically.
Look for:

ids.signature:SUNBURST

in the ML-IDS/Malware index.
With that, you can create an ATH rule to run a customized detection (our customer support team
can also help with that).
Data ingestion that can trigger IDS signatures: security sensor.

3. Detect Suspicious Signals on the Hosts

There are also different signals we can detect based on the host-level data.

3.1 Windows Event Log from Sysmon

If you have configured Sysmon to capture events 17 (pipe created) and 18 (pipe connected), you
can run the following query in the Windows Event index to find the named pipe that SUNBURST
creates to ensure only one instance of the backdoor is running:

(event_id:17 OR event_id:18) AND log_name:"Microsoft-Windows-Sysmon/Operational" AND
event_data.PipeName:"583da945-62af-10e8-4902-a8f205c72b2e"

Sysmon records pipe names with a leading backslash (\583da945-62af-10e8-4902-a8f205c72b2e), so
if an exact match on the field returns nothing, match with a leading wildcard or strip the
backslash at ingestion.

With that, you can create an ATH rule to run a customized detection (our customer support team
can also help with that).
Data ingestion requirement: Sysmon with event 17 & 18 turned on.
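The same check applied to exported Sysmon events, as an added Python example (not Stellar Cyber's code): it filters on the Sysmon channel and event IDs 17/18, normalises the PipeName value so the leading backslash or a full \\.\pipe\ prefix does not cause a miss, and reports which hosts and images touched the SUNBURST pipe. The event layout (event_id, log_name, computer, event_data.PipeName, event_data.Image) follows what log shippers typically emit, and the sample events are constructed.

```python
"""Added example (not Stellar Cyber's code): apply the Sysmon pipe query
to exported Sysmon events and report the hosts on which the SUNBURST
named pipe was created (event 17) or connected to (event 18).

Assumptions: events are dicts in a log-shipper-like shape; the sample
events are constructed. The pipe name is the one quoted in the text;
Sysmon writes pipe names with a leading backslash, which is normalised
away before comparison.
"""
SUNBURST_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"
SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"
PIPE_EVENTS = {17, 18}   # 17 = PipeCreated, 18 = PipeConnected
ORION_HOST = "C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe"


def normalise_pipe(name):
    r"""Strip a \\.\pipe\ prefix or leading backslash and lower-case the rest."""
    name = name.strip().lower()
    prefix = "\\\\.\\pipe\\"
    if name.startswith(prefix):
        name = name[len(prefix):]
    return name.lstrip("\\")


def is_sunburst_pipe_event(event):
    """True if event is a Sysmon 17/18 naming the SUNBURST pipe."""
    if event.get("event_id") not in PIPE_EVENTS:
        return False
    if event.get("log_name", "").strip() != SYSMON_LOG:
        return False
    pipe = event.get("event_data", {}).get("PipeName", "")
    return normalise_pipe(pipe) == SUNBURST_PIPE


def affected_hosts(events):
    """Map computer name -> sorted list of (event_id, Image) for matching events."""
    hits = {}
    for ev in events:
        if is_sunburst_pipe_event(ev):
            image = ev.get("event_data", {}).get("Image", "")
            hits.setdefault(ev.get("computer", "?"), set()).add(
                (ev["event_id"], image))
    return {host: sorted(v) for host, v in hits.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 17, "log_name": SYSMON_LOG, "computer": "orion01",
     "event_data": {"PipeName": "\\" + SUNBURST_PIPE, "Image": ORION_HOST}},
    {"event_id": 18, "log_name": SYSMON_LOG, "computer": "orion01",
     "event_data": {"PipeName": "\\" + SUNBURST_PIPE, "Image": ORION_HOST}},
    # Same pipe name but from a different channel: ignored by the query
    {"event_id": 17, "log_name": "Security", "computer": "ws07",
     "event_data": {"PipeName": "\\" + SUNBURST_PIPE, "Image": "x.exe"}},
    # Benign pipe on the Sysmon channel
    {"event_id": 17, "log_name": SYSMON_LOG, "computer": "ws08",
     "event_data": {"PipeName": "\\lsass",
                    "Image": "C:\\Windows\\System32\\lsass.exe"}},
]

if __name__ == "__main__":
    for host, entries in affected_hosts(SAMPLE_EVENTS).items():
        for event_id, image in entries:
            print(host, event_id, image)
```

Only orion01 is reported, with both the creation and the connection event; the event on the Security channel and the benign lsass pipe are dropped, which mirrors the query's log_name and PipeName constraints.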

3.2 EDR Alert Ingestions

EDR products such as CrowdStrike or Carbon Black may already detect host-level SUNBURST IoCs. If
ingestion is properly configured, you can also view those EDR alerts in Starlight and correlate
them with the other signals.

4. Detect Suspicious Lateral Movement

Given that SUNBURST may have penetrated many different enterprises, the attacker might use
different ways to establish persistent footholds and move laterally to attack other targets
within each enterprise. Detecting lateral movement is crucial.

4.1 Lateral Movement to Azure AD

As described in Microsoft's report, the attackers may use the SUNBURST foothold to pivot into
Azure AD, either with stolen credentials or with forged SAML tokens. You can convert the
following queries to ATH rules (our customer support team can also help with that).

(1) New Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal"

(2) Credentials and certificates added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal credentials"

(3) Permissions and role assignments added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:("Add app role assignment to service principal" OR "Add delegated permission grant" OR "Add application")

(4) Apps modified to allow multi-tenant access:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Update application" AND
operationType.keyword:"Update" AND result.keyword:"success" AND
targetResources.modifiedProperties.displayName.keyword:"AvailableToOtherTenants"

(5) Changes to Azure AD Custom Domains:

msg_class:azure_ad_audit AND (activityDisplayName.keyword:"Add unverified domain" OR
activityDisplayName:"domain")

Data ingestion requirement: Azure AD audit log.
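The five queries above expressed as plain Python rules over Azure AD audit records, as an added example (not Stellar Cyber's code), so you can see which rule each event trips before turning the queries into ATH rules. The field names follow the Azure AD audit log schema the queries use (activityDisplayName, operationType, result, targetResources[].modifiedProperties[].displayName); msg_class:azure_ad_audit is assumed to hold for every record passed in, and the sample records are constructed.

```python
"""Added example (not Stellar Cyber's code): the five Azure AD audit
queries as Python rules run over audit-log records; each matching record
comes back with the names of the rules it triggered.

Assumptions: records use the Azure AD audit log field names the queries
reference; msg_class:azure_ad_audit is taken as already satisfied; the
sample records are constructed.
"""


def modified_property_names(record):
    """Collect modifiedProperties.displayName across all targetResources."""
    names = set()
    for res in record.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            names.add(prop.get("displayName", ""))
    return names


def new_service_principal(r):          # query (1)
    return r.get("activityDisplayName") == "Add service principal"


def sp_credential_added(r):            # query (2)
    return r.get("activityDisplayName") == "Add service principal credentials"


def permission_or_role_added(r):       # query (3)
    return r.get("activityDisplayName") in {
        "Add app role assignment to service principal",
        "Add delegated permission grant",
        "Add application",
    }


def app_made_multitenant(r):           # query (4)
    return (r.get("activityDisplayName") == "Update application"
            and r.get("operationType") == "Update"
            and r.get("result") == "success"
            and "AvailableToOtherTenants" in modified_property_names(r))


def custom_domain_changed(r):          # query (5)
    name = r.get("activityDisplayName", "")
    return name == "Add unverified domain" or "domain" in name.lower()


RULES = [
    ("new_service_principal", new_service_principal),
    ("sp_credential_added", sp_credential_added),
    ("permission_or_role_added", permission_or_role_added),
    ("app_made_multitenant", app_made_multitenant),
    ("custom_domain_changed", custom_domain_changed),
]


def evaluate(record):
    """Return the names of the rules that match one audit record."""
    return [name for name, fn in RULES if fn(record)]


def run(records):
    """Return (record id, matched rule names) for every record that matched."""
    out = []
    for r in records:
        matched = evaluate(r)
        if matched:
            out.append((r.get("id"), matched))
    return out


# Constructed sample audit records (not real logs).
SAMPLE_AUDIT = [
    {"id": "a1", "activityDisplayName": "Add service principal",
     "operationType": "Add", "result": "success", "targetResources": []},
    {"id": "a2", "activityDisplayName": "Add service principal credentials",
     "operationType": "Update", "result": "success", "targetResources": []},
    {"id": "a3", "activityDisplayName": "Update application",
     "operationType": "Update", "result": "success",
     "targetResources": [{"modifiedProperties": [
         {"displayName": "AvailableToOtherTenants",
          "oldValue": "false", "newValue": "true"}]}]},
    # Same change but the operation failed: query (4) requires result:success
    {"id": "a4", "activityDisplayName": "Update application",
     "operationType": "Update", "result": "failure",
     "targetResources": [{"modifiedProperties": [
         {"displayName": "AvailableToOtherTenants"}]}]},
    {"id": "a5", "activityDisplayName": "Add unverified domain",
     "operationType": "Add", "result": "success", "targetResources": []},
    {"id": "a6", "activityDisplayName": "Update user",
     "operationType": "Update", "result": "success", "targetResources": []},
]

if __name__ == "__main__":
    for rec_id, matched in run(SAMPLE_AUDIT):
        print(rec_id, ", ".join(matched))
```

Note that rule (5) is deliberately broad (any activity whose name contains "domain"), so expect it to fire on routine domain administration as well; the value is in correlating it with the other four rules from the same actor in a short window.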

4.2 Lateral Movement Through RDP

Splunk's threat research shows that RDP may be used for lateral movement following a
SUNBURST compromise. In Starlight 3.10.0 we developed 10 RDP-related detections that help
identify RDP-based lateral movement (and RDP attacks in general).
Data ingestion requirement:
• network sensor
• security sensor
• and/or Windows event log

4.3 Other Lateral Movement Detection Suggestions

Overall, SUNBURST may establish persistent footholds inside the enterprise, and those
footholds will generate further lateral-movement signals.

You can search the historical data stored in Starlight for IoCs or suspicious activity from hosts
with SolarWinds Orion installed. For example, search for

dstip_host:*avsvmcloud* OR metadata.request.query:*avsvmcloud*

in Traffic data prior to 12/13/2020 (the date of public disclosure), going back as far as your
retention allows, to see whether any hosts were already involved in SUNBURST C2 before the IoCs
were known. The leading wildcard is expensive on a large index, so narrow the time range if the
search is slow.

Moreover, you can filter the alerts with the global query

srcip_type:private AND dstip_type:private

so that only alerts between internal addresses remain, which makes internally generated
signals easier to spot.
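Both filters above as code, as an added Python example (not Stellar Cyber's code): a retrospective window that keeps only records dated before public disclosure, and an internal-only filter that derives srcip_type / dstip_type and keeps alerts where both ends are private. The "private" set is spelled out (RFC 1918 plus loopback and link-local) rather than taken from ipaddress.is_private, which also covers documentation and reserved ranges you would not call internal. Record layout and timestamps are constructed.

```python
"""Added example (not Stellar Cyber's code): the retrospective time window
and the srcip_type:private AND dstip_type:private filter, run over
constructed alert records.

Assumptions: records carry an ISO-8601 timestamp, srcip and dstip; the
private ranges are an explicit list (adjust to your addressing plan).
"""
from datetime import datetime, timezone
import ipaddress

# Public disclosure date used as the upper bound of the retro hunt.
DISCLOSURE = datetime(2020, 12, 13, tzinfo=timezone.utc)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def ip_type(ip):
    """Return 'private', 'public' or 'invalid' for an address string."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.version == 6:
        # Assumption: fall back to the stdlib view for IPv6 (ULA, ::1, fe80::/10).
        return "private" if addr.is_private else "public"
    return "private" if any(addr in n for n in PRIVATE_NETS) else "public"


def classify(record):
    """Return a copy of record with srcip_type and dstip_type added."""
    out = dict(record)
    out["srcip_type"] = ip_type(record.get("srcip", ""))
    out["dstip_type"] = ip_type(record.get("dstip", ""))
    return out


def internal_only(alerts):
    """Alerts where both endpoints are private (the global query above)."""
    return [a for a in map(classify, alerts)
            if a["srcip_type"] == "private" and a["dstip_type"] == "private"]


def before_disclosure(records, cutoff=DISCLOSURE):
    """Records whose timestamp precedes the cutoff (retrospective hunt window)."""
    out = []
    for r in records:
        ts = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        if ts < cutoff:
            out.append(r)
    return out


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"id": 1, "timestamp": "2020-06-02T10:15:00Z",
     "srcip": "10.20.0.5", "dstip": "10.20.0.9"},
    {"id": 2, "timestamp": "2020-11-30T08:00:00Z",
     "srcip": "10.20.0.5", "dstip": "198.51.100.7"},
    {"id": 3, "timestamp": "2020-12-14T09:30:00Z",
     "srcip": "172.31.4.4", "dstip": "192.168.1.10"},
    # 172.32.0.0 lies just outside 172.16.0.0/12, so this source is public
    {"id": 4, "timestamp": "2020-12-15T11:00:00Z",
     "srcip": "172.32.0.1", "dstip": "10.0.0.1"},
]

if __name__ == "__main__":
    for a in internal_only(before_disclosure(SAMPLE_ALERTS)):
        print(a["id"], a["timestamp"], a["srcip"], "->", a["dstip"])
```

The fourth record is the kind of edge the explicit range list catches: 172.32.0.1 looks internal at a glance but is outside 172.16.0.0/12, so it is classified public and excluded from the internal-only view.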

5. Conclusions

Through our research on SUNBURST we quickly developed these detection ideas you can use in
Starlight. We are constantly working on threat research and will release more up-to-date
information and additional detections as they become available. Stay tuned!
