December 2020 | Resource

Cyberattack response: How organizations can manage the SUNBURST hack

The monthslong SUNBURST cyberattack is leaving governments and corporations scrambling to react to compromised information and data


What is SUNBURST?

SUNBURST is a trojanized DLL implanted into recent updates of the SolarWinds Orion platform; once installed, it creates a backdoor into the affected system. It is unclear how many of SolarWinds’ 300,000 customers’ systems may have been attacked, but the attack appears to stretch back months. Based on the level of sophistication of the attack, it is believed that the attacker is targeting specific government and critical infrastructure organizations as well as businesses with valuable intellectual property.

SUNBURST risk to organizations

The SUNBURST exploit is believed to be the work of a state-sponsored attacker. The attackers are believed to be targeting valuable intellectual property and government intelligence information. The attacker is thought to be focused on organizations in the following industries: pharmaceutical research, government intelligence, aerospace, oil and gas, and other critical infrastructure.

The attacker is not thought to be financially motivated, for example through ransomware or data extortion. As such, the risk of impact is low for the majority of affected organizations that do not hold data relating to those targeted activities.

What products are affected?

  • SolarWinds Orion Platform
  • Versions
    • 2019.4 HF 5
    • 2020.2 (no hotfix)
    • 2020.2 HF 1
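
To make the version list above actionable across an inventory, here is an added Python example (not from the page, and not SolarWinds code) that normalizes Orion version strings as they tend to appear in asset records ("2020.2 HF1", "2020.2.0 hf 1") and checks them against the three affected versions listed above and the 2020.2.1 HF 2 hotfix the page names as containing the fix. The accepted input formats and the classification labels are assumptions; the function only recognizes the versions the page itself lists, so a "not listed" result is not a clean bill of health, only a prompt to check against SolarWinds' own advisory.

```python
import re

# Versions the page lists as carrying the SUNBURST backdoor.
AFFECTED_VERSIONS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}
# Hotfix the page says includes the fix for the compromise.
FIXED_VERSION = "2020.2.1 HF 2"

# Assumed input shapes: "2020.2", "2020.2 HF 1", "2020.2HF1", "2020.2.0 hf 1".
_VERSION_RE = re.compile(r"^\s*(\d{4}(?:\.\d+)+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def normalize_version(raw: str) -> str:
    """Canonicalize a version string to the page's form, e.g. '2020.2 HF 1'.

    Trailing '.0' components are dropped so '2020.2.0' compares equal to
    '2020.2'; a missing hotfix denotes the base release ('2020.2 (no hotfix)').
    """
    match = _VERSION_RE.match(raw)
    if not match:
        raise ValueError(f"unrecognised SolarWinds Orion version string: {raw!r}")
    base, hotfix = match.group(1), match.group(2)
    parts = base.split(".")
    while len(parts) > 2 and parts[-1] == "0":
        parts.pop()
    base = ".".join(parts)
    return f"{base} HF {int(hotfix)}" if hotfix else base


def classify_version(raw: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' (labels are this example's own)."""
    version = normalize_version(raw)
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version == FIXED_VERSION:
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for host, raw in [("orion-01", "2020.2 HF1"), ("orion-02", "2019.4 hf 5"),
                      ("orion-03", "2020.2.0"), ("orion-04", "2020.2.1 HF 2")]:
        print(f"{host}: {raw!r} -> {normalize_version(raw)} -> {classify_version(raw)}")
```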

How to check version and hotfixes

SolarWinds recommended mitigations

  • If using versions 2020.2 (no hotfix) or 2020.2 HF 1:
  • If using version 2019.4 HF 5:
  • A new hotfix, 2020.2.1 HF 2:
    • This will include fixes for the compromise as well as additional security enhancements
    • Available here
  • Instructions for mitigating effects if Hotfixes cannot be applied right away:

Additional West Monroe recommended mitigations

  • Isolate SolarWinds servers and infrastructure until further remediation can be done. Block all outbound internet connections from associated systems
  • If SolarWinds infrastructure cannot be isolated:
    • Restrict connections to endpoints from SolarWinds servers
    • Restrict accounts that have administrative privileges on SolarWinds servers
    • Block outbound internet connections from servers and other endpoints with SolarWinds software
  • At a minimum, change passwords for accounts that have access to SolarWinds servers and infrastructure. Ideally, perform a full reset of all credentials in the environment and a double reset of the KRBTGT account password

SUNBURST attack kill chain details

Delivery

  • The SUNBURST exploit was delivered via trojanized updates to the SolarWinds Orion Platform
  • These updates were posted on the SolarWinds update website with valid digital signatures from March to May 2020

Exploitation

  • The specific exploit used was a trojanized DLL hidden in SolarWinds Orion updates
  • DLL name: SolarWinds.Orion.Core.BusinessLayer.dll
  • DLL MD5 hash: b91ce2fa41029f6955bff20079468448

Command and control

  • Upon installation, the malicious DLL lies dormant for two weeks before making a DNS query for avsvmcloud[.]com
  • This DNS query returns information on the SUNBURST command-and-control infrastructure

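
The Exploitation and Command and control sections above give two indicators a defender can sweep for: the DLL name with its MD5 hash, and DNS lookups for avsvmcloud[.]com. The following added Python example (not from the page, nor a West Monroe or SolarWinds tool) does both: it walks a directory tree, hashes every file carrying the DLL's name and flags the copy whose MD5 equals the published hash, and it scans resolver log lines for queries to avsvmcloud.com or any subdomain of it. MD5 is used only because that is the hash the page publishes. The dnsmasq-style log format, the sample log lines and the subdomain label in them are constructed assumptions, as is the placeholder file the demo creates; because the DLL lies dormant for two weeks, the log window searched should reach back to well before the first suspicious update was installed.

```python
import hashlib
import os
import re
import tempfile
from typing import Iterable, List, Tuple

# Indicators taken from the kill chain details above.
MALICIOUS_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
MALICIOUS_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"
C2_DNS_DOMAIN = "avsvmcloud.com"


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so large DLLs need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree_for_dll(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root and return (path, md5, known_bad) for every file with the DLL's name.

    A matching hash identifies the trojanized build named on the page; a
    non-matching hash only says this copy is not that exact build, so every
    copy is reported for review rather than silently dropped.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == MALICIOUS_DLL_NAME.lower():
                path = os.path.join(dirpath, name)
                digest = md5_of_file(path)
                findings.append((path, digest, digest == MALICIOUS_DLL_MD5))
    return sorted(findings)


# Assumed log format: dnsmasq-style "query[A] <name> from <client>" lines.
_DNS_QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def find_c2_lookups(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for each query to the C2 domain or a subdomain of it."""
    hits = []
    for line in lines:
        match = _DNS_QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group("qname").rstrip(".").lower()
        # Require a label boundary so look-alike names containing the domain do not match.
        if qname == C2_DNS_DOMAIN or qname.endswith("." + C2_DNS_DOMAIN):
            hits.append((match.group("client"), qname))
    return hits


# Constructed sample log lines (not real traffic); the subdomain label is made up.
SAMPLE_DNS_LOG = [
    "Dec 14 03:12:07 resolver dnsmasq[1234]: query[A] www.example.com from 10.0.5.20",
    "Dec 14 03:12:09 resolver dnsmasq[1234]: query[A] 0123456789abcdef.avsvmcloud.com. from 10.0.5.21",
    "Dec 14 03:12:10 resolver dnsmasq[1234]: reply www.example.com is 192.0.2.1",
    "Dec 14 03:12:11 resolver dnsmasq[1234]: query[A] avsvmcloud.com.lookalike.test from 10.0.5.22",
]


def demo_scan() -> List[Tuple[str, str, bool]]:
    """Create a throwaway tree holding a benign placeholder file that carries the
    DLL's name (constructed content, not the real DLL) and run the scanner on it."""
    root = tempfile.mkdtemp(prefix="sunburst-demo-")
    nested = os.path.join(root, "Orion", "bin")
    os.makedirs(nested)
    with open(os.path.join(nested, MALICIOUS_DLL_NAME), "wb") as fh:
        fh.write(b"constructed placeholder, not the SolarWinds DLL\n")
    with open(os.path.join(root, "unrelated.dll"), "wb") as fh:
        fh.write(b"some other file\n")
    return scan_tree_for_dll(root)


if __name__ == "__main__":
    for path, digest, known_bad in demo_scan():
        print(("KNOWN-BAD " if known_bad else "review    ") + f"{digest}  {path}")
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

Run against a real host, `scan_tree_for_dll` would be pointed at the Orion installation directory and `find_c2_lookups` fed the resolver's query log; a hit in either output is the cue to isolate the system per the mitigations above rather than to investigate it in place.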
Where West Monroe can help

West Monroe’s group of cyberattack experts can identify whether the compromised components have been deployed. The process includes performing an expedited threat hunt with the help of Intellio® Hunt to detect compromise. This proprietary hunt investigates current attack behaviors and provides visibility into past attacker behaviors.

We deploy a 60-day license of Carbon Black to allow us to contain communication from the affected systems and hunt for unusual activity. We’re also able to assist with upgrading patch levels to 2020.2.1 HF 2 once it is made available.

Contact our cyber response team directly or call 312-600-3390. We have a two-hour or less response policy for cyber issues.
