Germantown, Maryland – Friday, December 18, 2020
The U.S. Department of Energy today acknowledged that it was affected by an ongoing computer network intrusion dubbed “Sunburst” by FireEye, a computer security firm which was the first victim to discover and publicly disclose it. Considered one of the worst cyber-attacks on the U.S. government, the attack also affected the Pentagon, the Department of Homeland Security, the State Department, the Treasury Department and the U.S. Department of Commerce.
Known as a supply-chain attack, Sunburst involved tampering with a product manufactured by a trusted supplier; in this case, the attackers deliberately inserted a vulnerability or vulnerabilities into legitimate SolarWinds network monitoring software, used by large businesses and government customers around the world. According to Reuters, SolarWinds’ update server had a weak password; however, unnamed researchers are quoted as saying that this was not the likely cause of the intrusion.
The malicious software infected SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed component of the Orion® software platform. When activated, the component communicates over HTTP (hypertext transfer protocol) with servers maintained by a malicious third party. It uses a subdomain-generating algorithm to contact command-and-control servers under the domain avsvmcloud(dot)com; the generated name resolves to a CNAME DNS record that points to the actual command-and-control server. From there it retrieves commands that could completely take over the host system.
The malware’s network traffic uses the Orion Improvement Program protocol to evade firewall defenses and contains stealth features that can evade multiple antivirus programs; its network traffic mimics SolarWinds’ own application programming interface (API) traffic. Different instances of the Sunburst malware contain different payloads, including a previously undetected dropper program that runs in memory only (by not saving its code to a file, it can avoid being detected in a full system scan).
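The resolver-side view of the behaviour described above, as an added example that is not part of this article or of SolarWinds’ software: a small Python scanner over constructed DNS resolver log lines that flags lookups of avsvmcloud.com or any subdomain of it and, where the answer is a CNAME, extracts the target as a derived indicator worth blocking and hunting for. The log line layout, client addresses, generated-looking subdomains and the CNAME target are all assumptions made for the example.

```python
"""Flag DNS lookups that match the Sunburst command-and-control pattern.

Added illustration, not the article's or SolarWinds' code: the malware
resolves algorithmically generated subdomains of avsvmcloud(dot)com and the
answer is a CNAME pointing at the real command-and-control host, so a
resolver log is a cheap place to look. Log format and lines are constructed.
"""
import re

C2_DOMAIN = "avsvmcloud.com"  # from the article; un-defanged here for matching

# Assumed line layout: "<timestamp> <client> <qname> <qtype> <rcode> <answer>"
# where <answer> is an address, "CNAME=<target>", or "-" when there is no data.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<answer>\S+)$"
)

# Constructed sample log. Subdomain labels and the CNAME target are made up;
# 10.20.30.0/24, 203.0.113.0/24 and .invalid are documentation ranges/names.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:44Z 10.20.30.40 www.example.com A NOERROR 93.184.216.34
2020-12-14T03:13:02Z 10.20.30.41 k3r9t2x7q1w5m8.avsvmcloud.com A NOERROR CNAME=c2-placeholder.example.invalid
2020-12-14T03:13:02Z 10.20.30.41 c2-placeholder.example.invalid A NOERROR 203.0.113.7
2020-12-14T03:14:10Z 10.20.30.42 updates.solarwinds.com A NOERROR 198.51.100.9
2020-12-14T03:15:55Z 10.20.30.43 p0q7z4n1b6v2y9.avsvmcloud.com A NXDOMAIN -
2020-12-14T03:16:30Z 10.20.30.44 notavsvmcloud.com A NOERROR 192.0.2.5
"""


def is_sunburst_c2_query(qname: str) -> bool:
    """True if qname is avsvmcloud.com itself or any subdomain of it.

    A label-boundary check is used so look-alikes such as
    'notavsvmcloud.com' do not match.
    """
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def parse_line(line: str):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_dns_log(text: str) -> list:
    """Return one finding per query under the C2 domain.

    Each finding records the client, the queried name, the response code and,
    when the resolver returned a CNAME, the target it pointed to.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sunburst_c2_query(rec["qname"]):
            continue
        answer = rec["answer"]
        cname = None
        if answer.upper().startswith("CNAME="):
            cname = answer[len("CNAME="):].rstrip(".").lower()
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "qname": rec["qname"].lower().rstrip("."),
            "rcode": rec["rcode"],
            "cname_target": cname,
        })
    return findings


def derived_indicators(findings) -> set:
    """CNAME targets seen in findings: the hosts the generated names resolved to."""
    return {f["cname_target"] for f in findings if f["cname_target"]}


def clients_to_triage(findings) -> list:
    """Sorted, de-duplicated list of hosts that queried the C2 domain."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_DNS_LOG)
    for f in results:
        print(f"{f['ts']} {f['client']} -> {f['qname']} [{f['rcode']}] "
              f"cname={f['cname_target'] or '-'}")
    print("derived indicators:", sorted(derived_indicators(results)))
    print("clients to triage:", clients_to_triage(results))
```

The NXDOMAIN line is kept on purpose: a failed lookup of a generated subdomain is still evidence that the implant ran on that host, so a finding is raised whether or not a CNAME came back, and only the successful resolutions contribute to the derived indicator set.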
Affected software includes Orion versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which were available for download between March and June 2020.
The attack is unusually sophisticated in that the attackers’ source code used a coding style and naming conventions similar to those used by SolarWinds itself; the malware was written carefully using many of the same techniques as the legitimate software product. By mimicking SolarWinds’ developers’ programming style, they evaded any code review or auditing employed by SolarWinds as part of the software release process.
- “SolarWinds Security Advisory” — SolarWinds, December 18, 2020 08:30
- Raphael Satter, Christopher Bing, Joseph Menn. “Hackers used SolarWinds’ dominance against it in sprawling spy campaign” — Reuters, December 15, 2020 21:08
- “Threat Research: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor” — FireEye, December 13, 2020
- “DOE Update on Cyber Incident Related to Solar Winds Compromise” — U.S. Department of Energy, December 18, 2020
- “Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise” — Cybersecurity & Infrastructure Security Agency, December 13, 2020
- “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)” — Cybersecurity & Infrastructure Security Agency, December 16, 2020
- Tara Seals. “Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims” — ThreatPost, December 18, 2020 14:01
- Tomislav Peričin. “SunBurst: the next level of stealth” — ReversingLabs, accessed December 18, 2020
- Joe Tidy. “SolarWinds: Why the Sunburst hack is so serious” — BBC, December 15, 2020
- David E. Sanger, Nicole Perlroth, Eric Schmitt. “Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit” — The New York Times, December 14–16, 2020
- Zachary Cohen, Brian Fung, Geneva Sands, Alex Marquardt. “US cybersecurity agency warns suspected Russian hacking campaign broader than previously believed” — CNN, December 18, 2020
- “US cyber-attack: US energy department confirms it was hit by Sunburst hack” — BBC, December 18, 2020
- Jack Stubbs, Ryan McNeill. “SolarWinds hackers broke into U.S. cable firm and Arizona county, web records show” — Reuters, December 18, 2020
- Craig Timberg, Ellen Nakashima. “Federal investigators find evidence of previously unknown tactics used to penetrate government networks” — The Washington Post, December 17, 2020
- Kevin Johnson, Nathan Bomey. “US under cyber attack believed to be tied to Russia: Private sector, infrastructure, all levels of government at risk” — USA Today, December 17, 2020
- Thomas Bossert. “I Was the Homeland Security Adviser to Trump. We’re Being Hacked.” — The New York Times, December 16, 2020