SUNBURST Malware & SolarWinds Supply Chain Attack

Threat actors compromised SolarWinds’s Orion IT monitoring and management software, which is used by organizations including Intel, Cisco and Nvidia.

Trojanized version of SolarWinds

SolarWinds is a software company that primarily deals in systems management tools used by IT professionals.

Between 100 and 280 organizations installed a trojanized version of the SolarWinds Orion platform, which infects internal systems with the Sunburst malware.

The victims are not only tech companies but span categories including local governments, universities, hospitals, banks, and telecom providers.

The largest organizations known to fall into the above categories include:

  • Cisco
  • Belkin
  • SAP
  • Amerisafe
  • Intel
  • Lukoil
  • Cox Communications
  • Rakuten
  • Deloitte
  • Check Point
  • Nvidia
  • Optimizely
  • Fujitsu
  • Digital Reach and Digital Sense

SUNBURST Malware — Subdomains

According to a SANS report, the malware was deployed as an update from SolarWinds’ own servers and was digitally signed with a valid certificate bearing the company’s name:

  • This strongly points to a supply chain attack
  • The certificate was issued by Symantec — Serial Number: 0fe973752022a606adf2a36e345dc0ed

Security researchers compiled these victim lists by reverse-engineering the Sunburst (aka Solorigate) malware.

The malware was injected into updates for the SolarWinds Orion app released between March and June 2020.

According to reports by multiple security researchers, on infected systems:

  • the malware would gather information about the victim company’s network,
  • wait for 12 to 14 days,
  • and then send the data to a remote command and control (C&C) server.

[Figure: Solorigate attack chain (solorigate-attack-chain.png). Source – Microsoft]

Post Compromise Attack:

FireEye has uncovered a widespread campaign, which it tracks as UNC2452.

After gaining initial access, the attacker uses a variety of techniques to disguise their operations.

Source – FireEye

Researchers identified that each victim contacted a unique subdomain of avsvmcloud[.]com. The hostname contained four parts, the first of which was a random-looking string.

[Figure: Solorigate C2 subdomain structure (solorigate-c2.png). Source – Microsoft]

Security researchers found, however, that this string was not arbitrary: it contained the encoded name of the victim’s local network domain.

Detection & Mitigations:

The list of first-stage and second-stage victims keeps growing, and includes companies such as Cisco, Intel, VMware and Microsoft, which have formally confirmed they were infected.

“Escalation” usually happened when the avsvmcloud[.]com C&C server replied to an infected company with a very specific DNS response that contained a special CNAME record.

That CNAME record carried the location of a second C&C server, from which the Sunburst malware would fetch additional commands and sometimes download other malware.
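The two DNS behaviours described above (the four-part avsvmcloud[.]com beacon hostname and the CNAME-based escalation response) can be hunted for in DNS resolver logs. The script below is an added example written for this page, not code from the original article or from any vendor report; it assumes a simple constructed log format (`timestamp client qname qtype answer`) and does not attempt to decode the victim-domain string, which uses the malware's own custom encoding. The two avsvmcloud.com hostnames and the CNAME target in the sample log are taken from the article's indicator lists; the timestamps, client address and IP answers are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hostname shape described in the article: <encoded-string>.appsync-api.<region>.avsvmcloud.com
# The first label is the random-looking string that encodes the victim's local domain.
SUNBURST_C2_RE = re.compile(
    r"^(?P<encoded>[a-z0-9]{10,32})\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)


@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str
    qtype: str
    answer: str  # "A:<ip>", "CNAME:<name>" or "-" when the query got no answer


@dataclass
class Finding:
    ts: str
    client: str
    stage: str  # "beacon" (first-stage DGA lookup) or "escalation" (CNAME to second-stage C&C)
    qname: str
    detail: str


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one record of the constructed log format: ts client qname qtype answer."""
    parts = line.split()
    if len(parts) != 5 or parts[0].startswith("#"):
        return None
    return DnsEvent(*parts)


def classify(event: DnsEvent) -> Optional[Finding]:
    """Return a Finding when the query matches the SUNBURST C&C hostname structure."""
    m = SUNBURST_C2_RE.match(event.qname)
    if not m:
        return None
    # The "escalation" response: a CNAME that points outside avsvmcloud.com and
    # names the second-stage C&C server the malware will contact next.
    if event.answer.upper().startswith("CNAME:"):
        target = event.answer[len("CNAME:"):].rstrip(".").lower()
        if not target.endswith("avsvmcloud.com"):
            return Finding(event.ts, event.client, "escalation", event.qname,
                           f"second-stage C&C handed out via CNAME -> {target}")
    return Finding(event.ts, event.client, "beacon", event.qname,
                   f"DGA label {m.group('encoded')!r} under region {m.group('region')}")


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run every log line through the classifier and collect the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            finding = classify(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample log. The two avsvmcloud.com hostnames are taken from the
# article's host list; the client address, timestamps and answers are made up.
SAMPLE_LOG = """\
# ts client qname qtype answer
2020-12-14T10:02:11Z 10.20.30.40 appsync-api.us-east-1.amazonaws.com A A:203.0.113.5
2020-12-14T10:03:54Z 10.20.30.40 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A A:203.0.113.77
2020-12-14T10:04:02Z 10.20.30.40 time.windows.com A A:203.0.113.9
2020-12-28T09:15:30Z 10.20.30.40 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A CNAME:freescanonline.com
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.client} [{f.stage}] {f.qname}: {f.detail}")
```

The regex deliberately requires the full `appsync-api.<region>.avsvmcloud.com` suffix so that legitimate AWS AppSync lookups (`appsync-api.<region>.amazonaws.com`), which the malware's naming scheme imitates, are not flagged. An "escalation" finding is the one to prioritise: it means the C&C server answered this host with a second-stage location rather than leaving it dormant.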

Check your environment for the following indicators of compromise (IOCs).

Indicators of Compromise

IP addresses:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 224.0.0.0/3
  • fc00:: – fe00::
  • fec0:: – ffc0::
  • ff00:: – ff00::
  • 20.140.0.0/15
  • 96.31.172.0/24
  • 131.228.12.0/22
  • 144.86.226.0/24

Note that the first seven entries are private (RFC 1918), multicast and IPv6 local/multicast ranges rather than attacker infrastructure, so they must not be added to a block list; they appear in vendor reports because the malware compares the addresses the C&C domain resolves to against these ranges before deciding how to proceed.

Hash values (all attributed to the UNC2452 campaign):

MD5:

  • 02af7cec58b9a5da1c542b5a32151ba1
  • 08e35543d6110ed11fdf558bb093d401
  • 2c4a910a1299cdae2a4e55988a2f102e
  • 4f2eb62fa529c0283b28d05ddd311fae
  • 56ceb6d0011d87b6e4d7023d7ef85676
  • 846e27a652a5e1bfbd0ddd38a16dc865
  • b91ce2fa41029f6955bff20079468448

SHA-256:

  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

SHA-1:

  • 1b476f58ca366b54f34d714ffce3fd73cc30db1a
  • 2f1a5a7411d015d01aaee4535835400191645023
  • 47d92d49e6f7f296260da1af355f941eb25360c4
  • 75af292f34789a1c782ea36c7127bf6106f595e8
  • 76640508b1e7759e548771a5359eaed353bf1eec
  • c2c30b3a287d82f88753c85cfb11ec9eb1466bad
  • d130bd75645c2433f88ac03e73395fba172ef676

Domain names (UNC2452 campaign):

  • avsvmcloud.com
  • databasegalore.com
  • deftsecurity.com
  • freescanonline.com
  • highdatabase.com
  • incomeupdate.com
  • panhardware.com
  • thedoccloud.com
  • websitetheme.com
  • zupertech.com

Host names (UNC2452 campaign):

  • appsync-api.eu-west-1.avsvmcloud.com
  • appsync-api.us-east-1.avsvmcloud.com
  • appsync-api.us-east-2.avsvmcloud.com
  • appsync-api.us-west-2.avsvmcloud.com
  • 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
  • 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
  • gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com
  • ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com
  • k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
  • mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com
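To make the IOC lists above directly usable, the following script is an added example for this page (not code from the article or from any vendor) that matches hostnames against the domain list (including subdomains and defanged `[.]` notation), hashes files with all three algorithms used in the list, and classifies each IP entry so that only the globally routable ranges end up on a block list. It embeds a subset of the article's hashes and all of its domains; the `hash_bytes`, `host_matches` and `classify_ip_entry` helper names are my own.

```python
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Indicators copied from the article's lists (a subset of the hashes; all of the domains).
IOC_HASHES: Set[str] = {
    "02af7cec58b9a5da1c542b5a32151ba1",                                  # MD5
    "08e35543d6110ed11fdf558bb093d401",                                  # MD5
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",  # SHA-256
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",  # SHA-256
    "1b476f58ca366b54f34d714ffce3fd73cc30db1a",                          # SHA-1
    "2f1a5a7411d015d01aaee4535835400191645023",                          # SHA-1
}
IOC_DOMAINS: Set[str] = {
    "avsvmcloud.com", "databasegalore.com", "deftsecurity.com", "freescanonline.com",
    "highdatabase.com", "incomeupdate.com", "panhardware.com", "thedoccloud.com",
    "websitetheme.com", "zupertech.com",
}
IOC_IP_ENTRIES: List[str] = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "fc00:: – fe00::", "fec0:: – ffc0::", "ff00:: – ff00::",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
]


def normalize_host(name: str) -> str:
    """Lower-case, undo [.] defanging and drop a trailing dot so IOC strings compare cleanly."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def host_matches(name: str, iocs: Set[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    labels = normalize_host(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path: str) -> Dict[str, str]:
    """Same three digests for a file, streamed so large binaries are not read into memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def file_matches(path: str, iocs: Set[str] = IOC_HASHES) -> Optional[str]:
    """Return the matching IOC hash (under any of the three algorithms) or None."""
    for digest in file_hashes(path).values():
        if digest in iocs:
            return digest
    return None


def classify_ip_entry(entry: str) -> str:
    """Classify a CIDR or 'start – end' entry by its first address."""
    parts = re.split(r"\s*[\u2013-]\s*", entry, maxsplit=1)  # en dash or hyphen separates a range
    if len(parts) == 2:
        addr = ipaddress.ip_address(parts[0])
    else:
        addr = ipaddress.ip_network(entry, strict=False).network_address
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:
        return "private"
    if addr.is_link_local:
        return "link-local"
    if getattr(addr, "is_site_local", False):  # IPv6 only (fec0::/10)
        return "site-local"
    if addr.is_reserved:
        return "reserved"
    return "global"


def blockable_ip_entries(entries: Iterable[str] = IOC_IP_ENTRIES) -> List[str]:
    """Only globally routable entries are sensible candidates for a block list."""
    return [e for e in entries if classify_ip_entry(e) == "global"]


if __name__ == "__main__":
    # Constructed sample: hostnames as they might appear in proxy or DNS logs.
    for name in ["6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
                 "deftsecurity[.]com.", "www.example.com"]:
        print(f"{name:60} -> {host_matches(name)}")
    for entry in IOC_IP_ENTRIES:
        print(f"{entry:20} {classify_ip_entry(entry)}")
    print("blockable:", blockable_ip_entries())
```

Running it shows that seven of the eleven IP entries classify as private, multicast or site-local and only the last four are left on the block-list candidate set, which is the practical reading of the IP list above: the reserved ranges are what the malware tests resolved addresses against, not infrastructure to firewall.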
Published December 22nd, 2020 (2020-12-22T22:34:54+05:30) | Targeted Attacks

About the Author:

FirstHackersNews – Identifies Security