What happened, and who did it?
On December 13th, the Washington Post reported that the Russian group APT29, also known as Cozy Bear, had breached the US Treasury and Commerce Departments, and that the FBI believes the intrusion began as early as March 2020.
FireEye reported that the breach originated in a well-executed supply chain attack that used the SolarWinds Orion software to deliver malware named SUNBURST. SolarWinds Orion is a popular IT administration tool used by more than 300,000 organizations around the world, including 425 of the Fortune 500, the 10 largest telecommunication companies, every branch of the US military, and US government agencies such as the NSA, State Department, the Pentagon, Department of Justice, and the White House. As such, the US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
The nation-state actor compromised the SolarWinds Orion software itself and built a backdoor into it as early as March 2020. Every customer that installed the trojanized update was then infected, giving the attacker a foothold from which to compromise that organization further. Because the software was tampered with at the supplier, before release, the backdoored update carried SolarWinds' valid digital signature, so Anti-Virus and operating system code-signing protections did not flag it: a valid signature proves who signed a file, not that its contents are benign.
SolarWinds has issued an advisory disclosing that Orion Platform software released between March 2020 and June 2020 is affected.
How it unfolded, and why monitoring users in the cloud is imperative
Once the victim installed the compromised software, the APT group used the backdoor to push further into the network, abusing privileged accounts to move laterally until it obtained the credentials of a Domain administrator account or the SAML signing certificate of the organization's federation service. Either prize gives the attacker access to any on-premises device or any cloud infrastructure that trusts that domain: with the signing certificate, the attacker can forge SAML tokens for any user, including cloud administrators, without ever touching that user's password or MFA. That level of access can then be used to create new privileged accounts and establish a more durable foothold within the organization. Microsoft has also observed the attacker modifying domain federation trusts, in addition to the techniques above, so that its forged tokens continue to be accepted even after the original foothold is cleaned up.
Vectra Cognito has several capabilities available to customers who want to investigate or detect if they have been compromised by this attack.
Overview of Vectra’s detections
APT29’s tools and techniques are highly sophisticated and went unnoticed for an extended period of time. The tactics of the group nevertheless remain similar to those seen in previous APT compromises.
Vectra customers are protected from attacks leveraging the reported tactics and techniques. Below is an overview of Vectra’s AI-driven detections based on those TTPs.
Detections based on network activity
External Remote Access / Hidden HTTPS Tunnel / Hidden HTTP Tunnel
Vectra Threat Intel Match
RPC Recon / Targeted RPC Recon
Suspicious Remote Execution
Privileged Access Anomalies
Detections based on Office 365 and Azure AD activity
Suspicious Sign-On activity
Admin Account Creation
Newly Created Admin Accounts
Risky Application Permissions
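The Office 365 and Azure AD detections above map to the cloud side of the intrusion described earlier: once the attacker holds a Domain administrator account or the SAML signing certificate, the next moves are to change federation settings, add itself to privileged roles, and attach credentials or broad permissions to applications so that access survives a password reset. The following is an added example, not Vectra's code, that triages Azure AD audit-log events for exactly those moves. The event shape is a simplified version of the Azure AD audit log (activityDisplayName, initiatedBy, targetResources), every sample event is constructed, and the operation names, role names and permission strings are assumptions taken from the audit-log vocabulary; confirm them against your own tenant before relying on them.

```python
"""Triage Azure AD audit-log events for post-compromise identity persistence.

Added illustration, not Vectra code. Event shape is a simplified Azure AD audit
log; SAMPLE_EVENTS are constructed; operation/role/permission names are
assumptions to confirm against your tenant.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Operations that warrant review on their own: this is how an attacker holding a
# Global Admin or the SAML signing certificate makes the access durable.
HIGH_RISK_OPERATIONS = {
    "Set federation settings on domain": "federation trust modified",
    "Set domain authentication": "domain switched between managed and federated",
    "Add service principal credentials": "credential added to application",
    "Update application – Certificates and secrets management": "app secret or certificate changed",
}
# Directory roles whose assignment should always be reviewed (assumed names).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator"}
# Permissions that let an application read any mailbox or file, or rewrite the directory.
RISKY_APP_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                         "Directory.ReadWrite.All", "full_access_as_app"}


@dataclass
class Finding:
    reason: str
    actor: str
    target: str
    timestamp: str


def _actor(event) -> str:
    who = event.get("initiatedBy", {})
    return (who.get("user") or who.get("app") or {}).get("displayName", "unknown")


def _target(event) -> str:
    res = event.get("targetResources") or [{}]
    return res[0].get("displayName") or res[0].get("userPrincipalName") or "?"


def _props(event) -> dict:
    """Flatten modifiedProperties of all target resources into {name: newValue}.
    Azure AD stores newValue as a JSON-encoded string ('"Global Administrator"'),
    so decode it when possible and fall back to the raw value otherwise."""
    out = {}
    for res in event.get("targetResources", []):
        for p in res.get("modifiedProperties", []):
            raw = p.get("newValue")
            try:
                out[p["displayName"]] = json.loads(raw) if raw is not None else None
            except (ValueError, TypeError):
                out[p["displayName"]] = raw
    return out


def triage_event(event) -> Optional[Finding]:
    """Return a Finding if the event matches one of the persistence patterns."""
    op = event.get("activityDisplayName", "")
    props = _props(event)
    reason = None
    if op in HIGH_RISK_OPERATIONS:
        reason = HIGH_RISK_OPERATIONS[op]
    elif op == "Add member to role":
        role = props.get("Role.DisplayName", "")
        if role in PRIVILEGED_ROLES:
            reason = f"privileged role assigned: {role}"
    elif op == "Consent to application":
        granted = str(props.get("ConsentAction.Permissions", ""))
        hits = sorted(p for p in RISKY_APP_PERMISSIONS if p in granted)
        if hits:
            reason = "risky application permissions consented: " + ", ".join(hits)
    if reason is None:
        return None
    return Finding(reason, _actor(event), _target(event), event.get("activityDateTime", ""))


def triage(events) -> list:
    return [f for f in map(triage_event, events) if f is not None]


# Constructed sample events: an on-prem account (svc-orion) re-points federation,
# promotes a new account, which then consents a mail-reading app and adds a secret.
SAMPLE_EVENTS = [
    {"activityDateTime": "2020-12-10T02:14:09Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"displayName": "svc-orion"}},
     "targetResources": [{"displayName": "corp.example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-10T02:20:31Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "svc-orion"}},
     "targetResources": [{"userPrincipalName": "backup-admin@corp.example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2020-12-10T09:05:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "it-helpdesk"}},
     "targetResources": [{"userPrincipalName": "jane@corp.example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2020-12-10T02:41:17Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"displayName": "backup-admin"}},
     "targetResources": [{"displayName": "Mail Sync Helper", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions", "newValue": "\"[Mail.Read, offline_access]\""}]}]},
    {"activityDateTime": "2020-12-10T11:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"displayName": "it-helpdesk"}},
     "targetResources": [{"userPrincipalName": "bob@corp.example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-10T02:50:44Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"displayName": "backup-admin"}},
     "targetResources": [{"displayName": "Mail Sync Helper", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.actor} -> {f.target}: {f.reason}")
```

Read against the sample, the script surfaces four of the six events and ignores the helpdesk role change and the routine user update. The point worth noting is the chain: the federation change is performed by an on-premises service account, and everything after it is done by the account that change created, which is why reviewing actor and target together matters more than any single alert.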
What to look for in your environment:
Stream or Recall customers, and anyone using tools that collect network metadata, should immediately search their environment for the following:
Review activity related to the APT29-linked domain in the iSession metadata streams
Review activity that is unexpected from SolarWinds systems across all metadata
Review activity related to admin AD accounts in the Kerberos_txn metadata
Review activity related to admin accounts in the NTLM metadata
Review activity related to admin accounts in the RDP metadata (note that RDP cookies are truncated at 9 characters)
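The five review steps above are one hunt, and the following is an added example, not Vectra's code, that runs that hunt over constructed records shaped like the iSession, Kerberos_txn, NTLM and RDP metadata. It flags sessions to the indicator domain, unexpected destinations and unexpected account use from the Orion server, admin accounts used from hosts that are not admin workstations, and admin RDP sessions, matching RDP cookies on their first 9 characters because of the truncation noted above. The host names, account names and allow-lists are assumptions for the illustration; avsvmcloud.com is the SUNBURST command-and-control domain from the published reporting and stands in for whatever indicator list you load.

```python
"""Hunt network metadata for SUNBURST-style post-exploitation activity.

Added example, not Vectra code. Record fields are a simplified stand-in for
iSession / Kerberos_txn / NTLM / RDP metadata; all records and allow-lists
below are constructed assumptions.
"""
from collections import namedtuple

# SUNBURST beaconed to generated subdomains of avsvmcloud.com, so match on the
# suffix rather than the exact name. Extend from your threat-intel feed.
IOC_DOMAIN_SUFFIXES = ("avsvmcloud.com",)

SOLARWINDS_HOSTS = {"orion01"}                                      # assumption: Orion servers
ORION_SERVICE_ACCOUNTS = {"svc-orion"}                              # assumption: Orion's own account
ORION_EXPECTED_DST = {"downloads.solarwinds.com", "sw01", "sw02", "dc01"}  # assumption: normal peers
ADMIN_ACCOUNTS = {"administrator", "da-jsmith", "svc-backupadmin"}  # assumption
ADMIN_WORKSTATIONS = {"paw01", "paw02"}                             # assumption: where admins work from
RDP_COOKIE_LEN = 9   # RDP cookies in the metadata are truncated to 9 characters

Finding = namedtuple("Finding", "source rule record")


def _ioc_domain(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def _norm_account(account: str) -> str:
    """CORP\\user, user@corp.local and user all normalise to 'user'."""
    return account.lower().split("\\")[-1].split("@")[0]


def _admin_by_cookie(cookie: str) -> list:
    """Admin accounts whose first 9 characters match the truncated RDP cookie."""
    c = cookie.lower()[:RDP_COOKIE_LEN]
    return [a for a in ADMIN_ACCOUNTS if a[:RDP_COOKIE_LEN] == c]


def hunt_isession(records) -> list:
    out = []
    for r in records:
        if _ioc_domain(r["dst_domain"]):
            out.append(Finding("iSession", "session to APT29-linked domain", r))
        elif r["src"] in SOLARWINDS_HOSTS and r["dst_domain"] not in ORION_EXPECTED_DST:
            out.append(Finding("iSession", "unexpected destination from SolarWinds host", r))
    return out


def hunt_auth(source: str, records) -> list:
    """Kerberos_txn and NTLM share the same two questions: is an admin account
    being used from a host admins do not normally use, and is the Orion server
    authenticating as anything other than its own service account?"""
    out = []
    for r in records:
        acct = _norm_account(r["account"])
        if acct in ADMIN_ACCOUNTS and r["src"] not in ADMIN_WORKSTATIONS:
            out.append(Finding(source, "admin account from non-admin host", r))
        elif r["src"] in SOLARWINDS_HOSTS and acct not in ORION_SERVICE_ACCOUNTS:
            out.append(Finding(source, "SolarWinds host authenticating as unexpected account", r))
    return out


def hunt_rdp(records) -> list:
    out = []
    for r in records:
        if _admin_by_cookie(r["cookie"]) and r["src"] not in ADMIN_WORKSTATIONS:
            out.append(Finding("RDP", "admin RDP from non-admin host", r))
        elif r["src"] in SOLARWINDS_HOSTS:
            out.append(Finding("RDP", "RDP from SolarWinds host", r))
    return out


def hunt_all(isession, kerberos, ntlm, rdp) -> list:
    return (hunt_isession(isession) + hunt_auth("Kerberos_txn", kerberos)
            + hunt_auth("NTLM", ntlm) + hunt_rdp(rdp))


# Constructed sample metadata. The subdomain label is made up; the suffix is the indicator.
ISESSION = [
    {"src": "ws-117", "dst_domain": "mail.example.com", "dst_port": 443},
    {"src": "orion01", "dst_domain": "downloads.solarwinds.com", "dst_port": 443},
    {"src": "orion01", "dst_domain": "k3q8v1m2x7.appsync-api.eu-west-1.avsvmcloud.com", "dst_port": 443},
    {"src": "orion01", "dst_domain": "files.transfer-example.net", "dst_port": 443},
]
KERBEROS = [
    {"src": "paw01", "account": "da-jsmith@corp.local", "service": "ldap/dc01"},
    {"src": "orion01", "account": "svc-orion@corp.local", "service": "host/sw01"},
    {"src": "orion01", "account": "da-jsmith@corp.local", "service": "cifs/dc01"},
    {"src": "orion01", "account": "bob@corp.local", "service": "cifs/fs01"},
]
NTLM = [
    {"src": "ws-117", "account": "CORP\\administrator", "dst": "fs01"},
    {"src": "ws-201", "account": "CORP\\bob", "dst": "fs01"},
]
RDP = [
    {"src": "orion01", "dst": "dc01", "cookie": "da-jsmith"},
    {"src": "paw02", "dst": "dc01", "cookie": "svc-backu"},   # svc-backupadmin, truncated, from a PAW
    {"src": "ws-301", "dst": "fs01", "cookie": "bob"},
]

if __name__ == "__main__":
    for f in hunt_all(ISESSION, KERBEROS, NTLM, RDP):
        print(f"[{f.source}] {f.rule}: {f.record}")
```

On the sample data this yields six findings, and the three that come from orion01 are the ones that tell the SUNBURST story: a beacon to the C2 domain, then Domain administrator credentials being used from the Orion server itself, then an RDP session from it to a domain controller. Tune the allow-lists before running this at scale; an Orion server legitimately authenticates to everything it monitors, so the rule keys on which account it uses rather than on the destination.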
Conclusion
SolarWinds urges all customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible, or, where that is not immediately possible, to disable internet access for the Orion Platform and limit its ports and connections to only what is necessary. Note that upgrading removes the backdoor from the Orion server but does nothing about an attacker who has already used it to obtain Domain administrator credentials or the SAML signing certificate; the review steps above are still required after patching.
If you’re ready to change your approach to detecting and responding to cyberattacks like these, and to get a closer look at how Cognito can find attacker tools and exploits, schedule a demo with Vectra today.
Luke is the Threat Intel Lead for Vectra. He has been with the company for 4 years, joining as a consultant analyst and working directly with customers on high-level incident response. Before joining Vectra, Luke was a senior Security Analyst for an international Engineering and Defence contractor where he developed SOC toolsets, processes and incident response playbooks.