What happened, and who did it?

On December 13th, Washington Post reported that Russian group APT29 or Cozy Bear had breached the US Treasury and Commerce Departments, and that FBI speculates the attack started as early as March 2020.

FireEye reported that the breach originated in a well-executed supply chain attack through the SolarWinds Orion software to deliver a malware named SUNBURST. SolarWinds Orion is a popular IT administration tool used by more than 300,000 organizations around the world, including 425 of the Fortune 500, the 10 largest telecommunication companies, every branch of the US military, and US government agencies such as the NSA, State Department, the Pentagon, Department of Justice, and the White House. As such, The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

The nation-state actor compromised the SolarWinds Orion solution and built a back door into Orion as early as March 2020. This was then used to further infect targets upon installing the infected update. As this software was compromised at the supplier level, it was digitally signed with valid signatures and was undetected by Anti-Virus or Operating system protections.

SolarWinds has issued an advisory disclosing that SolarWinds Orion Platform software released between March 2020 and June 2020 has been affected.

How it unfolded, and why monitoring users in the cloud is imperative

Once the victim installed the compromised software, the APT group continued to compromise the network further, using privileged accounts to move laterally and eventually obtain the credentials of a Domain administrator account or the SAML Signing Certificate. This allowed the attackers to move laterally to any on-premises device, or any cloud infrastructure. This level of access could be leveraged to forge new privileged accounts and develop a sturdier foothold within an organization. The attacker has been observed by Microsoft performing Domain Federation trust activities, in order to gain a foothold as well as the previously mentioned techniques to gain foothold and compromise.

Vectra Cognito has several capabilities available to customers who want to investigate or detect if they have been compromised by this attack.

Overview of Vectra’s detections

APT 29’s tools and techniques are highly sophisticated and have gone unnoticed for an extended period of time. The tactics of the group remain similar to previous APT compromises:

1. Compromise host
2. Use Host to steal credentials / elevate privilege
3. Use new credentials to establish foothold in various parts of network
4. Move through cloud environment
5. Steal data

Vectra customers are protected from attacks leveraging the reported tactics and techniques. Below is an overview of Vectra’s AI-driven detections based on the TTP’s.

Detections based on network activity

External Remote Access / Hidden HTTPSTunnel/ Hidden HTTP Tunnel

• C2 communication and interaction with the infected host is expected. This detection will most likely be linked to the domain avsvmcloud[.]com‍

Vectra Threat Intel Match

• Relevant malicious destinations involved in this campaign are monitored in the Vectra Threat Intelligence Feed

RPC Recon / Targeted RPC Recon

• Attackers will use built in Microsoft tools to perform reconnaissance and attempt exploitation against a target

Suspicious Remote Execution

• Attackers will stand up new footholds using implants and remote code execution

Privileged Access Anomalies

• Attackers will leverage service accounts and specifically SolarWinds accounts to move laterally against infrastructure servers
• Attackers will use new accounts with elevated privileges would be generated and used against existing hosts and infrastructure to move through the network

‍Detections based on Office 365 and Azure AD activity

Suspicious Sign-On activity

• Attackers have been known to use cloud accounts to perform administrative actions against organizations infrastructures. Therefore, this detection would trigger if the group were to use the account from somewhere outside of the organization.

AdminAccount Creation

• Attackers have been seen creating Administrative accounts.

Newly Created Admin Accounts

• Similar to the previous detection, this would indicate the use of a newly created account by the adversary
• Suspicious Azure AD Operation
• Attackers have been observed creating new Federation Trusts and preforming other types of high-level Azure AD operations to maintain a foothold

Risky Application Permissions

• Attackers have leveraged malicious applications with expansive permissions to maintain persistence in an environment

What to look for in your environment:

Stream or Recall customers, and those using tools that collect network metadata should immediately search their environment for the following;

Review activity related to the APT29 linked domain in the iSession metadata streams

• resp_hostname:*. appsync-api.eu-west-1.avsvmcloud[.]com (Without the square brackets)
• resp_hostname:*. appsync-api.eu-west-2.avsvmcloud[.]com (Without the square brackets)

Review activity that is unexpected from SolarWinds systems across all metadata

• orig_hostname:(solarwinds_01* OR SolarWinds_01*)

Review activity related to admin AD accounts in the Kerberos_txn metadata

• client:(*admin_account* OR *Admin_Account*)

Review activity related to admin accounts in the NTLM metadata

• username:(*admin_account* OR *Admin_Account*)

Review activity related to admin accounts in the RDP metadata (note that RDP cookies are truncated at 9 characters)

• cookie:(admin_acc OR Admin_Acc)
• The cookie field can also include the domain name before the username, if this seems to be the case, perform searches where a SolarWinds server is the source

Conclusion

SolarWinds urges all customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment, or to disable internet access for the Orion Platform and limiting the ports and connections to only what is necessary.

If you’re ready to change your approach to detecting and responding to cyberattacks like these, and to get a closer look at how  Cognito can find attacker tools and exploits, schedule a demo  with Vectra today.