SUNSPOT malware spotted in SolarWinds
Wow, it’s been a minute. I hope everyone had a happy new year. Let’s get this party started.
This week, we’re giving an update on the SolarWinds hack and some dangerous Windows vulnerabilities from the first Patch Tuesday of the year.
In December 2020, we covered a breach of SolarWinds impacting SolarWinds Orion customers with a complex supply chain attack. We’ve got a few updates for you this week.
CrowdStrike has supported SolarWinds in its investigation and root cause analysis of the events that led to the inclusion of unauthorized malicious code into its build cycle.
In coordination with SolarWinds, CrowdStrike has provided analysis on SUNSPOT, a malicious tool that was deployed into the build environment to inject this backdoor into the SolarWinds Orion platform without arousing the suspicion of the development team charged with delivering the product.
Although it is just now being discussed, SUNSPOT preceded SUNBURST in the SolarWinds breach. Here’s what you need to know:
- SUNSPOT malware was used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
- SUNSPOT monitors running processes for those involved in the compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
- Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.
- Analysis of a SolarWinds software build server provided insight into how the process was hijacked in order to insert SUNBURST into the update packages. The design of SUNSPOT suggests developers invested a lot of effort to ensure the code was properly inserted and remained undetected, prioritizing operational security to avoid revealing their presence in the build environment to SolarWinds developers.
We can assume this is not the last piece of malware we’ll discover related to the attack. Something preceded SUNSPOT and has yet to be disclosed.
In other SolarWinds breach news, CISA updated its original advisory. CISA confirmed that the SolarWinds hackers also relied on password guessing and password spraying as initial access vectors.
“CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133],” the agency said on Wednesday.
Once threat actors gained access to internal networks or cloud infrastructure, CISA said the hackers, believed to be Russian in origin, escalated access to gain administrator rights. They then moved to forge authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources inside a company’s network without needing to provide valid credentials or solve multi-factor authentication challenges.
In a report published on December 28, Microsoft said the threat actor’s primary goal was to gain access to cloud-hosted infrastructure, which in many cases were Azure and Microsoft 365 environments.
Data stolen from SolarWinds and SolarWinds customers is being offered for sale online, although it could be someone trying to capitalize on the high-profile breach.
The solarleaks[.]net domain was registered on January 10, 2021, by TUCOWS, INC. and is currently hosted by Rook Media GmbH, AS40034.
At the time, DNS records showed that 185.193.126[.]236 resolves to the solarleaks[.]net domain whose content is replicated across at least one other domain, tezuvhalazdar[.]org, supporting the same signed message as that which threat actors uploaded to solarleaks[.]net. On the website, unidentified individuals claimed responsibility for the SolarWinds breach and offered multiple data sets for sale:
Microsoft Windows (partial) source code and various Microsoft repositories
Data: msft.tgz.enc (2.6 GB)
Cisco multiple products source code + internal bug tracker dump
Data: csco.tgz.enc (1.7 GB)
SolarWinds products source code (all including Orion) + customer portal dump
Data: swi.tgz.enc (612 MB)
FireEye private red team tools, source code, binaries, and documentation
Data: feye.tgz.enc (39 MB)
The asking price for all the leaked data is $1 million. solarleaks[.]net also claims that they “aren’t fully done yet” as they want to “preserve the most of our current access,” and this should be considered the first batch of data available for sale.
Threat actors advised that they were willing to provide proof upon request and shared the email address solarleaks@protonmail[.]com as a point of contact. According to this post on Twitter, the threat actors refused to share any additional information to support their claim with a journalist.
Joseph Cox, a journalist and a security researcher, stated that he found the hidden service version of the solarleaks misconfigured server, letting you see connecting IPs — some exit nodes and residential IPs, an American university, and a server linked to automated hack attempts.
Some security researchers received the solarleaks offer with suspicion and suggested that it is either a scam or a misinformation campaign similar to the Guccifer 2.0 actions. Previously, FireEye released YARA rules, making the red team tools binaries unfit to use, but the source code leak creates a potential for obfuscation and further development of it.
First Patch Tuesday of 2021
On Tuesday, January 12, 2021, Microsoft announced 84 vulnerabilities, 10 being critical, and one that is being exploited in the wild.
CVE-2021-1647, a vulnerability in Windows Defender that impacts Windows 7 through Windows 10 and Windows Server 2008 through 2019. The vulnerability is a Remote Code Execution (RCE) vulnerability that is being exploited in the wild, according to Microsoft.
The Microsoft Malware Protection Engine automatically updates, so no action is required to update.
CVE-2021-1709 is an elevation of privilege vulnerability in the Win32 kernel that is labeled Important. The vulnerability exists in Windows 8 through 10 and Windows Server 2008 through 2019. This type of vulnerability has been exploited quickly in the past. It took only nine days for attackers to start selling exploits for a similar vulnerability, CVE-2019-1458, on underground markets.
CVE-2021-1648 was publicly disclosed by Google Project Zero. It is an elevation of privilege vulnerability, classified as Important, in the splwow64 process. The vulnerability impacts Windows 8 & 10 as well as Windows Server 2012 - 2019, and exploits against this vulnerability have not been observed in the wild yet.
Another critical vulnerability is CVE-2021-1665, an RCE vulnerability in Microsoft’s GDI+ component. The vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2019. This vulnerability is worth remembering because it impacts Windows 7, which is no longer supported.
Finally, there are five newly released critical vulnerabilities in Microsoft’s Remote Procedure Call (RPC) Runtime. CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, and CVE-2021-1673 vulnerabilities exist in Windows 8 through 10 and Windows Server 2008 through 2019.
The full list of vulnerabilities for this Patch Tuesday is available from Microsoft, organized by active exploitation first and the likelihood of exploitation second.
That’s all for this week.