SolarWinds Hacked - find the targets
ZY WU & CK Chen
About
ZY Wu
• Threat analyst at the Fox-IT intel team
• Malware analysis & threat intel
• Find me at zong-yu.wu@fox-it.com
CK Chen
• HITCON Member
• HITCON 2021 Review Board Chairman
• Researcher, focus on malware analysis, APT investigation and threat intel
Agenda
• What happened?
• Define the supply chain attack
• Impact Assessment – Finding the targets
• How special is it?
Kudos to
Danny at Fox-IT
YJ at TrendMicro
Anonymous Hamster at Exercise wheel
• 2020.12.09  FireEye hacked, red team tools leaked
• 2020.12.13  CISA issued an emergency directive
• 2020.12.13-14  WSJ, Reuters: U.S. Treasury and Commerce departments hacked
• 2020.12.15-18  Second malware, Supernova, discovered
• 2020.12.17  Microsoft, FireEye, GoDaddy establish a killswitch
• 2020.12.17  Microsoft reports potential victims
• 2020.12.31  Microsoft confirmed source code stolen
• 2021.01.05  CISA, DNI, NSA suspect the actor is Russia-based
• 2021.01.06  Department of Justice confirmed hacked
• 2021.01.11  CrowdStrike releases the SUNSPOT investigation report
• 2021.01.13  CISA: bypass of MFA in cloud services
• 2021.01.19  FireEye releases Remediation for Microsoft 365
• 2021.01.19  MalwareBytes claims to be hacked
• 2021.01.22  Microsoft: Deep dive into the Solorigate second-stage activation
• 2021.02.18  Microsoft Internal Solorigate Investigation – Final Update
• 2021.03.04  Microsoft, FireEye: New SUNSHUTTLE Backdoor Targeting U.S.-Based Entity
Relationships between the parties (read as "A %verb% B", row A, column B):

  A \ B      Target                    Supplier        Attacker
  Target     Afraid of (the insider)   Relied on       Afraid of
  Supplier   Relied on                 -               Afraid of
  Attacker   Interested in             Proxy through   -
Advantage of exploiting the Supply Chain
• Abuses the trust between supplier and targets
• It is possible to find a weaker supplier among them
• Compromising the major supplier in a sector compromises a whole range of companies at once
Attack Against Code Dev.
Normal pipeline:
  Commit -> Build (Signing) -> Test -> Deploy
Compromised pipeline:
  Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stays low) -> Deploy -> SUNBURST's party time
Impact Assessment
• More likely an espionage operation, which makes impact assessment tough to do.
• In this presentation, I invite you to take a journey with me to picture the targeted industries.
Malwares on the Desk
Inside SolarWinds:
• SUNSPOT (injector)
Running at victims' environments:
• SUNBURST (beacon)
• TEARDROP (loader)
• RAINDROP (loader)
• GoldMax
• SiBot
• GoldFinder
• CobaltStrike
SUNBURST under X-Ray
• The beacon (the backdoor) is installed into the SolarWinds Orion Platform.
• It avoids being launched in any dev. environment.
SUNBURST under X-Ray
• The malware uses a customized FNV-1a hash algorithm to store its resources (strings), so the lists it compares against are not readable in clear text.
• It checks for antivirus drivers/processes/services and analysis tools as well.
• Cracked hashes: https://github.com/fireeye/sunburst_countermeasures/blob/main/hashcat.potfile
• The malware stays low under these AD domains: swdev.local, saas.swi, emea.sales, dmz.local, pci.local, lab.local, apac.lab, dev.local, swdev.dmz, lab.rio, cork.lab, lab.brno, lab.na, test, Solarwinds
• SUNBURST was coded like a legitimate class. For example, a method that looks legitimate in fact encodes the process name, and its callbacks mimic the legitimate traffic on the Platform.
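To make the hashed blocklist concrete, here is an added example (it is not code from the talk or from the sunburst_countermeasures repository) that computes FNV-1a-64 and matches a domain name against hashcat-style "hash:plaintext" lines. The post-XOR constant 6605813339339102567 is the one FireEye's published SUNBURST analysis reports; it is not on the slides and is treated as an assumption here, so verify it against a sample before relying on it. The potfile lines are constructed in the script from the domain list on the slide rather than downloaded.

```python
# Added example (not from the talk): FNV-1a-64 with SUNBURST's post-XOR step,
# plus a lookup against a hashcat-style potfile of cracked domain hashes.
import re
from typing import Dict, Optional

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Assumption: the digest is XOR'd with this constant before comparison. The value
# comes from FireEye's analysis, not from the slides; verify it on a sample.
SUNBURST_XOR = 6605813339339102567


def fnv1a64(data: bytes) -> int:
    """Standard FNV-1a, 64-bit: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(text: str, xor_mask: int = SUNBURST_XOR) -> int:
    """FNV-1a-64 over the UTF-8 bytes, then XOR with the malware's constant."""
    return fnv1a64(text.encode("utf-8")) ^ xor_mask


# Domain names from the slide; the hashes are computed here so the example is
# self-consistent. The potfile at the URL above is the authoritative list.
BLOCKLIST_DOMAINS = [
    "swdev.local", "saas.swi", "emea.sales", "dmz.local", "pci.local",
    "lab.local", "apac.lab", "dev.local", "swdev.dmz", "lab.rio",
    "cork.lab", "lab.brno", "lab.na", "test", "solarwinds",
]


def build_potfile(domains) -> str:
    """Constructed hashcat-style potfile: one 'hash:plaintext' line per domain."""
    return "\n".join(f"{sunburst_hash(d)}:{d}" for d in domains)


def load_potfile(text: str) -> Dict[int, str]:
    """Parse 'decimalhash:plaintext' lines into a lookup table."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\d+):(.*)", line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def match_domain(ad_domain: str, table: Dict[int, str]) -> Optional[str]:
    """Hash the lowercase AD domain the way the malware does and look it up.
    A hit means the beacon would have stayed dormant on that host."""
    return table.get(sunburst_hash(ad_domain.lower()))


if __name__ == "__main__":
    table = load_potfile(build_potfile(BLOCKLIST_DOMAINS))
    for candidate in ["DEV.LOCAL", "corp.example"]:
        print(candidate, "->", match_domain(candidate, table))
```

Running the script prints the matched entry for DEV.LOCAL and None for corp.example; the same table can be used to label unknown hashes recovered from a SUNBURST sample's string table.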
SUNBURST under X-Ray
• The callback domain is generated from victim information and sent over the DNS protocol.
• Stage 1 – over DNS, to get the HTTP server
• Stage 2 – over HTTP, for the backdoor
• There are up to 4 different types (2 encodings x 2 inputs), for example:
57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
SUNBURST Callback Protocol
Layout of the queried name (PASSIVE mode):
  Part      Fixed prefix        Random-length part        C&C
  Length    15                  else (the rest)           -
  Content   Encoded GUID        Encoded AD domain name    appsync-api.us-east-1.avsvmcloud.com
  Example   06a4ea63c80ee24a    scc.state.va.
-> The AD domain can be retrieved from a DNS query!
-> Reverse engineering to decode it
SUNBURST Callback Protocol
• DNS traffic, when it is not running over TLS, is not encrypted.
• It is possible to gather the domains that were queried at a certain time by listening to the network traffic on the internet backbone.
• This dataset is called a passive DNS record.
Beacon states as seen in passive DNS:
• PASSIVE – query carries [domain[:15], domain[15:]] (DGA encoding method for the PASSIVE state). Potential target; the response is a magic A record.
• TRUNCATED – backdoor stopped: the victim was not interesting.
• ASSOCIATED – query carries [T+AVs] (DGA encoding method for the ASSOCIATED/ACTIVE state).
• ACTIVE – backdoor on HTTP: query carries [T+AVs + Active bit]. The target was selected; the response is the HTTP C&C server in a CNAME record.
Searching the victims (in PASSIVE mode)
Two queries carrying the same GUID:
  57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
  m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com

  Part      Fixed prefix (15)   Random-length part       C&C
  Query 1   Encoded GUID        Encoded AD domain name
            06a4ea63c80ee24a    scc.state.va.
  Query 2   Encoded GUID        Encoded AD domain name
            06a4ea63c80ee24a    us
-> Add up to scc.state.va.us
(DGA encoding method for the PASSIVE state)
Unique entries per state:
  PASSIVE      28,737
  ASSOCIATED    7,029
  ACTIVE          119
Searching the targets (in ACTIVE mode)
9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com
  Part      Fixed prefix (8)    Fixed (3)                         Random-length part    C&C
  Content   GUID                Meta                              Running Antivirus
  Example   06a4ea63c80ee24a    mode=1, active=1,
                                timestamp=2020-05-31 12:00:00
The GUID is mapped to scc.state.va.us.
(DGA encoding method for the ASSOCIATED/ACTIVE state)
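The analyst-side step described on the last few slides, as an added example (not code from the talk): parse each avsvmcloud.com query from a passive DNS export, split the 15-character encoded GUID from the encoded domain fragment, group fragments by GUID and join them in timestamp order, and mark a GUID as ACTIVE when its query was answered with a CNAME. The encoding used here is a stand-in (standard base32 over one key byte plus the XOR'd 8-byte GUID, which gives the 15-character prefix seen on the slides), not SUNBURST's real substitution cipher, so a real decoder has to be swapped in for real data. The passive DNS rows, the key bytes and the second GUID are constructed; 06a4ea63c80ee24a is the GUID shown on the slides.

```python
# Added example (not from the talk): grouping SUNBURST-style PASSIVE-mode queries
# from passive DNS by victim GUID and reassembling the AD domain fragments.
# The encoding is a STAND-IN (standard base32), not the real SUNBURST cipher.
import base64
import re
from collections import defaultdict
from datetime import datetime

# Query label followed by the C&C suffix shown on the slides.
C2_QUERY_RE = re.compile(r"^([a-z0-9]+)\.appsync-api\.[a-z0-9-]+\.avsvmcloud\.com$")
PREFIX_LEN = 15  # 1 key byte + 8-byte GUID -> 15 base32 characters, as on the slides


def b32enc(data: bytes) -> str:
    return base64.b32encode(data).decode().rstrip("=").lower()


def b32dec(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def encode_guid(guid: bytes, key: int) -> str:
    """Stand-in GUID encoding: key byte followed by the GUID XOR'd with the key."""
    assert len(guid) == 8
    return b32enc(bytes([key]) + bytes(b ^ key for b in guid))


def decode_guid(prefix: str) -> bytes:
    raw = b32dec(prefix)
    key = raw[0]
    return bytes(b ^ key for b in raw[1:9])


def build_query(guid: bytes, key: int, fragment: str, region: str = "us-east-1") -> str:
    """Constructed PASSIVE-mode query: <15-char GUID><encoded fragment>.<C&C suffix>."""
    return f"{encode_guid(guid, key)}{b32enc(fragment.encode())}.appsync-api.{region}.avsvmcloud.com"


def parse_query(fqdn: str):
    """Return (guid, fragment) for a PASSIVE-mode query, or None for anything else."""
    m = C2_QUERY_RE.match(fqdn.lower())
    if not m or len(m.group(1)) <= PREFIX_LEN:
        return None
    label = m.group(1)
    try:
        return decode_guid(label[:PREFIX_LEN]), b32dec(label[PREFIX_LEN:]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not well-formed under this stand-in encoding


def reassemble(records):
    """records: (iso_timestamp, fqdn, rrtype, rdata) rows from passive DNS.
    Fragments are joined per GUID in time order; a CNAME answer marks the GUID
    ACTIVE, i.e. the operators handed that victim an HTTP C&C server."""
    fragments, active = defaultdict(list), set()
    for ts, fqdn, rrtype, _rdata in records:
        parsed = parse_query(fqdn)
        if parsed is None:
            continue
        guid, fragment = parsed
        fragments[guid.hex()].append((datetime.fromisoformat(ts), fragment))
        if rrtype.upper() == "CNAME":
            active.add(guid.hex())
    return {g: {"domain": "".join(f for _, f in sorted(items)), "active": g in active}
            for g, items in fragments.items()}


GUID_A = bytes.fromhex("06a4ea63c80ee24a")  # GUID shown on the slides
GUID_B = bytes.fromhex("0011223344556677")  # constructed
SAMPLE_RECORDS = [  # constructed passive DNS rows; the A-record data is a placeholder
    ("2020-06-01T10:00:00", build_query(GUID_A, 0x5A, "scc.state.va."), "A", "192.0.2.10"),
    ("2020-06-01T10:05:00", build_query(GUID_A, 0x13, "us"), "A", "192.0.2.10"),
    ("2020-06-02T08:00:00", build_query(GUID_B, 0x77, "central.pima."), "A", "192.0.2.10"),
    ("2020-06-02T08:04:00", build_query(GUID_B, 0x02, "gov"), "CNAME", "c2.example.invalid"),
    ("2020-06-02T09:00:00", "www.example.invalid", "A", "192.0.2.1"),
]

if __name__ == "__main__":
    for guid, info in reassemble(SAMPLE_RECORDS).items():
        print(guid, info["domain"], "ACTIVE" if info["active"] else "passive")
```

Grouping by GUID is what turns tens of thousands of individual passive DNS rows into a per-victim list; the unrelated www.example.invalid row is dropped by the suffix check rather than by a length heuristic, so other domains that happen to be the right length are not misparsed.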
Searching the targets (in ACTIVE mode)
Government: scc.state.va.us, central.pima.gov, mgt.srb.europa, fc.gov, ddsn.gov, phpds.org
Energy: HQ.FIDELLA, lagnr.chevronte, xaco.net, coxnet.cox.com
Defense: ng.ds.army.mil, nsanet.local
Tech/CyberSecurity: corp.qualys.com, paloaltonetworks.com, logitech.local, wctc.msft, ggsg-us.cisco.com, cisco.com, fox.local
Relationships revisited after the attack (read as "A %verb% B", row A, column B):

  A \ B      Target                    Supplier                Attacker
  Target     Afraid of (the insider)   Relied on & Afraid of   Afraid of
  Supplier   Relied on                 -                       Afraid of
  Attacker   Interested in             Proxy through           -
Software Supply Chain
• While better defense mechanisms are deployed, threat actors move their targets to the weakest point of the supply chain.
• More complicated software -> more complicated supply chain
• We talk a lot about supply chain, so… what is the supply chain of the software you use daily?
Stack Overflow / Source Code / Library Code / Text Book/Doc -> Copy Code -> Compiler -> Version Control -> Static Library -> Linker -> Executables -> CI -> Release Site -> Update Dispatch -> Dynamic library -> Executables -> Loader -> Executing
Inside your program, do you know where every component comes from?
Every step here is possible to be compromised. Real cases along the chain:
• Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security (2015)
• Malicious event-stream backdoor (2019)
• Ruby strong_password backdoor (2019)
• XcodeGhost (2015)
• CCleaner attack (2018)
• Operation GG (2015)
APTs Utilize Supply Chain Attacks
• While most organizations gradually enhance their security, adversaries try to compromise the weakest point of the partner/supply chain first.
• ASUS Shadow Hammer (2019) – discovered by Kaspersky
• ASUS Web Storage (2019) – we discovered this operation at the same time as ESET
• SolarWinds supply chain attack (2021)
Highlight TTPs
• Supply chain attack: a large number of enterprises are potential victims
• Compromise DevOps: stay stealthy in the development environment
• Sophisticated malware: separate the malware's execution path
• Attacking the cloud service
Attacking the Cloud Service
• Lateral movement from on-premises networks to gain unauthorized access to the victim's Microsoft 365 environment
• Golden SAML attack
• Modify trusted domains
• Hijack Azure AD applications
• Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
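A Golden SAML token is minted with a stolen AD FS signing key and never passes through the federation server, so the cloud accepts a sign-in that AD FS never logged as issued. The added example below (not code from the talk, Sparrow or the Mandiant Azure AD Investigator) correlates a cloud sign-in export with the on-premises AD FS token-issuance audit and flags federated sign-ins with no issuance for the same user shortly before. Both log formats, the field names, the users and the 10-minute window are constructed for this example; on a real deployment the AD FS side is the security audit log and the cloud side the sign-in log export, and the window should follow your token lifetimes.

```python
# Added example (not from the talk): federated cloud sign-ins with no matching
# on-premises AD FS token issuance, the classic Golden SAML tell.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines exports. Field names are this example's own; map them
# onto your AD FS issuance audit and your cloud sign-in export.
ADFS_ISSUANCE_LOG = """
{"time": "2021-01-05T08:58:10", "user": "alice@example.invalid", "client_ip": "10.1.2.3"}
{"time": "2021-01-05T13:10:00", "user": "carol@example.invalid", "client_ip": "10.1.2.9"}
"""

CLOUD_SIGNIN_LOG = """
{"time": "2021-01-05T09:00:02", "user": "alice@example.invalid", "auth": "federated", "app": "Exchange Online"}
{"time": "2021-01-05T14:00:45", "user": "bob@example.invalid", "auth": "federated", "app": "Azure Portal"}
{"time": "2021-01-05T15:20:00", "user": "dave@example.invalid", "auth": "password", "app": "Teams"}
{"time": "2021-01-05T16:30:00", "user": "carol@example.invalid", "auth": "federated", "app": "SharePoint"}
"""

WINDOW = timedelta(minutes=10)  # assumption: a freshly issued token is presented promptly


def parse_jsonl(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unissued_federated_signins(adfs_events, cloud_events, window=WINDOW):
    """Cloud sign-ins that claim federated auth but have no AD FS issuance for
    the same user inside `window` before the sign-in time."""
    issued = defaultdict(list)
    for e in adfs_events:
        issued[e["user"].lower()].append(datetime.fromisoformat(e["time"]))
    hits = []
    for s in cloud_events:
        if s.get("auth") != "federated":
            continue  # password or other auth does not go through the SAML path
        t = datetime.fromisoformat(s["time"])
        recent = issued.get(s["user"].lower(), [])
        if not any(t - window <= issued_at <= t for issued_at in recent):
            hits.append(s)
    return hits


def suspicious_users(adfs_text=ADFS_ISSUANCE_LOG, cloud_text=CLOUD_SIGNIN_LOG, window=WINDOW):
    hits = unissued_federated_signins(parse_jsonl(adfs_text), parse_jsonl(cloud_text), window)
    return sorted({h["user"] for h in hits})


if __name__ == "__main__":
    for user in suspicious_users():
        print("federated sign-in without AD FS issuance:", user)
```

With the constructed data, bob is flagged because AD FS never issued him anything, and carol is flagged only under the 10-minute window (her issuance is over three hours earlier); widening the window to a few hours clears carol, which is why the window must be tuned to the real token lifetime rather than guessed.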
Mitigation
• Threat hunting for malicious IoCs:
  • FireEye's Red Team tool IoCs
  • SunBurst IoCs
  • CISA "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations"
• Summary of the IoCs: https://shorturl.at/fxKTV
Mitigation
• Mandiant Azure AD Investigator
• https://github.com/fireeye/Mandiant-Azure-AD-Investigator
• CISA “Strengthening Security Configurations to Defend Against
Attackers Targeting Cloud Services”
• https://github.com/cisagov/Sparrow
Lesson Learned
• While being compromised is hard to avoid, what matters is proactive threat hunting and response to the incident.
• Communicate and share with the security community
• Sophisticated APT attacks:
  • Supply chain attack
  • Compromised DevOps process
  • Leverage cloud service attacks
• Supply chain security will still be the loophole in enterprises' security
• Use threat intelligence, e.g. PDNS (passive DNS), to help us understand the threat actor's targets
• Cloud services become a new attack vector for lateral movement (LM)
Q&A

[HITCON FreeTalk 2021 - SolarWinds supply chain attack incident analysis]
