/sunburst-hunting

Meant to aid other responders: indicators and hunting techniques to identify SUNBURST compromise and establish scope, plus summarized analysis and links to additional resources.

License: Creative Commons Zero v1.0 Universal (CC0-1.0)

sunburst

This repository contains network-based indicators (NBI) and file hashes to help researchers detect SUNBURST. Different organizations are publishing some of these indicators but not others, so this is an attempt to compile all of them, along with some hunting techniques and summarized analysis of the available reports, to help fellow responders with our work.

View VirusTotal Infrastructure Graph

I am pulling the unique hostnames from multiple sources and compiling them at sunburst-hunting/indicators/uniq-hostnames.csv. As we learned which organizations may have been stage 2 targets we contacted those we had contacts for, but we waited several weeks until other open sources had published lists of affected organizations. Now that others are publishing these targets, we have also created a list at sunburst-hunting/decoded_names_and_potential_organizations.csv for those who wish to check whether their organization is known to be affected.

Most of the NBI provided here can be treated as high confidence. The exception is the list provided by John Bambenek shortly after SUNBURST was disclosed, which now appears to be unrelated to SUNBURST activity or even to UNC2452. That list was dumped from the Open Source Context data library; it includes redirects and is not curated to contain only SUNBURST content. Do not feed it into production tools to identify or scope a SUNBURST incident. The source repo is named 'research', and it is likely intended for just that.

The file hashes are known compromised samples, high confidence.

Attribution

FireEye tracks this adversary as UNC2452; some have conjectured that it is activity from the recently dormant APT29 / Cozy Bear. At this time there is not enough information to confirm that APT29 is behind this attack.

Execution

When the trojanized .dll in the SolarWinds install directory is loaded by the legitimate Orion service, the implant runs inside that service process. Copies of the backdoored DLL are found in the following locations.

SolarWinds DLL in install folder

PROGRAMFILES\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll

Main implant

WINDIR\System32\config\systemprofile\AppData\Local\Assembly\tmp\$variable_folder_name$\SolarWinds.Orion.Core.BusinessLayer.dll
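The two locations above are the first things a responder hashes on an Orion host, and the second one has a variable folder name, so it has to be globbed rather than typed. The following triage script is an added example, not code from this repository; it takes the Program Files and Windows roots as parameters so it can be pointed at a mounted image or at a constructed directory tree, hashes every copy of the DLL it finds, and compares against a known-bad set. The `build_fixture` helper, the file contents it writes and the `known_bad` digest derived from them are constructed for the example; real hashes come from the repository's hash files and the vendor advisories.

```python
"""Added example (not repo code): hash every copy of the Orion business-layer DLL
at the two locations named in the write-up and compare against a known-bad set."""
import hashlib
import tempfile
from pathlib import Path

DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"


def candidate_paths(programfiles: Path, windir: Path):
    """Yield the install-folder copy and every .NET shadow-copy under the
    systemprofile Assembly\\tmp folder (its subfolder name varies, so glob it)."""
    yield programfiles / "SolarWinds" / "Orion" / DLL
    shadow = (windir / "System32" / "config" / "systemprofile" / "AppData"
              / "Local" / "Assembly" / "tmp")
    if shadow.is_dir():
        yield from sorted(shadow.glob(f"*/{DLL}"))


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(programfiles: Path, windir: Path, known_bad: set) -> list:
    """Return [(path, sha256, verdict)] for each copy of the DLL that exists.
    UNLISTED is not a clean bill of health: verify signature and version next."""
    results = []
    for p in candidate_paths(programfiles, windir):
        if p.is_file():
            digest = sha256_file(p)
            verdict = "KNOWN_BAD" if digest in known_bad else "UNLISTED"
            results.append((str(p), digest, verdict))
    return results


def build_fixture() -> tuple:
    """Constructed directory tree standing in for a host: one 'clean' install copy
    and two shadow copies, one of which carries the constructed 'bad' content.
    Returns (programfiles, windir, known_bad_set)."""
    root = Path(tempfile.mkdtemp(prefix="sunburst-triage-"))
    programfiles, windir = root / "Program Files", root / "Windows"
    install = programfiles / "SolarWinds" / "Orion"
    shadow = (windir / "System32" / "config" / "systemprofile" / "AppData"
              / "Local" / "Assembly" / "tmp")
    bad_bytes = b"constructed backdoored dll content"      # not a real sample
    good_bytes = b"constructed clean dll content"
    for folder, content in ((install, good_bytes),
                            (shadow / "a1b2c3d4", bad_bytes),
                            (shadow / "e5f6a7b8", good_bytes)):
        folder.mkdir(parents=True, exist_ok=True)
        (folder / DLL).write_bytes(content)
    known_bad = {hashlib.sha256(bad_bytes).hexdigest()}
    return programfiles, windir, known_bad


if __name__ == "__main__":
    pf, wd, bad = build_fixture()
    for path, digest, verdict in triage(pf, wd, bad):
        print(verdict, digest, path)
```

Run it against a live host by passing the real `C:\Program Files` and `C:\Windows` paths and the hash set from this repository; the shadow-copy hits are the ones most often missed when only the install folder is checked.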

Period of Dormancy

After an initial dormant period of up to about two weeks, the backdoor executes commands, called Jobs, with capabilities including profiling the system, rebooting the machine, disabling services, transferring files, and loading additional malware. The malicious DLL communicates with avsvmcloud[dot]com using DGA-generated subdomains to prepare possible second-stage malware, accomplish lateral movement, or exfiltrate data. It masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores collected reconnaissance data in legitimate plug-in configuration files. All of its actions are meant to mimic the activity expected from Orion.

Second-Stage Payloads

Along with SUNBURST, samples have been observed dropping a memory-only dropper called TEARDROP, which was used to deploy Cobalt Strike beacons, a commercial post-exploitation framework widely used by adversaries.

Implant SUNSPOT

CrowdStrike's name for the malware used to insert the SUNBURST backdoor into the Orion build: it watches for the Orion build process and replaces a legitimate source file with one that includes the backdoor.

Command and Control (C2)

As noted, the adversary uses a domain generation algorithm (DGA) to build subdomains of avsvmcloud[dot]com. This communication can be used to stage additional payloads or to exfiltrate data. The generated subdomains encode the victim's local domain name, which is why decoded hostnames match the domains monitored by victims' Orion instances. It appears that the adversary also uses VPS infrastructure hosted in the same country as the victim.

Security Advisories

LATEST: CISA Alert: AA20-352A

SolarWinds Security Advisory - SUNBURST
Continually Updated SolarWinds Security Advisory
DHS - Emergency Directive 21-01

Resources and Recognition

FireEye White Paper: SUNBURST Backdoor
VOLEXITY: Dark Halo
Microsoft Customer Guidance SUNBURST
Threat Advisory: SolarWinds supply chain attack
SolarWinds SUNBURST Backdoor
unit42: SolarStorm and SUNBURST Customer Coverage
TrustedSec SUNBURST
Reversing Labs: SunBurst: the next level of stealth
CrowdStrike SUNSPOT Malware

Change in Perspective on the Utility of SUNBURST-related Network Indicators

Special thanks to John Bambenek @bambenek, who started identifying NBI beyond the initial scope of the FireEye published indicators, and to @RedDrip7 for starting work on the python script.