Sophos Solarwinds

  

Solarwinds N-Central Upload of the AMP File. Logon to Solarwinds N-Central and under Actions click on Start Automation Manager. If you already have the Automation Manager installed simply launch, if not you will need to install the Automation Manager Software. Applies to the following Sophos product(s) and version(s) Sophos UTM, Sophos UTM Manager Integration with SNMP SNMP can be divided into two categories: traps and queries. Traps are notifications sent proactively from the UTM or UTM Manager to the monitoring product. These allow monitoring products to be alerted immediately when an event occurs. Sophos Endpoint connectors My employer uses Sophos endpoint for security and there are currently no connectors for this, I would like to be able to monitor my antivirus via solarwinds but none of the connectors currently available support it. SolarWinds Server Configuration Monitor (SCM) is designed to quickly reveal when server, application, or database configurations change, who’s changing them, what changed, and performance impact—helping you have the necessary visibility to troubleshoot faster, improve security, and demonstrate compliance.

FireEye said it’s identified a killswitch that prevents the malware distributed through malicious updates to SolarWinds’ Orion network monitoring tool from continuing to operate.

The breakthrough comes just a day after KrebsOnSecurity reported that Microsoft had taken control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates. FireEye named the malware distributed through trojanized SolarWinds Orion updates SUNBURST.

“Under certain conditions, the malware would terminate itself and prevent further execution,” a FireEye spokesperson said in a statement. “This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com.”

[Related: $286M Of SolarWinds Stock Sold Before CEO, Hack Disclosures]

FireEye said its ability to prevent SUNBURST from continuing to operate depends on the IP address returned when the malware resolves avsvmcloud[.]com. The Milpitas, Calif.-based platform security vendor cautioned that, in the intrusions its seen, the state-sponsored hackers moved quickly to establish additional ways of accessing the victim networks beyond the SUNBURST backdoor.

The killswitch identified by FireEye won’t remove the hackers – who The Washington Post said are with the Russian intelligence service – from victim networks where they’ve established other backdoors, according to the company. But it will make it more difficult to for the hackers to leverage versions of SUNBURST that were previously distributed to victims.

FireEye said it worked with Microsoft and GoDaddy to deactivate SUNBURST infections. GoDaddy is the current domain registrar for the malware control servers used by the SolarWinds hackers, according to KrebsOnSecurity. GoDaddy told CRN in a statement Tuesday that it had worked closely with FireEye, Microsoft and others to help keep the internet safe and secure.

Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients, according to KrebsOnSecurity. Given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others likely now have a decent idea which companies may still be struggling with SUNBURST infections, KrebsOnSecurity said.

Trump administration officials acknowledged Monday that federal agencies including the State Department, the Department of Homeland Security, and parts of the Pentagon had been compromised, according to The New York Times. Reuters reported Sunday that the Treasury Department and The Commerce Department’s National Telecommunications and Information Administration were breached.

The victims have included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote in a blog posted Sunday. The researchers said they anticipate there are additional victims in other countries and verticals.

The hackers behind the SolarWinds attack went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection, FireEye CEO Kevin Mandia wrote in a blog post Sunday. The adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools, according to Mandia.

The malware inserted into SolarWinds Orion masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.

Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.

Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found that the hackers routinely removed their tools, including removing backdoors.

** We will continue to update this article with additional information as it becomes available. Check back here and GitHubregularly for further updates. ** 

For security teams who have SolarWinds in their environment looking to initiate incident response, we’re providing the following playbook, based upon our initial understanding of the threat, as an aid to help you investigate any potential attack. The information presented may not be complete or eliminate all threats, but we expect will be effective based on our experience. As more information becomes available about the threat, recommended steps may change or be updated.

This response process may need to be customized for your environment and is based upon the following assumptions:

  1. Ability to establish when the vulnerable component was introduced into the environment and log coverage for that period.
  2. Assume adversary had access to all accounts and credentials utilized by SolarWinds Orion server and the capability to assume the identity of any administrative or related accounts.
  3. Assume adversary had the capability and network access to maintain a C2 channel to SolarWinds Orion server.
  4. Ability to determine that no accounts used by SolarWinds, nor accounts used to access the SolarWinds Orion server had full domain administrative rights.
  5. Ability to determine that no active malicious activity occurred relating to the vulnerable component based upon currently available IOCs and detections.

If you find evidence of malicious activity or if you are not able to arrive at some of the baseline conclusions described here,Sophos recommends initiatingyour full incident response procedures or reaching out for external assistance.

Hunt for impacted SolarWinds instances

Endpoint queries

Sophos EDR/Osquery:Detection queries

Sophos Intercept X:

Sophos AppControl detects all versions of SolarWinds Orion as “SolarWinds MSP Agent”

Labs detections: List of detections and IOCs Dps6 transmission.

Sophos

Manual (example):

PS C:Windowssystem32> Get-FileHash C:OrionSolarwinds.Orion.Core.Businesslayer.dll Format-List

Algorithm: SHA256

Hash: CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6

Path: C:OrionSolarwinds.Orion.Core.Businesslayer.dll

Network queries

SolarWinds can be detected via network monitoring by looking for call-homes made by its updating service. The following Zeek IDS searches may also help: SIEM Searches.

Note:You may only see outbound connection from your main SolarWinds instance not pollers.

Identify malicious SolarWinds components

Endpoint indicators

Sophos Intercept X / Central Endpoint Protection:

SophosLabs contains both detections for the malicious component and the additional signature that indicate active exploitation. Sophos has also blocked all associated IP and domain indicators for its customers. See GitHub for detection names.

Sophos EDR/OSquery: Detection queries

Network indicators

Sophos has also blocked all associated IP and domain indicators for its XG and SG customers. If you have additional network telemetry the following searches may also be of use: SIEM Searches

Sophos solarwinds orion

Note: The attacks communicate toC2 via TLS so a file hash hit is unlikely unless you intercept TLS.

Prepare for forensics

If possible, snapshot all affected hosts with impacted versions of Orion installed.

Ensure that snapshotting processes also capture memory.

  • VMware: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.html.hostclient.doc/GUID-A0D8E8E7-629B-466D-A50C-38705ACA7613.html
  • Hyper-V: https://support.citrix.com/article/CTX126393

A lightweight forensic acquisition can also be performed using the “Forensic snapshot” feature of Sophos EDR.

Scope potentially compromised accounts

Potentially impacted accounts are:

  1. All accounts SolarWinds used for network monitoring, this includes Windows local accounts, domain accounts, SNMP, SSH, etc.
  2. All other accounts used on the affected SolarWinds Orion Servers. These include all administrative logins (e.g. EventCode 4624) to the server and any local or service accounts. (e.g local SQL database account.)

The following table can be used to document all potentially impacted accounts:

UsernameDescProtocolDomainDomain AdminServer admin/rootScopeNotes
(fully-qualified username/UPN) Brief overview of what it’s used by Windows/KRB/NTLM SNMP SSH etc (y/n) (y/n) What hosts this is applicable to
Sophos solarwinds webinar

Identify high-value attack paths for potentially compromised accounts

Sophos Solarwinds Antivirus

For all potentially compromised accounts listed above, identify other high-value systems (e.g. domain controllers, Active Directory Federation Services, and Azure Active Directory Connect servers) to which they had access.

  1. Evaluate local system authentication logs for anomalous activity from compromised accounts.
  2. Bloodhound can also be used to map out access of any potentially impacted accounts.

If servers or accounts involved in federated authentication (e.g. ADFS servers) were potentially impacted, refer to Microsoft’s customer guidance and develop an appropriate additional containment strategy.

Solarwinds

Containment and eradication

Warning: these steps assume a desire to preserve the environment for further forensic investigation and may have an impact on production environments.

Sophos Solarwinds Webinar

  1. Isolate all SolarWinds Orion instances from the network:
    1. Instant isolation can be performed at the host level using such controls as Sophos EDR via Sophos Central.
    2. Host-based isolation should be backed up by network–based isolation. Systems should be migrated to an isolated non-routable VLAN with console access only (migrating to a VLAN helps preserve network state for future forensics).
  2. Perform credential reset or disable and recreate all potentially impacted accounts:
    1. Important: Ensure that no fresh or reset accounts are used to access any compromised infrastructure.
  3. Rebuild fresh monitoring servers from known-good sources ready for release of Orion platform version 2020.2.1 HF 2, which is planned for release on Tuesday, December 15, 2020.
  4. Consider taking forensic snapshots and rebuilding additional exposed hosts, including:
    1. Any hosts running the SolarWinds agent.
    2. Any hosts for which potentially compromised accounts had access rights.