So what do we know of the aftermath of SolarWinds?
The attack was so extensive that we can't even begin to grasp its full impact. We are still very much in the middle of the SolarWinds debacle. The one silver lining is that we have a greater understanding of the importance of security and the role it plays in any organization or home. We also know more, in terms of technical details, about how the supply chain attack was carried out.
What we learned about the technical aspects of the attack
The attackers first had to find a way to poison the code library belonging to the SolarWinds Orion platform. More importantly, they were in search of a location to drop the malicious code that would have to be invoked periodically by the Orion platform in order to ensure a higher chance of execution and to maintain persistence. The attackers chose SolarWinds.Orion.Core.BusinessLayer.dll to insert malicious code into, specifically in RefreshInternal. The injected malicious code was so compact and lightweight that it was most likely easily overlooked by internal code review as all it really did was execute OrionImprovementBusinessLayer.Initialize within a parallel thread.
The class name OrionImprovementBusinessLayer was chosen on purpose so that it would look similar to the actual legitimate code. Unbeknownst to the actual developers, the backdoor resides almost entirely within this class. The attackers were also very careful to use neutral terms in order to hide the malicious nature of the code, and they compressed the strings and encoded them in Base64 to obfuscate it further. This proved to be a key factor in hiding the malicious code from detection for months.
When the backdoor executes, it runs a series of validations in order to verify the authenticity of the victim. These inspections are carried out in order to avoid detection by test networks such as honeypots. The malicious code checks a multitude of variables: the last write time, the process hosting the DLL, a set of criteria to validate that certain strings are not contained within the domain, running security-related processes that could blow its cover, and whether api.solarwinds.com resolves to an expected IP address. Should any of these checks fail, the backdoor will terminate its own process to prevent it from being found out. The lengths to which the attackers went to remain discreet were remarkable.
Like most other malware, the backdoor attempts to contact a C2 (Command and Control) server once it has verified the legitimacy of the victim, in order to share details such as system information with the C2 and to begin receiving commands from it. Another attempt by the attackers to mask their actions was in how the C2 domain was composed and its uniqueness per victim. The C2 domain contains four different parts: three come from strings hardcoded in the backdoor, while the last one is dynamically generated by hashing the physical address of the network interface, the domain name of the compromised device, and the content of the MachineGuid registry value. This gives each compromised victim a unique C2 domain to contact, allowing the breach to go undetected for longer periods, as there is never a single C2 domain that all the compromised victims will contact. When the connection is successful, the C2 sends a series of data containing commands that the backdoor then executes. The result is that the backdoor gives the attacker the ability to enumerate the compromised system, while also being able to control processes and the registry with full read and write access.
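The per-victim domain composition described above also leaves a pattern a defender can hunt for in DNS logs: several internal hosts querying the same parent suffix, each with its own hash-like leading label. The sketch below is an added example, not code from the original article or from any vendor; the log format, thresholds, function names and placeholder domains are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client, queried name) pairs. The domains are
# placeholders made up for this example, not real indicators.
SAMPLE_LOG = [
    ("ws-01", "k3v9q1xz7m2b8t4d.part-a.part-b.c2-placeholder.test"),
    ("ws-01", "k3v9q1xz7m2b8t4d.part-a.part-b.c2-placeholder.test"),
    ("ws-02", "p8d2w6n4j1r7y5hc.part-a.part-b.c2-placeholder.test"),
    ("ws-03", "t5g7b3x9l2f6s8qa.part-a.part-b.c2-placeholder.test"),
    ("ws-01", "www.intranet.example"),
    ("ws-02", "www.intranet.example"),
    ("ws-03", "mail.intranet.example"),
    ("ws-03", "www.intranet.example"),
]

def shannon_entropy(label):
    """Bits of entropy per character; hash-like labels score high."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def hunt_per_host_subdomains(log, min_clients=3, min_len=12, min_entropy=3.0):
    """Return suffixes under which every client queries only its own
    hash-like first label (thresholds are illustrative assumptions)."""
    by_suffix = defaultdict(lambda: defaultdict(set))  # suffix -> client -> labels
    for client, qname in log:
        label, _, suffix = qname.lower().rstrip(".").partition(".")
        if suffix:
            by_suffix[suffix][client].add(label)

    findings = {}
    for suffix, clients in by_suffix.items():
        if len(clients) < min_clients:
            continue
        owners = defaultdict(set)  # label -> clients that queried it
        for client, labels in clients.items():
            for label in labels:
                owners[label].add(client)
        # No label is shared between hosts, and every label looks generated.
        unique_per_client = all(len(c) == 1 for c in owners.values())
        hash_like = all(len(l) >= min_len and shannon_entropy(l) >= min_entropy
                        for l in owners)
        if unique_per_client and hash_like:
            findings[suffix] = {c: sorted(l) for c, l in clients.items()}
    return findings
```

A hit is a hunting lead rather than a verdict, because some legitimate services also assign per-device hostnames; review the flagged suffix before acting on it.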
From here the attackers would then follow a more or less standardized process of privilege escalation to gain more access and more control from within the victim's network. The attackers would also attempt to move laterally by employing remote task creation via PowerShell, while persistence was achieved through the use of various techniques such as PowerShell commands and stage 2 payloads.
Conclusion
The level of care taken to obfuscate the malicious code and its various components was remarkable. The malware was carefully and painstakingly coded in order to avoid detection for as long as possible. Additionally, the target for the supply chain attack, where the initial malicious code was injected, was cautiously hand-picked in order to achieve maximum effect. Finally, the patience of the attackers was alarming and professional. The result was one of the largest breaches of multiple private, public, and government systems. This was a supreme example of the dangers of a cautious, disciplined, and knowledgeable malicious actor that the world should be wary of.