SolarWinds is a publicly traded company worth $5.4B that develops IT infrastructure management software products for small and medium-sized enterprises. Two separate pieces of malware, known as SUPERNOVA and SUNBURST, worked against vulnerabilities in SolarWinds’ product Orion. The malware known as SUNBURST potentially allows an attacker to compromise the server on which the Orion products run. The manner in which SUNBURST was used against its victims resulted in it being labelled a “supply chain attack,” a technique in which an adversary uses malware to disrupt a company’s ability to produce or deliver its products to customers.
Although “supply chain attack” is a broad term without a universally agreed-upon definition, in theory the intended target of a supply chain attack is not necessarily the company whose network was breached and disrupted. For example, if an attacker wanted to disrupt the operations of a large retailer such as Walmart, the suppliers on which Walmart depends could serve as easier targets, with the effect of disrupting Walmart’s business. However, the term can also simply refer to an attack (not even necessarily a malware-based attack) that impacts the ability of a company to produce or deliver its products or services.
The situation has cost SolarWinds at least $18 million in the first three months of 2021 and dropped its share price by about 13%. Long-term costs are estimated at $100B, and the breach exposed 18,000 clients, including several US-based Fortune 500 companies and some agencies of the US and British governments.
In December 2020 the cyber-security firm CrowdStrike was contracted by SolarWinds to uncover the source of the malware in its build cycle. From information on the SolarWinds website, combined with information from the CrowdStrike Research and Intel blog, it seems that the inclusion of unauthorized malicious code resulted in malware being implanted into the SolarWinds Orion software through SolarWinds’ own development operations department. The malware found in the build-cycle process was named SUNSPOT by CrowdStrike. SUNSPOT acts as a stage 1 trojan that downloads and installs SUNBURST. SUPERNOVA acts as a worm by attempting to spread the malware.
So we have:
- SUNSPOT – Trojan operational in the SolarWinds development environment
- SUNBURST – Malware being inserted by SUNSPOT into the SolarWinds Orion software product at each compile time
- SUPERNOVA – Worm-enabling web shell that allows lateral pivoting through a compromised network (the threat actor is believed to be different)
- SUNSHUTTLE – Second-stage backdoor
According to CrowdStrike, the SUNSPOT malware grants itself Windows debugging privileges by modifying its security token to add SeDebugPrivilege. An article on the Microsoft development blog describes SeDebugPrivilege as the equivalent of granting system administrator privileges, which allows SUNSPOT to read other processes’ memory contents. SUNSPOT continuously looks for the Microsoft Visual Studio build tool process “MsBuild.exe” and, if found, confirms whether Orion is the software package being compiled. This is done by examining the command line arguments that MS Visual Studio provides to the compiler. If the Orion package is being compiled, SUNSPOT modifies the source code files before they are compiled and then restores the original source files after compiling.
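The SUNSPOT behaviour just described (a token adjusted to add SeDebugPrivilege, MSBuild's command line checked for the Orion project, and source files rewritten during the build) gives a defender a concrete telemetry pattern to hunt for. The following is an added example, not code from the page, SolarWinds or CrowdStrike: it runs that detection over a few constructed, Sysmon-like event records; the event field names, the process name `helper.exe` and the paths are hypothetical.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical, loosely modelled on Sysmon
# process/file events and Windows event 4703); not real SolarWinds logs.
SAMPLE_EVENTS = [
    {"t": 1, "type": "process_start", "pid": 100, "image": "MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\Orion\Orion.sln /p:Configuration=Release"},
    {"t": 2, "type": "token_adjust", "pid": 200, "image": "helper.exe",
     "privilege": "SeDebugPrivilege"},
    {"t": 3, "type": "file_write", "pid": 200, "image": "helper.exe",
     "path": r"C:\src\Orion\Core\InventoryManager.cs"},
    {"t": 4, "type": "file_write", "pid": 300, "image": "devenv.exe",
     "path": r"C:\src\Orion\Core\Util.cs"},
    {"t": 5, "type": "process_exit", "pid": 100, "image": "MSBuild.exe"},
    {"t": 6, "type": "file_write", "pid": 200, "image": "helper.exe",
     "path": r"C:\src\Orion\Core\InventoryManager.cs"},
]

SOURCE_EXTS = (".cs", ".vb", ".csproj")          # files a build implant would swap
TRUSTED_EDITORS = {"devenv.exe", "msbuild.exe", "csc.exe"}  # expected writers


def find_build_tampering(events, project_marker="orion"):
    """Return {pid: [reasons]} for processes that enabled SeDebugPrivilege
    and wrote source files while MSBuild was compiling the named project."""
    active_builds = set()   # pids of MSBuild runs whose command line names the project
    debug_pids = set()      # pids that adjusted their token to add SeDebugPrivilege
    findings = defaultdict(list)
    for ev in events:
        kind, pid, image = ev["type"], ev["pid"], ev["image"].lower()
        if kind == "process_start" and image == "msbuild.exe" \
                and project_marker in ev["cmdline"].lower():
            active_builds.add(pid)
        elif kind == "process_exit":
            active_builds.discard(pid)
        elif kind == "token_adjust" and ev["privilege"] == "SeDebugPrivilege":
            debug_pids.add(pid)
        elif kind == "file_write" and ev["path"].lower().endswith(SOURCE_EXTS):
            # Only a write by a debug-privileged, non-build process during an
            # active build of the project matches the SUNSPOT pattern.
            if active_builds and pid in debug_pids and image not in TRUSTED_EDITORS:
                findings[pid].append(
                    f"t={ev['t']}: {ev['image']} wrote {ev['path']} "
                    f"while MSBuild was compiling {project_marker}")
    return dict(findings)
```

On the sample data only the write at t=3 is flagged: the IDE's write is from a trusted process, and the write at t=6 happens after the build has finished.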
Once Orion has been installed on a customer’s machine, the SUNBURST malware sleeps on the victim computer for several days. SUNBURST also looks for processes belonging to well-known security software, such as virus scanners and network anomaly detection tools, and attempts to shut down any security software it recognizes.
Related: CISA advisory and remediation