In this blog, Cyber Incident Response Manager Mark Cunningham-Dickie gives his views and advice on the supply chain compromise of organisations via the system and network management tool, the SolarWinds Orion suite.

Background

Last week it came to light that FireEye, a giant in the world of Cyber Security and SBRC Cyber Incident Response Partner, had been compromised and some of their custom hacking tools had been stolen.

There are a few points to make about this story and how it has developed. First of all, it goes to show that anyone is susceptible.

FireEye had not been lax in their own security; it was a complicated compromise that used never-before-seen Tactics, Techniques and Procedures (TTPs).

Mandiant/FireEye have done exactly the right thing by being open and honest about their compromise, and have even gone as far as providing Indicators of Compromise (IoCs) for their custom tools, as well as for their compromise, so that others can check to see if the same TTPs have been leveraged against them.

It highlights the importance of the forensic aspect of Cyber Incident Response. In presentations that I have given on the subject, I accept that although Incident Response and Digital Forensics (often referred to as DFIR) go hand in hand, the two have competing priorities. Digital Forensics can take time, but Incident Response is about going through the process to recover an organisation to an operational state. As a result, the two often conflict, and sadly because of financial or reputational interests, recovery often takes precedence over digital forensics and investigation.

The compromise

Fortunately, FireEye continued to investigate while also having the capacity to recover. Their investigation identified that the route in for the compromise was a supply chain attack against a very popular and capable system and network management tool called SolarWinds.

This is massive because SolarWinds is used by companies big and small, as well as government and Critical National Infrastructure (CNI) organisations. It acts as the eyes and ears of systems and networks, and allows for remote configuration, backup and patching of systems and devices on the network.

What to do

FireEye have provided the Indicators of Compromise (IoCs) (Source: FireEye’s GitHub) to allow others to check to see if they have been compromised. SolarWinds have provided an update and an advisory (Source: SolarWinds), though (at the time of writing) it is unclear if the method used to compromise them has been fully identified and closed off. They are certainly expecting to release further updates in the coming days. Many of the vulnerability assessment tool companies out there have provided plugin updates to their products to identify if you have been compromised.

If you are unsure whether you are affected and you use the SolarWinds Orion suite, your best course of action is to isolate the SolarWinds server, either by disconnecting it from the network (virtual or physical) or by shutting it down completely.

I would not normally advocate the latter option, as you lose data from memory; however, in this instance, as so many companies and organisations are going to be affected, there are not enough Cyber Security Professionals or Digital Forensic Investigators/Analysts to go around, and we’re still in the isolation phase.

Check firewalls and proxies

Start checking your firewalls and proxies for traffic going to any of the domains or IP addresses in FireEye’s published IoC list.

If you see any of these entries in your historic logs, I’m afraid they are indicators of compromise. If you have the capability, deny-list those sites to prevent further loss or compromise, and start trying to establish how much, and what, data has been exfiltrated from your organisation.
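As an added example (not code from the post or from FireEye), here is a small Python script that scans proxy-style access logs for traffic to the published indicators. The Squid-like log layout and the log lines are constructed, and the indicator subset is copied from the list above; a real run would load the full IoC feed. It matches subdomains on a label boundary, so the per-victim beacon hostnames under avsvmcloud.com are caught without flagging unrelated look-alike hosts.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Indicators copied from the post's list (defanged with "[.]"). A real run
# would load FireEye's full published IoC set instead of this small subset.
IOC_DOMAINS = {"avsvmcloud[.]com", "deftsecurity[.]com", "thedoccloud[.]com"}
IOC_IPS = {"13.59.205.66", "5.252.177.25"}

# Squid-style access.log: <epoch> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def refang(indicator: str) -> str:
    # "example[.]com" -> "example.com", normalised for comparison
    return indicator.replace("[.]", ".").lower().rstrip(".")

def matched_domain(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None.
    Suffix matching on a label boundary catches <random>.appsync-api.<region>.avsvmcloud.com
    beacons without also flagging an unrelated host such as notavsvmcloud.com."""
    host = host.lower().rstrip(".")
    for d in map(refang, ioc_domains):
        if host == d or host.endswith("." + d):
            return d
    return None

def find_ioc_hits(log_text: str, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (timestamp, client, destination host, matched indicator) per hit line."""
    ips = {refang(i) for i in ioc_ips}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = m["url"]
        if "://" not in url:          # CONNECT lines carry a bare host:port
            url = "//" + url
        host = (urlsplit(url).hostname or "").lower()
        if host in ips:
            hits.append((m["ts"], m["client"], host, host))
        elif (d := matched_domain(host, ioc_domains)):
            hits.append((m["ts"], m["client"], host, d))
    return hits

# Constructed sample log (not real traffic); only lines 2, 3 and 5 should hit.
SAMPLE_LOG = """\
1607900001.123 45 10.0.4.15 TCP_MISS/200 512 GET https://updates.corp.example/x -
1607900002.456 80 10.0.4.15 TCP_MISS/200 1024 GET https://gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com/ -
1607900003.789 30 10.0.4.22 TCP_MISS/200 256 GET http://13.59.205.66/files -
1607900004.000 20 10.0.4.22 TCP_MISS/200 256 GET https://notavsvmcloud.com/ -
1607900005.000 60 10.0.4.30 TCP_TUNNEL/200 4096 CONNECT thedoccloud.com:443 -
"""
```

Calling find_ioc_hits(SAMPLE_LOG) returns the three matching lines with the client address and the indicator each one matched, which is the starting point for working out which hosts and accounts need investigating.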

Unfortunately, identifying who/which accounts accessed the sites is not going to be enough. The malware elevates its permissions within an organisation and uses a global admin account or trusted SAML token to impersonate any member of the organisation. Microsoft have posted guidance and advice regarding the compromise, including suitable actions to take, though it mostly relates to ongoing detection and monitoring for anomalous behaviour.

Perform firmware integrity checks across your systems: these are Nation State level threat actors, and there has been increased targeting of firmware (specifically UEFI). This, combined with the level of privilege that the threat actors have gained, allows them a level of persistence across systems even if they are re-installed, so check and update firmware as well as patching systems up to date.

If you have the capacity or capability, implement or increase monitoring across your IT/IS estate. If you don’t know where to begin, user account behaviour is the best place to start, for example: unusual access or logins to systems or services, times of access, etc.

Wherever possible, implement multi-factor authentication and increase auditing on accounts that cannot make use of it.

Who is affected

Anyone who utilises an affected version of SolarWinds has potentially been compromised. The extent will depend on your environment and setup.

Final note

The IoCs above are not exhaustive. They will be updated as more analysis is done. Advice may change the more we learn about this.

If you have any concerns or need assistance, the Free SBRC Cyber Incident Response number is 01786 437472.

Resources

Below is a list of resources which may be of use: