Cyber Incident Response Manager, Mark Cunningham-Dickie, looks at remediation for affected organisations following the SolarWinds Orion breach.
What’s in a name? Indicators of compromise, apparently.
The recent SolarWinds Orion compromise has left many organisations feeling vulnerable. The level of access that the threat actors have achieved, together with their methods and capabilities for moving within a network and spoofing accounts in order to evade detection, makes it difficult to establish what has been compromised, to what extent, and what has been lost as a result.
While each organisation will have been affected in a different way, there are some key components to help confirm compromise and the extent of it. The key to this is going to lie in the methods and sources that an organisation uses to perform external DNS name resolution.
Over the last few days several individuals, institutions and organisations have provided tools which reverse engineer the encoding that the attackers used to identify the devices and domains they have compromised.
By looking at the historical records from the sources of external name resolutions, it is possible to identify the domains and, in some cases, devices that have been trying to contact the command and control servers.
One tool that I have used (there are now several available) to test this and review lists of compromised domains can be found here.
Though it is worth noting that I removed the last three lines and viewed the files directly, and modified the sources in the .bat file to match those of the DNS databases that I pulled.
There are many raw and parsed DNS databases already available online. However, of the ones I have found, most refer to the resolutions of “appsync-api.us-…” as opposed to the “appsync-api.eu…” entries, which separate the compromised US networks from the compromised EU networks.
Therefore, if you have been compromised by the SolarWinds Orion malware, reviewing your DNS sources using the method above may help you establish the hosts and extent of your compromise.
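As an added example (not code from the original post or any of the tools it links to), the following Python sweep runs over resolver or passive-DNS records looking for the “appsync-api.<region>” lookups described above, reports which internal hosts made them, and keeps the US and EU entries apart. The log format, client addresses, DGA labels and the parent domain c2-parent.invalid are all constructed placeholders; the real parent domain comes from your own threat-intelligence source.

```python
import re
from collections import defaultdict

# Added example: scan DNS records for lookups of "appsync-api.<region>." C2
# hostnames and report which internal hosts made them, split by region.
# The parent domain is a constructed placeholder, not an indicator from the
# post; substitute the value from your own threat-intelligence source.
C2_PARENT = "c2-parent.invalid"
C2_RE = re.compile(
    r"^(?P<dga>[a-z0-9]{10,})\.appsync-api\.(?P<region>(?:us|eu)-[a-z0-9-]+)\."
    + re.escape(C2_PARENT) + r"\.?$"
)

# Constructed sample log: "<timestamp> <client_ip> <query_name> <qtype>".
# DGA labels and addresses are made up for the example.
SAMPLE_LOG = """\
2020-12-14T09:12:01Z 10.20.1.15 abc123examplelabel0a.appsync-api.eu-west-1.c2-parent.invalid A
2020-12-14T09:12:07Z 10.20.1.15 ABC123EXAMPLELABEL0A.appsync-api.eu-west-1.c2-parent.invalid. A
2020-12-14T09:15:44Z 10.20.3.7 xyz789examplelabel1b.appsync-api.us-west-2.c2-parent.invalid A
2020-12-14T09:16:02Z 10.20.1.15 updates.example.com A
malformed line
2020-12-14T09:20:13Z 10.20.4.9 mail.example.com MX
"""


def find_c2_lookups(log_text):
    """Return {client_ip: {region: [dga labels]}} for queries matching C2_RE."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed records rather than abort the sweep
        _ts, client, qname, _qtype = fields[:4]
        m = C2_RE.match(qname.lower())  # case-insensitive, trailing dot tolerated
        if m:
            hits[client][m.group("region")].add(m.group("dga"))
    return {c: {r: sorted(s) for r, s in regs.items()} for c, regs in hits.items()}


def hosts_by_region(hits):
    """Invert the result: which internal hosts resolved US vs EU C2 names."""
    by_region = defaultdict(set)
    for client, regs in hits.items():
        for region in regs:
            by_region[region].add(client)
    return {r: sorted(c) for r, c in by_region.items()}


if __name__ == "__main__":
    found = find_c2_lookups(SAMPLE_LOG)
    for client, regs in sorted(found.items()):
        print(client, {r: len(labels) for r, labels in regs.items()})
    print(hosts_by_region(found))
```

Every client that appears in the output is a host to triage, and the distinct DGA labels per host are what the decoding tools mentioned above consume.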
Any accounts that have been used to access these devices should be considered compromised and actions that those accounts have performed should be reviewed to determine if additional backdoors have been created as a method or vector for later compromise.
Further useful resources on the subject can be found at:
Method of dumping passwords stored in SolarWinds:
This is also a great overview of the sectors affected and a topographical overlay of the scale and location of compromised organisations:
Original blog posts on the subject: