Tom here from Lawrence Systems. It is December 14th, a little after 9 a.m. Eastern Standard Time, and the time matters because this is what we know right now about the SolarWinds compromise. Specifically, we're going to start with what got compromised, because I think we need to get that out of the way: yes, I do use SolarWinds, but no, I don't use this particular product. "One platform to rule your IT stack" is a great slogan and maybe what attracted these threat actors, even more so the fact that this particular tool, the SolarWinds Orion platform, is prolific. It is used by governments. It is used by, well, most of the companies in the Fortune 1000 list probably have this running. I believe I've seen somewhere that 400 out of the 500 Fortune 1000 companies have said they run it. They've got a really extensive, big customer base. It is actually a really good product. That's also what makes it a really big target. Now, as I stated, to our knowledge, and as of the time I stated here, we know that this was compromised. That's a fact right now. There are no absolutes in anything, but to our knowledge, there has been no attack on the SolarWinds MSP tool. That is a separate stack, a separate tool. Even though, yes, SolarWinds is a massive company with lots of employees, it doesn't mean that if you got into one spot, you got into all the spots. Also, what the attackers were after gives us a little bit of an idea of whether they're just trying to be some ransomware gang and deploy this, or whether they're trying to be someone who performs espionage. More along those lines is what we're thinking here, because they did a lot to hide the fact that they did anything. As a matter of fact, this was kept quiet for so long: the compromise appears to have happened all the way back in March 2020, and we're only finding out about it now in December. They've done everything they can, these threat actors, to keep this under wraps.
Now they're burned, and now everyone's reversing it, figuring out where this attack occurred, going through logs, finding out all of this stuff, and that's what we're going to dive into: what this attack is. As I stated, it does not appear to be anything related to SolarWinds MSP. It is very focused, because SolarWinds actually has a large array of products. It is very focused on one specific product. As a matter of fact, it is a very niche compromise inside that product that is very careful about the targets it chooses. Let's dive into this. FireEye has an absolutely solid and detailed write-up, so that's a great place to start here, not any of the news that, well, doesn't always understand technology. The people at FireEye get it, and yes, I'm aware they got hit a few days ago, but that doesn't mean that they don't still do really top-notch research, despite the fact that they themselves were the subject of a cybersecurity incident. They're also a big company. They do really good intel work. Therefore, they've got a big target on their back as well. It doesn't compromise the fact that their research is a really solid write-up here. "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor." I like the name Sunburst, playing on the SolarWinds. They have an executive summary. "We have discovered a global intrusion campaign. We are tracking the actors behind the campaign as UNC2452." When you don't know attribution, a name and numbers are assigned, and now all the fun of attribution starts. I say "fun" because it is very speculative in the beginning. You have to look at what they're after, where they came from, how they obscured things, maybe some code signatures, and it's not an easy thing.
That doesn't mean InfoSec Twitter is not having a great time speculating and pointing fingers and posting memes, and I'll admit to participating in that, but we're going to stay with the facts over here at FireEye, and we're going to list Microsoft as a source as well. "FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST." Now, specifically, this was in the updates. We don't know that they got inside of and compromised, let's say, an employee at SolarWinds. We don't know if they compromised an employee's computer and injected things in there. There's a lot of speculation around that, and it's not going to come out right away exactly what happened. It's going to take some time, some investigation. They're going to be very, very thorough, because you really don't want to blame an employee for a global attack when maybe just their computer was compromised, maybe something happened with an individual, but obviously supply chain attacks are really tough to do and really tough to defend against as well. And what I mean by that is any well-funded threat actor can actually just buy off employees. Not everyone has high standards of morals, and it's not as easy as people might think, but if you have a disgruntled person there, yeah, that's obviously a potential. We've seen this happen at Tesla earlier this year, when a million-dollar bounty was offered to someone inside to compromise Tesla's systems, and they even gave them a $10,000 deposit. Now, the good news is we know about this because the person also contacted authorities and busted the threat actor trying to recruit them for espionage, but these attacks are real. They happen, and sometimes we don't know when they happen: someone just exfiltrated data and it was espionage, because it wasn't used for an attack, so it happens quietly when you don't even know.
This is actually crazy because it happened, like I said, all the way back in March of 2020, and here we are in December just now talking about it. Now all the updates and signatures are out, so if you haven't updated, go update, and your security tool stacks should be finding all these as well. Now let's dive into a little bit of what this does and why it was so hard to detect, because a lot of people are wondering why it was so hard, and we'll dive into it. There's actually a lot of trickiness, because they did a lot to evade any type of detection. FireEye "uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software. The campaign may have begun as early as spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security," as in they don't know who these people are, and it's really crazy how much obscurity there is. We'll get into that in a second, but for the backdoor itself, you're wondering why, why didn't the antivirus companies just pick up some change in a file? And this is the answer right here: the digital signature. The digital signature is okay. That is not what you want to hear when you know something has a known vulnerability and a known compromise, a trojan backdoor. So this right here is the fact that they stole access. They were able to get signing, so they could sign the code that was malicious as if it was from SolarWinds. This is why it's referred to as a supply chain attack, because that trust from the SolarWinds cert came down and you go, I can just trust it.
It's from SolarWinds, a company that, well, we didn't know was compromised, and this is actually true for all the different signing certificates. As a matter of fact, there have been other times when people have worked really hard to get these signing certificates, and there have been some compromises, when someone figured out a way to fool it before in Microsoft a while back, and that's why that was such a serious vulnerability itself. So once it's been signed, that kind of puts it to rest, whatever code is in there, because it's closed source and we don't really know what it's doing. We can only look at its behavior, but that's not a reason to flag it. We said, they signed it. They are a trusted source. Therefore, we'll trust them. This is the same reason you let employees in. They're trusted. You let them in. You don't let the general public wander around in your network. Same thing. It's kind of the same concept. Now, let's get in depth on the malware analysis. "SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds-signed plugin component of the Orion software framework that contains an obfuscated backdoor with communications via HTTP to third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs', that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor's behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the SolarWinds Orion Improvement Program protocol and storing reconnaissance results within the plugin configuration. The backdoor uses multiple blocklists to identify forensic and antivirus tools via processes, services, and drivers." Now, that's something really to think about here, because the question will become, well, don't people monitor the perimeter, what they refer to as the north-south of all the ingress and egress traffic, and look for some weird domain being used? Not so easy.
One, the volume of information is absolutely incredible. Now, as soon as someone finds out a C2, a control server, is compromised or is bad, like we know that this is a bad IP address where data goes, or a bad domain name where bad data goes, oh yeah, that gets on the list. But what if you don't know? What if this tool, one, sits for two weeks without doing a thing? So if you want to even play with this right now, if you want to download it and load it on your computer, it sits for two weeks without doing anything. So that's going to make it kind of hard. There are timers on it. It looks for other antivirus tools. It probably has a lot of anti-sandbox detection tools. And this is what we're seeing in really advanced malware, where it determines if it's in any researcher's lab or if it's actually on an important network where it wants to do its thing. Therefore, it's hiding, and really hiding well, where unless we have a signature to identify it, it's just a normal DLL file, and actually, because that DLL file still does its normal things, there's no reason to think it's compromised. This is a really skilled threat actor to be able to do this. This is like checking a lot of boxes. And when someone may wonder why it did HTTP traffic, well, some monitoring systems just really simply send out HTTP traffic because it looks less suspicious, because there's no signing cert. It just sends out some data and it looks like some type of analytics data. And we know our tools send a lot of analytics data. Sometimes they have to send analytics data. Before all of you say, well, shouldn't you turn off all analytics data sent by these tools? No, this is still part of the tool improvement program. And obscuring it, kind of flowing in the same stream as that, is a pretty good way to hide it. And also why this took so long to do. So the domain name generation algorithm is performed by DNS requests.
CNAME responses point to the C2 domain for the malware to connect to, and the IP block of the A record response controls the malware's behavior. Command-and-control traffic masquerades as the legitimate Orion Improvement Program, and the code hides in plain sight by using fake variable names and tying into legitimate components. That's just sending out data that even looks like SolarWinds Orion data. So if you did some traffic inspection, yeah, that's just some analytics data, just like the other analytics data that came out of the same tool, the same program. This is really, wow. I mean, that's really interesting. Now, one thing I did dive into a little bit here, and this is a graph I created over at VirusTotal. I'll leave a link to this as well. Here is the root node where we started, with avsvmcloud. And what these are is things like relations to historical things, such as WHOIS over here. So here's the WHOIS; WHOIS says this was actually registered 2018-07-25. So we're talking July of 2018 as the registration, and each one of these represents registration updates, which include registration updates all the way to here. Now, if you look at the admin email, Domains By Proxy, it seems to indicate obviously they obscured everything. This isn't their email address. But if I'm not mistaken, they create a unique one for each. So these are different times when things were changed and moved for this particular domain. So this takes a lot of careful planning. This is an attack that's been going on for years, with little grains of sand built up to where we are today. And I'll leave a link, as I said; you can go through and see some of the different IP addresses it pointed to historically, some of the different places. And if you're wondering, yes, it did happen to connect to Microsoft Corporation based on this. And I don't have the full history. This is something Microsoft has to answer. They probably moved it around between different servers.
And there's no reason not to host something like this in one of those major cloud companies, because, well, that's how you obscure it. It's going to normal places that you expect data to flow to, because lots of people run workloads inside of Azure. And it's creating different DNS entries. And that's what these are here, the different DNS entries that were created. My guess is each one of these probably had a relation, from the threat actor's standpoint, to the different compromised places and the way they wanted to dig into information on them. Let's go back over to the write-up. Now, the delivery and installation was through an update. That's important, because when it would pull this update, it would grab that file, the one we talked about here. "Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds' website. The update package CORE-2019," etc. And that's how they got on there. And then the initialization and execution of the malicious SolarWinds code. And then the sample only executes if the filesystem write time of the assembly is at least 12 to 14 days old; like I said, it just sits there for two weeks. Then we scroll down to the DGA, the blocklist, the command and control, the steganography. This is where things get obscure, because this is where FireEye did a great job of listing this out. "In observed traffic, these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and hex strings present." Basically, they're sending regular data and then they're hiding a few things. This is the debrief of what they reverse engineered, of what each of these do, from the command and control server. So you're hiding a bunch of data and then, you know, dropping a little bit of commands back and forth in there.
So it looks like completely benign things with a few extras, and who has not looked at something in your XML data and gone, you know, there might be something extra in here. And I don't know, I understand this part of the XML, but I don't know, the developer clearly had some other piece in here. And that other piece turned out to be the command and control. And they break down some of the other pieces, acknowledgements, and those details. Now let's go over to Microsoft, and I mentioned their write-up. What did they actually go after? And this is where things got a little bit scary, because they were using SAML. And for those of you that don't know what SAML is, really briefly: Security Assertion Markup Language tokens, an XML representation of claims. It's a way to mint security and then build trust around that. So it takes high levels of privilege to do this. People of high-level privilege run Orion. Therefore they mint a SAML token, and then they build these tokens and then set those expiration dates for people to have access to other things. This includes forging a token that claims to represent a highly privileged account in Azure AD. This is where things get really scary, because it's not like they're just taking over locally. They're also moving into any of the cloud workloads that these places have that have been compromised with Orion. So this is really in-depth building of long-term access, and it gets a little bit harder because how are you going to know what happened? If you suddenly find a new user, you're like, oh, there's a new user. I wonder who did that? We start logging it, but if we don't understand the source of that user, you could remove that user and then that user shows up again after some period of time, or a new one, and that becomes a really confusing part of the way this is done, because if you didn't know the SolarWinds tool was compromised, you're not sure where that happened.
So there are all these little suspicious things, and this is really a challenge to find, and this is why this was so hard to validate. And of course they have recommended defenses. They have an update. Same thing that you have for the write-ups, and the same SolarWinds compromises are listed here on Microsoft that were listed over on FireEye. Now, another thing I will point out, which is right here, and this was nine hours ago, as I said, time is of the essence: this was only one engine detecting it on VirusTotal, and let's refresh the page. Now we're at 22 engines detecting it as of right now, at 9:45 a.m. EST. So it is making the rounds, making the news; all the antivirus engines are getting updated very quickly to look for this, to find this. There are going to be tons of people digging through their logs. I know a few people that are SOC analysts, as in security operations centers, and these places keep massive amounts of logs and are going to go and look back through them and determine where all these things were: did we have any lookups in there, did we not know, were we part of this compromise? It's a pretty big deal, and it really shakes the heart of the IT industry when a product of the scale and scope of SolarWinds Orion, that is used, as I said at the beginning, in many, many companies, gets compromised. So I plan to do more videos on this, or at least tweet about it, and more updates if we learn something new that is of value. But as I stated, kind of a summary: we don't know of any of the SolarWinds MSP tools that I use being compromised; just the fact that SolarWinds at all had an issue of course gets my ears going, going, what? You know what, let's dig into this. I feel pretty confident that they have a good team internally and that this was such a high-level actor. It's not like it was just some kid compromising it.
It seems very unlikely at this point right now, especially at the layers that they did this, the levels of obfuscation, how difficult this attack probably was to pull off, and that they've done everything they can to really, really make it hard to detect the infection. Now, exactly how they were discovered: someone actually asked me that. I don't know that for certain right now. I think that'd be interesting, but FireEye certainly has some really deep insight, and it takes some really talented threat researchers, and trust me, the community, I've been talking with some of them sincerely this morning, people like Kyle, whose tweet I had shared over here, Kyle over at Huntress Labs. Trust me, all the big names in security, all of them are working together against this threat actor, whoever they might be. The teams are in full force, and people way smarter than me are working and digging into this and tweeting it. So follow Kyle, follow, you know, some of these hashtags; you'll find some more information. It's going to be interesting, and thanks. I'll leave links to everything I talked about, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.
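Editor's added example, not part of the video and not FireEye's or SolarWinds' code. The video describes the SUNBURST domain generation algorithm producing DNS lookups under avsvmcloud.com, and SOC analysts going back through their DNS logs to see whether they "had any lookups in there." The script below is the kind of log hunt that describes: it scans DNS query logs for lookups of that DGA parent domain and groups the hits by the host that asked. The parent domain and the appsync-api.<region> label structure follow FireEye's write-up; the log format, hostnames, timestamps and the leftmost (victim-encoding) labels are constructed for the example and are not real indicators.

```python
import re
from collections import defaultdict

# SUNBURST's DGA generated subdomains under avsvmcloud.com (per the FireEye
# write-up the video walks through). The regional appsync-api.<region> labels
# also follow FireEye's description; everything else in this file is constructed.
DGA_PARENT = "avsvmcloud.com"

# Constructed sample DNS query log: timestamp, querying host, query type, name.
# The leftmost labels are made-up stand-ins for the victim-encoding label, not
# real observed indicators.
SAMPLE_DNS_LOG = """\
2020-03-20T09:14:02Z orion-srv01 A 02m6hcopd17ff4ebd42dd8.appsync-api.eu-west-1.avsvmcloud.com
2020-03-20T09:14:05Z orion-srv01 A downloads.solarwinds.com
2020-03-20T09:21:44Z ws-1042 A www.microsoft.com
2020-03-21T11:02:10Z orion-srv01 A k9gr81bbi7fl0c4zrr41.appsync-api.us-east-2.avsvmcloud.com
2020-03-21T11:05:00Z orion-srv02 A 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-03-21T11:06:00Z ws-2210 A notavsvmcloud.com
"""

# Four whitespace-separated fields; anything else is treated as malformed.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def is_dga_query(qname: str) -> bool:
    """True if qname is the DGA parent domain or any subdomain of it.

    The dot-prefixed suffix check is deliberate: a bare endswith() would also
    match look-alikes such as 'notavsvmcloud.com'.
    """
    name = qname.rstrip(".").lower()
    return name == DGA_PARENT or name.endswith("." + DGA_PARENT)


def victim_label(qname: str) -> str:
    """Return the leftmost label, the part of the name the DGA varies per victim."""
    return qname.rstrip(".").lower().split(".")[0]


def find_sunburst_lookups(log_text: str) -> dict:
    """Group DGA lookups by querying host: {host: [(timestamp, label), ...]}.

    Hosts with no hits are absent from the result, so an empty dict means the
    log contained no avsvmcloud.com lookups at all.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        if is_dga_query(m["qname"]):
            hits[m["host"]].append((m["ts"], victim_label(m["qname"])))
    return dict(hits)


if __name__ == "__main__":
    for host, lookups in sorted(find_sunburst_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(lookups)} DGA lookup(s)")
        for ts, label in lookups:
            print(f"  {ts}  {label}")
```

On real data you would feed this the resolver or DNS-server query log (for example, a dump from the internal resolver or Windows DNS debug logging) after normalizing it to the four-field format, and treat any host that shows up as a candidate for the Orion-server investigation described in the write-ups. Because the dormancy timer means the first lookup can be two weeks after the update was installed, search the whole retention window rather than just the days around the update.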