Атака на цепочку поставок SolarWinds Orion: C2, смягчение последствий и рекомендации экспертов

Руководство по проблеме солнечного ветра см. DHS , SolarWinds , FireEYE , MSRC , and Microsoft

Опытные пользователи, см. FireEYE Countermeasures Repo по этому вопросу.

У SANS есть хорошее видео на эту тему here

Исполняемые файлы: #

Рассматриваемая DLLSolarWinds.Orion.Core.BusinessLayer.dll and was signed as a ligitimate part of the SolarWinds suite, bypassing application control technologies. It is installed as a service.

The malicious code was injected into a legitimate DLL and is loaded into memory when the application runs. The code runs before the legitimate code. According to Microsoft, the code is activated when SolarWinds.BusinessLayerHost.exe executable runs, but may the following may also load it:

• ConfigurationWizard.exe
• NetflowDatabaseMaintenance.exe
• NetFlowService.exe
• SolarWinds.Administration.exe
• SolarWinds.BusinessLayerHost.exe
• SolarWinds.Collector.Service.exe
• SolarwindsDiagnostics.exe

Network information: #

General Ranges:

• DNS CNAMEs for C2:
  • .appsync-api.eu-west-1[.]avsvmcloud[.]com
  • .appsync-api.us-west-2[.]avsvmcloud[.]com
  • .appsync-api.us-east-1[.]avsvmcloud[.]com
  • .appsync-api.us-east-2[.]avsvmcloud[.]com
• IP Ranges for C2:
  • 20.140.0.0/15
  • 96.31.172.0/24
  • 131.228.12.0/22
  • 144.86.226.0/24

Specifically Identified:

• DNS Names associated with C2:
  • 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com
  • 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com
  • gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com
  • ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com
  • k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com
  • mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com
• IPs assosciated with C2:
  • 13.59.205.66
  • 54.193.127.66
  • 54.215.192.52
  • 34.203.203.23
  • 139.99.115.204
  • 5.252.177.25
  • 5.252.177.21
  • 204.188.205.176
  • 51.89.125.18
  • 167.114.213.199

DLL Locations : #

• C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\Solarwinds\Network Topology Mapper\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\Solarwinds\Network Topology Mapper\Service\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\DPI\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\NCM\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\Interfaces.Discovery\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\DPA\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\HardwareHealth\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\Interfaces\SolarWinds.Orion.Core.BusinessLayer.dl
• C:\Program Files (x86)\SolarWinds\Orion\NetFlowTrafficAnalysis\SolarWinds.Orion.Core.BusinessLayer.dll
• C:\Program Files (x86)\SolarWinds\Orion\NPM\SolarWinds.Orion.Core.BusinessLayer.dll

## Microsoft Malicious DLL Table: - See the GitHub Repository for more info

## FireEYE Indicator Table: - See the GitHub Repository for more info

## Sites Known to Be Hit By SunBurst/SolarFlare:

• https://github.com/RedDrip7/SunBurst_DGA_Decode
• https://pastebin.com/raw/6NukuxBN