General IT

SolarWinds Sunburst Detection and Response to Indicators of Compromise

This post will be brief and to the point, but I wanted to share some resources that I found helpful when learning how to respond to this incident.

Table of Contents:

  • FireEye’s Blog
  • FireEye’s Detection Opportunities
  • FireEye’s Github Resources
  • Sophos Github Resources
  • Implementing Detection and Firewall Rules

FireEye’s Blog

Reviewing FireEye’s blog post on this topic is critical to understanding the behavior of the threat actors.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Key Takeaways for Response:

Detection Opportunity

“The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders — querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP Scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.”

Detection Opportunity

“This also presents some detection opportunities, as geolocating IP addresses used for remote access may show an impossible rate of travel if a compromised account is being used by the legitimate user and the attacker from disparate IP addresses. The attacker used multiple IP addresses per VPS provider, so once a malicious login from an unusual ASN is identified, looking at all logins from that ASN can help detect additional malicious activity. This can be done alongside baselining and normalization of ASN’s used for legitimate remote access to help identify suspicious activity.”

Detection Opportunity

“Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. This will uncover any single system authenticating to multiple systems with multiple accounts, a relatively uncommon occurrence during normal business operations.”

Detection Opportunity

“Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time. Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.”

Leverage their GitHub Page

FireEye has released some awesome SIEM rules that you can implement to detect IoC’s.
https://github.com/fireeye/sunburst_countermeasures


Sophos Indicators of Compromise

Sophos has also compiled a Github repo that contains a list of known bad hashes, IP addresses, and domains.
https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv

Using the information above, I would recommend implementing the following:

  • Configure firewall egress rules that block outbound connections to the known bad IP addresses and domain names.

General Blog, General IT, Windows Updates/Patches

Patching CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

As I’m sure you’ve heard, there were a handful of critical vulnerabilities announced in this week’s Patch Tuesday. Included in the list of vulnerabilities is a flaw within CryptoAPI that would allow an attacker to digitally sign malicious software updates as the legitimate creator of the software. While Microsoft lists this vulnerability with a severity level of Critical, an attacker would need to first insert themselves as a Man in The Middle to be able to intercept a device’s software update request and return back a digitally signed malicious executable.

Table of Contents
– Affected Operating Systems
– KB’s Needed to Patch Vulnerability

If you have the time, I’d highly recommend the below Webcast on this topic from the SANS Institute’s YouTube page. It goes above any beyond any level of detail I would be able to.


Affected Operating Systems

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019

Note: Windows 7 and older are NOT vulnerable. The Windows Update Service itself is NOT vulnerable.


Patching CVE-2020-0601

Microsoft’s official documentation on this topic can be found at the below link. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

The exact patch that you need depends on the exact OS Build of Windows 10 you’re running. Below is a list of the related KBs and which Operating System they patch. This list is current as of this blog’s posted date.

I recommend searching for your Build of Windows 10 by using Ctrl+F and typing the version (I.E 1909, 1903, etc.)


ArticleKB4528760
Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4528760
Operating System(s)Windows Server, version 1903 (Server Core installation)
 Windows Server, version 1909 (Server Core installation)
 Windows 10 Version 1903 for 32-bit Systems
 Windows 10 Version 1903 for ARM64-based Systems
 Windows 10 Version 1903 for x64-based Systems
 Windows 10 Version 1909 for 32-bit Systems
 Windows 10 Version 1909 for ARM64-based Systems
 Windows 10 Version 1909 for x64-based Systems

ArticleKB4534273
Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534273
Operating System(s)Windows Server 2019
 Windows Server 2019 (Server Core installation)
 Windows 10 Version 1809 for 32-bit Systems
 Windows 10 Version 1809 for ARM64-based Systems
 Windows 10 Version 1809 for x64-based Systems

ArticleKB4534293 
Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534293
Operating System(s)Windows Server 2016, version 1803 (Server Core Installation)
 Windows 10 Version 1803 for 32-bit Systems
 Windows 10 Version 1803 for ARM64-based Systems
 Windows 10 Version 1803 for x64-based Systems

ArticleKB4534276 
Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534276
Operating System(s)Windows 10 Version 1709 for 32-bit Systems
 Windows 10 Version 1709 for ARM64-based Systems
 Windows 10 Version 1709 for x64-based Systems

ArticleKB4534271 
Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534271
Affected O/SWindows Server 2016
 Windows Server 2016 (Server Core installation)
 Windows 10 Version 1607 for 32-bit Systems
 Windows 10 Version 1607 for x64-based Systems