On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distribute a malware named SUNBURST, and then used this foothold in the organization to contact their Command & Control (C&C) infrastructure, move laterally using different legitimate credentials, and steal data from the network.
Not long after the attack, it was uncovered that this was a global campaign that affected both private and public high-value entities in North America, Europe, Asia, and the Middle East, including the US Treasury and Commerce departments, along with other US government agencies. The overall attack has been nicknamed “Solorigate” by Microsoft.
SolarWinds Orion software is quite popular: it is estimated that 425 of the US Fortune 500 companies use SolarWinds software to monitor their networks. Although not all versions of the SolarWinds Orion product are affected (only the versions released between March and May 2020), 18,000 of its more than 300,000 customers may have installed a software patch enabling the attack. It is still too early to know how many systems were actually hacked.
Fortunately, a hotfix has already been released to patch the affected systems. Network admins in every company need to quickly identify these servers, isolate them from the network, and patch them. Perhaps you work on a team that has purposefully built solutions by combining different tools to manage and secure your infrastructure. Defense in depth, anyone? Have you ever installed a “free trial” on a device or spun up a virtual machine (VM) for quick testing and then forgotten about it? Or did a previous network administrator ever deploy a server without really documenting it or letting leaders know it exists in the network? You cannot patch what you don't know exists in your network.
For further research, you can consult the following article:
Cisco® Secure Network Analytics (formerly Stealthwatch) and its software-as-a-service (SaaS) version, Secure Cloud Analytics (formerly Stealthwatch Cloud), can help you uncover rogue or forgotten servers in your network that, if left unmonitored, could leave an open doorway for attackers. SolarWinds Orion servers, like many Network Management Stations (NMS), monitor the health and performance of the network in real time, using a combination of tools and protocols. The most common approach is SNMP polling from the NMS to all infrastructure devices in your network. It is also typical to see SNMP notifications (traps) sent from these infrastructure devices to the NMS servers. It’s this behavior that we are going to target when looking for them on the network.
In Secure Network Analytics, perform a Top Host search with the following parameters:
Search Type: Top Host
Time Range: Last 30 Days
Subject Host Groups: Inside Hosts
Advanced Options Order By: Flows
Connection Port/Protocol: 161/udp; 162/udp
You will now see a report with all the servers that have been using SNMP during the last 30 days. Focus on the “Host bytes ratio” column. Hosts with 0% indicate that clients are trying to reach them but the devices are not answering (they could have been decommissioned already). Investigate all of the other servers, as they are potential SolarWinds Orion servers in your network.
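To make the search concrete, here is an added example (not code from the original post or from Cisco) that reproduces the same Top Host logic over a handful of constructed flow records: it keeps only 161/udp and 162/udp flows, aggregates per inside host, orders by flow count and computes the host bytes ratio (bytes the host sent divided by all bytes in its SNMP flows). It also counts distinct SNMP peers, which the report does not show but which separates an NMS polling many devices from a single polled device. The flow field layout, the 10.0.0.0/8 "Inside Hosts" range and the sample addresses are all assumptions.

```python
from collections import defaultdict
import ipaddress

SNMP_PORTS = {(161, "udp"), (162, "udp")}    # SNMP polling and notifications (traps)
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed "Inside Hosts" group

# Constructed sample flow records (not real telemetry):
# (client, server, server_port, proto, client_bytes, server_bytes)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.2.0.1", 161, "udp", 120, 900),  # NMS polls a switch
    ("10.1.1.5", "10.2.0.2", 161, "udp", 120, 880),
    ("10.1.1.5", "10.2.0.3", 161, "udp", 120, 0),    # polled device never answers
    ("10.2.0.1", "10.1.1.5", 162, "udp", 300, 0),    # trap from switch to NMS
    ("10.2.0.2", "10.1.1.5", 162, "udp", 280, 0),
    ("10.1.1.5", "10.2.0.1", 161, "udp", 120, 910),
    ("10.1.1.5", "10.9.9.9", 161, "udp", 120, 0),    # decommissioned host, no reply
    ("10.1.1.5", "10.9.9.9", 161, "udp", 120, 0),
    ("10.1.1.5", "8.8.8.8", 53, "udp", 60, 120),     # not SNMP, ignored by the search
]

def snmp_top_hosts(flows, inside=INSIDE):
    """Per-inside-host SNMP summary, ordered by flows like the Top Host report."""
    stats = defaultdict(lambda: {"flows": 0, "sent": 0, "total": 0, "peers": set()})
    for client, server, port, proto, cbytes, sbytes in flows:
        if (port, proto) not in SNMP_PORTS:
            continue
        # Both ends of the flow are subjects if they are inside hosts.
        for host, peer, sent in ((client, server, cbytes), (server, client, sbytes)):
            if ipaddress.ip_address(host) not in inside:
                continue
            s = stats[host]
            s["flows"] += 1
            s["sent"] += sent
            s["total"] += cbytes + sbytes
            s["peers"].add(peer)
    rows = []
    for host, s in stats.items():
        ratio = round(100 * s["sent"] / s["total"]) if s["total"] else 0
        rows.append({"host": host, "flows": s["flows"], "peers": len(s["peers"]),
                     "host_bytes_ratio": ratio,
                     "note": "unresponsive (0% host bytes)" if ratio == 0 else "investigate"})
    return sorted(rows, key=lambda r: r["flows"], reverse=True)

if __name__ == "__main__":
    for row in snmp_top_hosts(SAMPLE_FLOWS):
        print(row)
```

In the sample data the host with the most SNMP flows and the most distinct peers is the poller (the NMS candidate), while the two hosts at 0% are the ones the text suggests may already be decommissioned.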
Figure 1. Secure Network Analytics Top Hosts Search that uncovers top SNMP servers in your network.
In Secure Cloud Analytics, you can look for the following indicators on your network, related to SolarWinds Orion servers:
Once you have identified the mentioned alert or observation, you can investigate all the servers related to them, as they are potentially SolarWinds Orion servers.
Figure 2. Secure Cloud Analytics "New SNMP Sweep" alert can warn of the presence of SolarWinds Orion servers. It's enabled by default.
If you were able to find any compromised servers in the network using the above methods, it’s imperative that you patch them with the designated hotfix. After that, the next logical step is to assess if any malicious or suspicious activity has already been taking place in your network. There are a variety of common patterns that have been spotted in SUNBURST variants. If you were monitoring your network with Secure Network Analytics or Secure Cloud Analytics before the attack started, there should have been some signs of suspicious activity that would have surfaced in the form of alerts.
Both products are capable of detecting a range of suspicious activities that are commonly seen in an advanced cyber attack aimed at stealing data, such as C&C connections, lateral movement, and data exfiltration. As a result, you will be able to detect other global campaigns, even before they make the news and the IoCs are shared.
These are the alerts you should pay special attention to, in relation to the SolarWinds Orion compromise. You can search for them in your deployment in the last few months:
In your portal, review your alert priorities page to ensure you have the desired alerts enabled and appropriately prioritized. The alerts and observations below can help you identify a variety of tactics used by advanced attackers during this campaign.
Now that you have searched for and identified potentially compromised servers, and reviewed the detections that alert on malicious behavior in the network that might be associated with the attack, you can define a set of actions that will further protect your organization and also allow for automated response.
Additional actions in Secure Network Analytics:
After you have both host groups defined and all the relevant servers classified in one of those two groups, you can create a Custom Security Event (CSE) in order to alert on any traffic from your SolarWinds Orion servers that is not going to your already defined legitimate peers. Additionally, you can define an Identity Services Engine (ISE) Adaptive Network Control (ANC) policy in order to quarantine servers that are communicating with peers who are not allowed.
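The following is an added example (not code from the original post or from Cisco) that emulates the Custom Security Event described above: with the two host groups defined, any flow in which a SolarWinds Orion server communicates with a host outside the legitimate-peer group raises an event, and the Orion servers that raised events are the candidates an ISE ANC quarantine policy would act on. The host group membership, the 10.0.0.0/8 inside range and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed host groups (constructed). In the product these are defined as
# host groups; here they are plain sets of addresses and networks.
ORION_SERVERS = {ipaddress.ip_address("10.1.1.5")}
LEGITIMATE_PEERS = [ipaddress.ip_network(n) for n in (
    "10.2.0.0/16",   # monitored infrastructure devices (SNMP targets)
    "10.1.1.10/32",  # internal update/patch repository
    "10.1.1.20/32",  # directory/authentication server
)]
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed inside address space

# Constructed sample flows: (client, server, server_port, proto)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.2.0.1", 161, "udp"),      # SNMP poll to a switch: expected
    ("10.2.0.1", "10.1.1.5", 162, "udp"),      # trap back from the switch: expected
    ("10.1.1.5", "10.1.1.20", 389, "tcp"),     # LDAP to the directory server: expected
    ("10.1.1.5", "203.0.113.10", 443, "tcp"),  # unknown external peer: event
    ("10.1.1.5", "10.3.7.7", 445, "tcp"),      # SMB to an undocumented inside host: event
    ("10.4.0.9", "10.2.0.1", 161, "udp"),      # not an Orion server: out of scope
]

def in_peer_group(addr):
    """True if the address belongs to the legitimate-peer host group."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in LEGITIMATE_PEERS)

def custom_security_event(flows, orion=ORION_SERVERS):
    """Raise an event for every flow where an Orion server talks to a host that
    is neither another Orion server nor a legitimate peer, in either direction."""
    events = []
    for client, server, port, proto in flows:
        c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
        for subject, peer in ((c, s), (s, c)):
            if subject in orion and peer not in orion and not in_peer_group(peer):
                events.append({"subject": str(subject), "peer": str(peer),
                               "port": port, "proto": proto,
                               "scope": "inside" if peer in INSIDE else "outside"})
    return events

def quarantine_candidates(events):
    """Orion servers an ANC quarantine policy would isolate (the peer is not)."""
    return sorted({e["subject"] for e in events})

if __name__ == "__main__":
    evs = custom_security_event(SAMPLE_FLOWS)
    for e in evs:
        print(e)
    print("quarantine:", quarantine_candidates(evs))
```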
Figure 3. Adaptive Network Control (ANC) policies allow you to automatically quarantine SolarWinds servers that are communicating with non-legitimate servers.
In this article, we have shown how to look for compromised SolarWinds Orion servers that might be installed in the network but not documented. We have also reviewed which signs of compromise, in the form of alerts, you can look for in both Secure Network Analytics and Secure Cloud Analytics, as well as ways of responding to this threat and proactively protecting your network further in the event of other cyber attacks.