At a glance.
- Chinese threat actor exploited SolarWinds vulnerability.
- Second-stage backdoor possibly linked to SolarWinds campaign.
- Responses to the impact of Holiday Bear's SolarWinds compromise.
- Dependency confusion updates.
Chinese threat actor exploited SolarWinds vulnerability.
Secureworks describes cyberespionage activity by a suspected Chinese actor dubbed "SPIRAL." The actor exploited a vulnerability (CVE-2020-10148) in SolarWinds' Orion product to deploy its SUPERNOVA web shell. The researchers say this activity is unrelated to the Russian-linked Solorigate campaign that also made use of SolarWinds' Orion.
The SUPERNOVA web shell is a Trojanized version of a legitimate Orion DLL. The threat actor first executed a reconnaissance script before deploying the web shell, then obtained credentials from Windows' Local Security Authority Subsystem Service (LSASS). After this, the actor "mapped network shares on two hosts: a domain controller and a server that could provide access to sensitive business information."
Secureworks believes the group is based in China because the actor (apparently inadvertently) exposed a Chinese IP address when it downloaded an installer:
"A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China. The naming convention of this host was the same as another host used by the threat actor to connect to the network via a VPN connection. This ‘<Username>-PC’ naming convention is the default hostname for a Windows 7 host, but it is not the victim’s standard naming convention for hosts. CTU analysis suggests the threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure. The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the SPIRAL threat group operates out of China."
Second-stage backdoor possibly linked to SolarWinds campaign.
FireEye has identified a second-stage backdoor dubbed "SUNSHUTTLE" that the security firm thinks may be linked to the threat actor they track as UNC2452. UNC2452 has been associated with the SolarWinds supply chain exploitation, but FireEye stresses that its researchers "have not fully verified" a connection with SUNSHUTTLE.
The backdoor was "uploaded by a U.S.-based entity to a public malware repository in August 2020," and the researchers say the malware was observed at an entity that had been compromised by UNC2452. The researchers summarize, "SUNSHUTTLE is written in GO, and reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely uploading its configuration, file upload and download, and arbitrary command execution. Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if configured, can select referrers from a list of popular website URLs to help such network traffic 'blend in.'"
FireEye adds, "The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications. SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools."
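The "blend-in" referrer behaviour described above gives defenders a simple heuristic: a genuine Referer header follows an actual visit to the referring site, so a request that claims a popular site as its referrer from a client that never fetched that site deserves a second look. The following is an added example, not code from FireEye or Microsoft; the proxy log format, hostnames and the list of "popular" sites are constructed for illustration.

```python
"""Heuristic over constructed proxy log lines for referrer "blend-in" traffic.
Assumptions: log lines are 'time client host referer' (constructed format),
and POPULAR is a stand-in for a real category list of high-traffic sites."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): time client host referer
LOG = """\
09:00:01 10.1.1.5 www.google.com -
09:00:03 10.1.1.5 news.example.org https://www.google.com/
09:01:10 10.1.1.7 cdn-update.example.net https://www.bing.com/
09:02:00 10.1.1.7 cdn-update.example.net https://www.facebook.com/
09:03:00 10.1.1.9 www.facebook.com -
09:03:05 10.1.1.9 shop.example.com https://www.facebook.com/
"""

POPULAR = {"www.google.com", "www.bing.com", "www.facebook.com"}


def parse(log_text):
    """Split each log line into (time, client, host, referer-or-None)."""
    rows = []
    for line in log_text.splitlines():
        ts, client, host, referer = line.split()
        rows.append((ts, client, host, None if referer == "-" else referer))
    return rows


def suspicious_referers(log_text, popular=POPULAR):
    """Return (client, host, referer_host) for requests whose Referer names a
    popular site that the same client has not fetched earlier in the log."""
    seen = defaultdict(set)  # client -> hosts it has fetched so far
    flagged = []
    for _ts, client, host, referer in parse(log_text):
        if referer:
            ref_host = urlsplit(referer).hostname
            if ref_host in popular and ref_host not in seen[client]:
                flagged.append((client, host, ref_host))
        seen[client].add(host)
    return flagged


if __name__ == "__main__":
    for client, host, ref in suspicious_referers(LOG):
        print("%s -> %s claims referer %s without a prior visit" % (client, host, ref))
```

Only 10.1.1.7 is flagged: it cites bing.com and facebook.com as referrers for repeated requests to one host it never reached through either site.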
Microsoft (which tracks the Solorigate threat actor as "NOBELIUM") has published its own analysis of the backdoor, along with two other tools the company calls "GoldFinder" and "Sibot." The researchers say the malware was used from August to September 2020, though it may have been placed on systems in June 2020. Microsoft states, "These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions. These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence."
Responses to the impact of Holiday Bear's SolarWinds compromise.
DomainTools has conducted a survey of security professionals on the impacts of the SolarWinds breach, and found that 19% of respondents said their organizations "were directly impacted" by the campaign. Of these, 21% confirmed that they had actually been breached, while another 21% said an organization in their ecosystem had been breached.
47% of respondents said that due to the SolarWinds breach, they will now "require suppliers to follow our security standards and legally attest to that fact." Additionally, DomainTools found that, "Of existing relationships, slightly over forty percent are confident in their current vendor relationships and do not plan any active changes. This shows an understanding of the complexity of this event and that many feel the majority of security vendors are perfectly capable partners under most circumstances."
Dependency confusion updates.
Researchers at Sonatype say that bug-bounty hunters and others are uploading copycat packages to the npm repository following security researcher Alex Birsan's recent blog post on dependency confusion. Birsan found that many package managers, including npm, will default to installing publicly registered packages over private, custom-made ones, and Birsan successfully infiltrated many organizations by registering public packages with the same names as those used internally by the organizations. Birsan scored a number of bug bounties by demonstrating this vulnerability, and copycats have now registered over seven hundred packages attempting to replicate Birsan's success. While some of these copycats may only be after the bug bounties, Sonatype notes that many of the newly posted packages go too far to be considered ethical and some of them seem explicitly malicious:
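The resolution behaviour Birsan exploited (public registry wins over an unscoped internal name) can be checked for before a package manager ever runs. The following is an added example, not code from Sonatype or Birsan: it flags npm dependencies that a public registry could satisfy, treating a dependency as safe only when it is scoped and that scope is pinned to a private registry in .npmrc. The package.json, .npmrc, @acme scope and internal package names are constructed for the example.

```python
"""Flag npm dependencies exposed to dependency confusion.
Assumptions (constructed): internal packages should live under a scope that
.npmrc routes to a private registry; INTERNAL_NAMES lists bare names used
internally, which a public registry could also serve."""
import json
import re

# Constructed sample manifest and .npmrc, embedded so the check runs offline.
PACKAGE_JSON = json.dumps({
    "name": "acme-billing",
    "dependencies": {
        "express": "^4.17.1",            # public package, expected
        "acme-auth-lib": "1.2.0",        # internal name, unscoped: confusable
        "@acme/ledger": "2.0.1",         # scoped and pinned: safe
        "@acme-tools/reports": "0.9.0",  # scoped, but scope is not pinned
    },
})
NPMRC = "@acme:registry=https://npm.internal.example/\n"
INTERNAL_NAMES = {"acme-auth-lib", "ledger", "reports"}


def pinned_scopes(npmrc_text):
    """Return the scopes that .npmrc routes to a registry other than public npm."""
    scopes = set()
    for line in npmrc_text.splitlines():
        m = re.match(r"^(@[^:]+):registry=(\S+)", line.strip())
        if m and "registry.npmjs.org" not in m.group(2):
            scopes.add(m.group(1))
    return scopes


def confusable_deps(package_json_text, npmrc_text, internal_names):
    """Return {dependency: reason} for entries the public registry could satisfy."""
    deps = json.loads(package_json_text).get("dependencies", {})
    pinned = pinned_scopes(npmrc_text)
    findings = {}
    for name in deps:
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in pinned:
                findings[name] = "scope %s not pinned to a private registry" % scope
        elif name in internal_names:
            findings[name] = "unscoped internal name resolvable from public npm"
    return findings


if __name__ == "__main__":
    for dep, reason in confusable_deps(PACKAGE_JSON, NPMRC, INTERNAL_NAMES).items():
        print("%s: %s" % (dep, reason))
```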
"First of all, many of these have no disclaimers or code comments in place indicating these are linked to any kind of ethical bug bounty program, or created for security research purposes. While having such a disclaimer in place is no guarantee that a package’s author is working in good faith, lack thereof can surely raise alarm bells especially when combined with malicious code.
"Secondly, as soon as these packages are installed automatically because they share a name with an internal dependency (thereby exploiting “dependency confusion”), they exfiltrate the user’s .bash_history file and /etc/shadow, and in some cases spawn a reverse shell."