Technical Deep Dive Into SolarWinds Breach

Many organizations have been compromised by the recent SolarWinds breach, which seems to be a targeted attack against both government and private agencies. The complete scale of this attack is still unknown, but what is known is that the hackers gained access to victims’ systems via malicious SolarWinds Orion updates which were then downloaded by thousands of users.

Attackers were able to gain access to the SolarWinds software development and delivery pipeline, which allowed them to add their malicious code into one of the SolarWinds Orion platform drivers named SolarWinds.Orion.BusinessLayer.dll. Due to this supply chain attack, the infected dll was digitally signed which helped the malware remain unnoticed for a long time, allowing the adversary to make a massive impact.

Technical Analysis

The compromised binary is a .Net Assembly which contains many legitimate namespaces, classes, and methods of the Orion framework. This allowed the code to blend in with legitimate code. The malicious code is part of the OrionImprovementBusinessLayer class which is executed by creating a thread to avoid interrupting the regular flow of the dll. The code to create thread was part of RefreshInternal method, which is an infected method of the dll.

Anti-Analysis

For keeping the hardcoded values in the file like the list of processes, services, etc., the malware used a variant of the FNV-1a hashing algorithm by XORing the computed hash of the string with a hardcoded value at the end.

Other than keeping hardcoded values in hashed form, the malware has used DEFLATE compression to keep strings like WMI queries, registry entries and tokens.

At the start of the malicious code execution, malware authors have added many checks to make sure the code is running in the right environment:

  • Name of the process is solarwinds.businesslayerhost.exe
  • The dll is written at least 12 to 14 days (288 to 336 hours) earlier on the disk
  • Checks that the domain name of the system is valid with the following checks:
    • Should not contain certain strings whose hashes are kept in the file
    • Should not match with the regex (?i)([^a-z]|^)(test)([^a-z]|$) or (?i)(solarwinds)
  • It also checks for running processes, drivers, and services against list of processes, services and drivers kept in hashed form in the file. This looks related to checking security software is present or not on the system.

If any listed service is found on the system, the malware tries to disable the service by manipulating the service registries under HKLM\SYSTEM\CurrentControlSet\Services. It first finds a new owner by enumerating users list obtained by querying “Select * From Win32_UserAccount”. It checks if the user account is local and the SID starts with S-1-5 and ends with -500 to make sure it is a local administrator account.

After finding the account, the malware makes the discovered account as the owner of the registries which needed to be modified, by granting itself SeRestorePrivilege and SeTakeOwnershipPrivilege privileges.

For fetching installed drivers, it uses Select * from Win32_SystemDriver WMI query.

Domain Generation Algorithm (DGA)

The core activity of the malware is of an HTTP backdoor where it communicates with its C&C server and get commands to execute. For getting the C&C server details, it resolves a unique FQDN with following structure:

{subdomain}.domain3.domain2.domain1
domain3 = [eu-west-1, us-west-2, us-east-1, us-east-2]
domain2 = appsync-api
domain1 = avsvmcloud.com

The malware implements a domain generation algorithm to generate a unique subdomain each time. DGA uses the 8-byte user id generated for the system, and the domain name of the system to generate the subdomain.

One of the inputs to the DGA, a user id for the system is generated using following data collected from the system:

  • Physical address of the network interface
  • Domain name of the system
  • MachineGuid registry value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

It concatenates above three values, calculates the MD5 of the concatenated string and then custom XOR it to get the user id.

As part of the DGA, it encodes the domain of the system with a substitution table “rq3gsalt6u1iyfzop572d49bnx8cvmkewhj” and random numbers.

After encoding the domain name, the malware generates a string using the user id, random numbers, and substitution table “ph2eifo3n5utg1j8d94qrvbmk0sal76c”.

Then, it concatenates the encoded user id with encoded domain name to produce the subdomain. This makes the subdomain and FQDN domain for each malware instance different.

C2 Communication

The malware checks the generated FQDN domain is resolved to get details in the IPAddress structure. It checks if the resolved Hostname is the same as the queried hostname, then checks for the address family for the resolved IP based on a list of IPs and masks hardcoded in the code. If it is different, then the resolved Hostname is used as the C2 host name for the backdoor.

As part of C2 communication, attackers have tried to mimic SolarWinds communication method by using JSON format for the HTTP communication. Following is the code for creating JSON format:

The JSON format:

{ "userId": , "sessionID": , "steps": { { "Timestamp": "", "Index":, "EventType": "Orion", "EventName": "EventManager", "DurationMs":, "Succeeded":true, "Message": "" } }
}

The HTTP backdoor sends the json data to C2 server and if the communication is successful, the server responds with an encoded command which is parsed by the backdoor using regex “{[0-9a-f-]{36}}”|”[0-9a-f]{32}”|”[0-9a-f]{16}”.

The following are the list of decoded commands which is hardcoded in the code.

From the list, it is clearly capable of collecting system information, playing with the registry, dropping another file on the disk, and running it.

We can explore a few of the commands supported: The CollectSystemDescription command is used to collect information like domain name, username, OS version and network configuration details.

As part of getting network configuration details, the malware uses select * From Win32_NetworkAdapterConfiguration where IPEnabled=true WMI Query and then parses following fields:

Description
MACAddress
DHCPEnabled
DHCPServer
DNSHostName
DNSDomainSuffixSearchOrder
DNSServerSearchOrder
IPAddress
IPSubnet
DefaultIPGateway

For getting OS details, it uses Select * From Win32_OperatingSystem WMI Query.

From the code we can see that it can drop a second stage malware and execute it.

Conclusion

In the end, we can conclude that the techniques which the attackers have used in this breach are very sophisticated: Supply Chain Compromise, Data Encoding, Impair Defenses and Dynamic Resolution to name few. Instead of doing major damage to the infected system, the attackers have focused on staying unnoticed from security products. In the coming days, we can expect to see widespread use of similar attacks.

Customers can use Qualys EDR and VMDR platforms to assess and remediate the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, and FireEye Red Team tools, and to track their remediation via dynamic dashboards.