
SolarWinds reported on December 13th, 2020 that attackers had compromised the build process behind its Orion platform and inserted malware into a signed software update that was then distributed to SolarWinds customers. Security researchers have since discovered a second, separate piece of malware, SuperNova, planted on SolarWinds Orion servers. SolarWinds software is widely used by companies in both the public and private sector. This breach resulted in the compromise of the U.S. Departments of Treasury, Commerce, Homeland Security, and State, and it also affected entities such as FireEye and Microsoft. SolarWinds stated that it believes fewer than 18,000 of its roughly 300,000 customers may have installed the trojanized update, making this one of the largest and most impactful cybersecurity breaches of 2020. Even into 2021, more details on the full extent of the breach are still emerging. The attacker is described as a sophisticated threat actor, likely backed by a nation-state. Some reports speculate that it is a group of Russian hackers known as Cozy Bear/APT29. So far this has not been confirmed, and the Kremlin has denied the accusations. You can read more about the full extent of the data breach here.

The New SuperNova Malware and How It’s Used

The backdoor carried by the trojanized SolarWinds update is known as Sunburst. It was a digitally signed component (a .NET DLL) of the Orion software framework that contained a backdoor communicating over HTTP with attacker-controlled servers. Because it came from a trusted vendor through the normal update channel and carried a valid SolarWinds signature, customers installed it like any other update. In addition to the backdoor, Sunburst carries obfuscated blocklists, stored as hash values rather than plaintext names, that it uses to identify security and antivirus tools running as processes, services, and drivers; when it finds them it stays dormant or attempts to disable them rather than reveal itself.

The SuperNova malware was originally identified during the analysis of Sunburst and was assumed to be part of the same intrusion. Newer analysis shows that SuperNova is distinct from Sunburst: rather than arriving inside a signed update, it is installed by exploiting a zero-day vulnerability in the Orion web application, which lets the attacker drop a trojanized .NET DLL. Unlike the Sunburst DLL, the SuperNova DLL is not digitally signed by SolarWinds, and an unsigned binary sitting among signed Orion components is a discrepancy that could have been used to identify it earlier. Functionally it resembles Sunburst in purpose: the loaded code is a web shell that acts as a backdoor providing persistent access to the Orion web server. What makes this web shell difficult to handle is that it takes .NET source code from HTTP request parameters, compiles it and executes it entirely in memory, so little is written to disk for security tools to detect or for forensic analysts to recover during post-breach investigation. Many researchers believe SuperNova may be the work of a completely different threat actor, which would mean that two separate actors compromised the same product through different routes. You can read a detailed breakdown of the malware here.


Sunburst Connection to the Kazuar Malware Family

Sunburst has also been connected to the Kazuar malware family. Kazuar is a .NET-based backdoor first documented by Palo Alto Networks back in 2017 and associated with the Turla group. Research published by Kaspersky found several code overlaps between Sunburst and Kazuar:
  • Both malware families use a sleeping algorithm that keeps the backdoor dormant for a random period between connections to the C2 server
  • Both use a modified FNV-1a hash to obfuscate strings such as process and service names, so the names never appear in plaintext in the binary
Kaspersky is careful to note that code overlap alone does not prove a common author, and it lists several possible explanations:
  • Sunburst and Kazuar were developed by the same threat group
  • The adversary behind Sunburst used Kazuar as an inspiration
  • The groups behind Kazuar (Turla) and Sunburst (UNC2452 or Dark Halo) obtained the malware from a single source
  • The developers of Kazuar moved to another team, taking their toolset with them, or
  • The Sunburst developers deliberately introduced these links as a "false flag" to shift blame to another group
You can read the details of the connections between Sunburst and Kazuar here.
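The hashed blocklists described in the Sunburst section and the FNV-1a overlap noted above come down to one small technique, shown here as an added example (not code from the original article, SolarWinds, FireEye or Kaspersky). It implements standard FNV-1a 64-bit, shows why a blocklist of hash values hides the tool names it matches, and then does what an analyst does to recover them: hash a dictionary of candidate process names and look the constants up. The post-hash XOR constant is the one reported in public Sunburst write-ups and is an assumption to verify against your own sample; the process names and the blocklist are constructed.

```python
"""FNV-1a process-name blocklist: why it hides tool names, and how an
analyst resolves the constants back with a candidate dictionary.

Added example for illustration; not code from SolarWinds, FireEye or
Kaspersky. Process names and the blocklist below are constructed.
"""
from typing import Dict, Iterable, List, Optional

FNV64_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3        # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1

# Assumption: post-hash XOR constant as reported in public SUNBURST analyses.
# Verify it against the sample you are analysing; pass 0 for plain FNV-1a.
SUNBURST_POST_XOR = 0x5BAC903BA7D81E59


def fnv1a_64(data: bytes, post_xor: int = 0) -> int:
    """Standard FNV-1a 64-bit over the bytes, optionally XORed afterwards
    with a constant (the modification the Sunburst/Kazuar analyses describe)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h ^ post_xor


def name_hash(name: str, post_xor: int = SUNBURST_POST_XOR) -> int:
    """Hash a process/service/driver name the way a blocklist would:
    lower-cased so that case differences in the live system do not matter."""
    return fnv1a_64(name.lower().encode("utf-8"), post_xor)


# Constructed blocklist. A real implant ships only the integers; the
# names that produced them are never present in the binary.
_BLOCKLIST_NAMES = ("msmpeng.exe", "sysmon64.exe", "procmon.exe")
BLOCKLIST = frozenset(name_hash(n) for n in _BLOCKLIST_NAMES)


def malware_side_check(running: Iterable[str], blocklist=BLOCKLIST) -> List[str]:
    """What the implant does: hash each running process name and test
    membership. Only integers are compared, so string scanning of the
    binary reveals nothing about which tools it is looking for."""
    return [p for p in running if name_hash(p) in blocklist]


def resolve_hashes(hashes: Iterable[int], candidates: Iterable[str],
                   post_xor: int = SUNBURST_POST_XOR) -> Dict[int, Optional[str]]:
    """Analyst side: recover names for extracted hash constants by hashing
    a dictionary of candidate names. Constants with no match map to None,
    which tells you the dictionary needs more (or differently spelled) names."""
    table = {name_hash(c, post_xor): c.lower() for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Implant view: which of these (constructed) processes trip the blocklist?
    print(malware_side_check(["explorer.exe", "MsMpEng.exe", "notepad.exe"]))
    # Analyst view: resolve the blocklist constants with a small dictionary.
    dictionary = ["explorer.exe", "sysmon64.exe", "procmon.exe", "msmpeng.exe"]
    for h, name in resolve_hashes(sorted(BLOCKLIST), dictionary).items():
        print(f"0x{h:016x} -> {name}")
```

In practice the candidate dictionary is a list of every security product binary, service and driver name you can gather; anything that still resolves to None is either a name you have not thought of or a sign that the hash variant (constant, width or post-XOR) differs from the one assumed here.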

Recommended Action

The Cybersecurity and Infrastructure Security Agency (CISA) has published a regularly updated cybersecurity advisory on how to handle potential compromises associated with the SolarWinds supply-chain attack, which can be found here. The advisory was first released on December 17th, 2020 and applies to government agencies, critical infrastructure, and private sector organizations. It provides ongoing updates on the investigation, mitigation guidance, indicators of compromise, and more. You can find supplementary information on CISA's offerings here.


Conclusion

The effects of the SolarWinds breach have been extensive. Symantec, which also analyzed the attack, identified the trojanized software updates on over 2,000 computers at more than 100 of its customers. Fortunately, a killswitch has been identified and activated for Sunburst. Sunburst's first command-and-control stage is a DNS lookup of a subdomain of avsvmcloud[.]com, and the IP address returned by that lookup controls what the malware does next. A FireEye spokesperson told SecurityWeek: "Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution." The domain has since been taken over by defenders and pointed at an address that triggers this behaviour, which is what makes the killswitch effective. You can read more about this killswitch here.
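Because the DNS stage happens before any HTTP traffic, resolver logs are the earliest place an infected Orion server shows up. The following is an added example (not code from the original article or from FireEye) of that check run over constructed resolver log lines: it groups every lookup of avsvmcloud[.]com or one of its subdomains by client and keeps the answer IP, since that answer is what decided whether the implant carried on or terminated. The "<timestamp> <client-ip> <query-name> <answer-ip>" log layout is an assumption; adapt parse_line() to your resolver's format.

```python
"""Detection logic for Sunburst's DNS stage over constructed resolver logs.

Added example, not code from the original article or from FireEye. The log
layout "<timestamp> <client-ip> <query-name> <answer-ip>" is an assumption;
the log lines themselves are constructed (RFC 1918 / RFC 5737 addresses).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

KILLSWITCH_DOMAIN = "avsvmcloud.com"  # the domain Sunburst resolves (brackets removed)

# Constructed sample log, not real traffic. The look-alike on the third line
# and the mixed-case query on the last line are there to exercise the matcher.
SAMPLE_LOG = """\
2020-12-14T03:12:01Z 10.1.5.23 updates.vendor.test 203.0.113.10
2020-12-14T03:12:44Z 10.1.5.23 h3r2kz8q6v.appsync-api.eu-west-1.avsvmcloud.com 198.51.100.7
2020-12-14T03:13:02Z 10.1.7.9 avsvmcloud.com.cdn.test 203.0.113.44
2020-12-14T03:15:19Z 10.1.5.23 p0xq7mn1tc.appsync-api.us-east-2.avsvmcloud.com 10.0.0.1
2020-12-14T03:16:00Z 10.1.9.2 AVSVMCLOUD.COM 198.51.100.7
"""


class Lookup(NamedTuple):
    ts: str
    client: str
    qname: str
    answer: str


def parse_line(line: str) -> Lookup:
    """Split one assumed-format log line; query names are normalised
    (trailing dot removed, lower-cased) so matching is case-insensitive."""
    ts, client, qname, answer = line.split()
    return Lookup(ts, client, qname.rstrip(".").lower(), answer)


def is_killswitch_domain(qname: str, domain: str = KILLSWITCH_DOMAIN) -> bool:
    """True only for the domain itself or a genuine subdomain of it.
    A plain substring test would also match look-alikes such as
    avsvmcloud.com.cdn.test or notavsvmcloud.com."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def scan(log_text: str) -> Dict[str, List[Lookup]]:
    """Group every matching lookup by client so each host can be triaged.
    The answer IP is kept deliberately: compare it with the published
    sinkhole/kill ranges to judge whether the implant stopped or continued."""
    hits: Dict[str, List[Lookup]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        lookup = parse_line(raw)
        if is_killswitch_domain(lookup.qname):
            hits[lookup.client].append(lookup)
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in scan(SAMPLE_LOG).items():
        print(f"{client}: {len(lookups)} lookup(s)")
        for item in lookups:
            print(f"  {item.ts} {item.qname} -> {item.answer}")
```

Every client that appears in the output has run a Sunburst-style beacon and should be treated as compromised regardless of what the resolver answered; the answer only tells you whether the implant was likely to have proceeded to its HTTP stage.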


Do you want to learn more about cybersecurity? Please subscribe to our newsletter.