US CISA released an advisory on current activity explaining that a threat actor is actively exploiting SolarWinds platforms to access networks and systems. Notably, US DHS released Emergency Directive 21-1, requiring US Federal Agencies to take immediate steps to identify instances of SolarWinds products running on federal networks, determine whether they are among the known vulnerable versions, and mitigate the SolarWinds vulnerability and its potential for compromise.
The journalist Brian Krebs further specified that many US agencies, including the Pentagon, the NSA and the US Department of the Treasury, as well as more than 425 of the top US Fortune 500 companies, are among the victims.
The vulnerable versions, 2019.4 HF 5 to 2020.2.1 HF 1, released between March and June 2020, include a file that contains a backdoor called SUNBURST. This trojan communicates with its C2 servers over HTTP.
Currently and until SolarWinds deploys a fix, the only known way to prevent further compromise is to disconnect the affected devices.
As a network management system often has extended access to networks and systems, the exploitation of the SolarWinds products poses a critical risk to affected organizations and requires emergency action. The first step is to determine whether the system or systems running a SolarWinds product are affected. This document provides brief guidance on how to check whether the SolarWinds system is among the affected versions and, if so, how to determine whether any exploitation occurred.
Check Your System or Systems for SolarWinds vulnerability
STEP 0: AFFECTED VERSIONS
The affected versions are SolarWinds 2019.4 HF 5 to 2020.2.1 HF 1, released between March 2020 and June 2020.
To check which version is installed on your server, SolarWinds provided the following instructions.
DETERMINE THE INSTALLED VERSION FROM THE ORION WEB CONSOLE
All product versions are displayed in the footer of the Orion Web Console login page.
DETERMINE THE INSTALLED VERSION FROM THE SERVER CONTROL PANEL
The product versions are also displayed in your system’s Control Panel.
- Open the Control Panel, go to Programs > Programs and Features.
- Scroll down to SolarWinds. The number of entries will vary depending on how many products are installed.
The products and versions are listed as below:
Some versions may include information about any hotfixes installed.
STEP 1: CHECK FILES AND HASHES
The presence of any of the following files indicates that a trojanized version of SolarWinds is installed.
File Name: SolarWinds.Orion.Core.BusinessLayer.dll
File Hash (MD5): b91ce2fa41029f6955bff20079468448
File Path and Name: C:\WINDOWS\SysWOW64\netsetupsvc.dll
SEARCH FOR FILE – COMMAND LINE
Run “cmd.exe” as an administrator. Type:
cd \
dir SolarWinds.Orion.Core.BusinessLayer.dll /s
dir netsetupsvc.dll /s
The latter file is suspicious if it is present in the directory “C:\WINDOWS\SysWOW64\”.
SEARCH FOR A FILE – GUI
To find a file on a disk, the quickest solution is to use the “Search…” bar from the Start menu.
Note that in the example, a file was found in its standard location (C:\Windows\System32), not in the one used by the threat actor, C:\WINDOWS\SysWOW64.
Alternatively, open Windows Explorer and, in the “Search…” field, type “filename:” followed by the name of the file.
In the dialog box, click “This PC” on the left to make sure the search is performed on all drives and folders, or repeat the search on every drive attached to the system.
GET FILE HASH
If the file “SolarWinds.Orion.Core.BusinessLayer.dll” is present on the system, calculate its hash. Run PowerShell and execute the following commands:
Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm MD5
Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm SHA256
If these files are present and their hash matches a published value, the SolarWinds instance is one of the versions known to contain the Trojan file.
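As an added example (not part of the original guidance or of any SolarWinds or CISA tooling), the following PowerShell script automates STEP 1 end to end: it sweeps every fixed drive for the two file names, hashes each hit with MD5 and SHA256, and flags a match against the MD5 published above or the SysWOW64 path used by the threat actor. The choice to scan only fixed drives, the verdict labels and the exit code are assumptions of this example.

```powershell
# Added example: sweep fixed drives for the STEP 1 file names and flag the page's indicators.
# The known-bad MD5 and the SysWOW64 path come from the guidance above; everything else
# (drive selection, verdict wording, exit codes) is an assumption of this example.
$KnownBadMd5 = 'b91ce2fa41029f6955bff20079468448'
$Targets     = @('SolarWinds.Orion.Core.BusinessLayer.dll', 'netsetupsvc.dll')
$SuspectPath = Join-Path $env:SystemRoot 'SysWOW64\netsetupsvc.dll'

# DriveType 3 = local fixed disk, so removable media and mapped shares are skipped.
$Drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
          ForEach-Object { $_.DeviceID + '\' }

$Findings = foreach ($root in $Drives) {
    # -Force includes hidden/system files; access-denied errors on protected folders are tolerated.
    Get-ChildItem -Path $root -Recurse -Force -File -Include $Targets -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $verdict = 'info: present, hash does not match the published MD5'
        if ($md5 -eq $KnownBadMd5) {
            $verdict = 'MATCH: trojanized SolarWinds.Orion.Core.BusinessLayer.dll'
        } elseif ($_.FullName -ieq $SuspectPath) {
            $verdict = 'SUSPICIOUS: netsetupsvc.dll in SysWOW64 (location used by the threat actor)'
        }
        [pscustomobject]@{
            Path    = $_.FullName
            MD5     = $md5
            SHA256  = $sha256
            Verdict = $verdict
        }
    }
}

# The legitimate copy of netsetupsvc.dll in System32 is expected and reports as 'info'.
# Any MATCH/SUSPICIOUS row should be preserved and escalated per the guidance above.
$Findings | Format-Table -AutoSize -Wrap
if ($Findings | Where-Object { $_.Verdict -notlike 'info:*' }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session so protected directories are readable; the SHA256 column can be compared against the additional hashes FireEye published.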
FireEye identified additional files related to the attack. The hashes are provided in the Table below.
CHECK FOR NETWORK IOCS
If a network monitoring solution (NMS) is present or similar logs exist, the following DNS and IP indicators may be used to perform a threat hunt. Observing any of these likely indicates that the network has been compromised.
FQDN | IP | Target | First Seen | Last Seen