Guide To Check For Sunburst Vulnerability in SolarWinds And Whether It Was Exploited

US CISA released an advisory on current activity explaining that a threat actor is actively exploiting SolarWinds Orion platforms to gain access to networks and systems. Notably, US DHS released Emergency Directive 21-01, requiring US federal agencies to take immediate steps to identify instances of SolarWinds products running on federal networks, determine whether they are among the known vulnerable versions, and mitigate the SolarWinds vulnerability and its potential for compromise.

The journalist Brian Krebs further reported that many US agencies, including the Pentagon, the NSA and the US Department of the Treasury, as well as more than 425 of the US Fortune 500 companies, are among the victims.

The vulnerable versions, 2019.4 HF 5 through 2020.2.1 HF 1, released between March and June 2020, include a trojanized library (SolarWinds.Orion.Core.BusinessLayer.dll) that contains a backdoor called SUNBURST. The backdoor first resolves a generated subdomain of avsvmcloud[.]com; the CNAME returned points it to a command-and-control (C2) domain, with which it then communicates over HTTP.

Currently, and until a fix from SolarWinds is deployed, the only known way to prevent further compromise is to disconnect the affected devices from the network.


As a network management system usually has extended access to networks and systems, exploitation of the SolarWinds products poses a critical risk to affected organizations and requires emergency action. The first step is to determine whether any system running a SolarWinds product is affected. This document provides brief guidance on how to check whether a SolarWinds installation is among the affected versions and, if so, how to determine whether any exploitation occurred.


Check Your System or Systems for SolarWinds vulnerability

STEP 0: AFFECTED VERSIONS

The affected versions are SolarWinds Orion Platform 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020.

To check which version is installed on your server, SolarWinds provides the following two methods.

 

DETERMINE THE INSTALLED VERSION FROM THE ORION WEB CONSOLE

All product versions are displayed in the footer of the Orion Web Console login page.


 

DETERMINE THE INSTALLED VERSION FROM THE SERVER CONTROL PANEL

The product versions are also displayed in your system’s Control Panel.

  1. Open the Control Panel and go to Programs > Programs and Features.
  2. Scroll down to SolarWinds. The number of entries will vary depending on how many products are installed.

Each SolarWinds entry lists the product name together with its version.

Some versions may include information about any hotfixes installed.
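The Control Panel check above can be scripted so it can be run across many servers. The following is an added example, not part of SolarWinds' instructions or of this guide's original text: it reads the same Uninstall registry data that Programs and Features displays, lists every SolarWinds entry, and flags the 2019.4 and 2020.2 families named as affected. It assumes that DisplayVersion carries the platform version (for example "2020.2.1") and that Orion is installed under the default Program Files path; the hotfix level is frequently not recorded in the registry and must still be confirmed from the Web Console footer.

```powershell
# Added example (not SolarWinds' or the guide's own code). Run in an elevated PowerShell.
# Assumption: DisplayVersion holds the Orion platform version; hotfix level may be absent.

$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Same data source as Control Panel > Programs and Features.
$products = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'SolarWinds*' -or $_.Publisher -like 'SolarWinds*' } |
    Sort-Object DisplayName

if (-not $products) {
    Write-Output 'No SolarWinds products found in Programs and Features.'
    return
}

# Affected range stated in this guide: 2019.4 HF 5 through 2020.2.1 HF 1.
# A prefix match only means "in the affected family"; verify the hotfix level before concluding.
$affectedPrefixes = @('2019.4', '2020.2')

$rows = foreach ($p in $products) {
    $version = [string]$p.DisplayVersion
    $flag = ''
    foreach ($prefix in $affectedPrefixes) {
        if ($version.StartsWith($prefix)) { $flag = '<-- affected family, verify hotfix level' }
    }
    [pscustomobject]@{
        Product     = $p.DisplayName
        Version     = $version
        InstallDate = $p.InstallDate
        Note        = $flag
    }
}
$rows | Format-Table -AutoSize

# Second opinion: the file version of the Orion DLL itself (default install path assumed;
# the wildcard covers both "Program Files" and "Program Files (x86)").
$dll = Get-ChildItem -Path "$env:ProgramFiles*\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll" -ErrorAction SilentlyContinue
if ($dll) {
    $dll | ForEach-Object { '{0} : FileVersion {1}' -f $_.FullName, $_.VersionInfo.FileVersion }
}
```

A version in the affected family is reason to proceed to Step 1 immediately; a version outside it does not by itself clear a host on which an affected build was previously installed and later upgraded.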

 

STEP 1: CHECK FILES AND HASHES

The presence of either of the following files, at the stated hash or in the stated location, indicates that a trojanized version of SolarWinds is installed.

1.

File Name: SolarWinds.Orion.Core.BusinessLayer.dll

File Hash (MD5): b91ce2fa41029f6955bff20079468448

2.

File Path and Name: C:\WINDOWS\SysWOW64\netsetupsvc.dll

 

SEARCH FOR FILE – COMMAND LINE

Run “cmd.exe” as an administrator. Type:

cd \

dir SolarWinds.Orion.Core.BusinessLayer.dll /s

dir netsetupsvc.dll /s

The latter is suspicious only if it is present in the directory “C:\WINDOWS\SysWOW64\”; a copy in C:\Windows\System32 is the legitimate Windows component.

 

SEARCH FOR A FILE – GUI

To find a file on a disk, the quickest way is to use the “Search…” bar in the Start menu.

Note that in that case the file may be found in its standard location (C:\Windows\System32), which is not the one used by the threat actor, C:\WINDOWS\SysWOW64.

Alternatively, open Windows Explorer and, in the “Search…” field, type “filename:” followed by the file name (for example, filename:netsetupsvc.dll).

In the dialog box, click “This PC” on the left to make sure the search covers all drives and folders, or repeat the search on every drive attached to the system.

 

GET FILE HASH

If the file “SolarWinds.Orion.Core.BusinessLayer.dll” is present on the system, calculate its hash. Run PowerShell and execute the following commands:

Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm MD5

Get-FileHash -Path [path-to-the-file]\SolarWinds.Orion.Core.BusinessLayer.dll -Algorithm SHA256

If the file is present and its hash matches one of the published values, the SolarWinds instance is one of the versions known to carry the trojanized file. A hash that does not match does not clear the host by itself, since the published list is not necessarily exhaustive.

 

ADDITIONAL FILES

FireEye identified additional files related to the attack. Their hashes are listed below. Note that the trojanized DLL was signed with SolarWinds’ legitimate code-signing certificate (entry 2), so a valid Authenticode signature does not clear the file; only the hash does.

1.

SHA256: d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

MD5: 02af7cec58b9a5da1c542b5a32151ba1

File Name: CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Malware Family: SUNBURST

Role: Installer

2.

SHA256: 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7

MD5: 08e35543d6110ed11fdf558bb093d401

File Name: “Solarwinds Worldwide, LLC” Code Signing Certificate

Malware Family: (none)

Role: Legitimate SolarWinds code-signing certificate

3.

SHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

MD5: 2c4a910a1299cdae2a4e55988a2f102e

File Name: SolarWinds.Orion.Core.BusinessLayer.dll

Malware Family: SUNBURST

Role: Backdoor

4.

SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

MD5: 846e27a652a5e1bfbd0ddd38a16dc865

File Name: SolarWinds.Orion.Core.BusinessLayer.dll

Malware Family: SUNBURST

Role: Backdoor

5.

SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

MD5: b91ce2fa41029f6955bff20079468448

File Name: SolarWinds.Orion.Core.BusinessLayer.dll

Malware Family: SUNBURST

Role: Backdoor

6.

SHA256: 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712

MD5: 4f2eb62fa529c0283b28d05ddd311fae

File Name: OrionImprovementBusinessLayer.2.cs

Malware Family: SUNBURST

Role: Decompiled and corrected source code for SUNBURST

7.

SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

MD5: 56ceb6d0011d87b6e4d7023d7ef85676

File Name: app_web_logoimagehandler.ashx.b6031896.dll

Malware Family: SUPERNOVA

Role: Webshell
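The file search, hashing and comparison steps above can be combined into one sweep. The following is an added example, not code from the original guide or from FireEye’s countermeasures: it searches every fixed drive for the file names mentioned in this guide, hashes whatever it finds, compares the SHA256 against the published values listed above, and separately flags netsetupsvc.dll when it sits in the SysWOW64 path used by the actor. The hash values are copied from the list above; the output column layout is the example’s own choice. Run it from an elevated PowerShell prompt; a full-disk recursion on a large Orion server takes several minutes.

```powershell
# Added example (not the guide's or FireEye's code). Hashes below are the published
# SHA256 values from the list above; Get-FileHash returns uppercase hex, so keys are uppercase.

$knownBad = @{
    # SolarWinds.Orion.Core.BusinessLayer.dll (three SUNBURST builds)
    '32519B85C0B422E4656DE6E6C41878E95FD95026267DAAB4215EE59C107D6C77' = 'SUNBURST backdoor'
    'CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6' = 'SUNBURST backdoor'
    '019085A76BA7126FFF22770D71BD901C325FC68AC55AA743327984E89F4B0134' = 'SUNBURST backdoor'
    # CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
    'D0D626DEB3F9484E649294A8DFA814C5568F846D5AA02D4CDAD5D041A29D5600' = 'SUNBURST installer'
    # app_web_logoimagehandler.ashx.b6031896.dll
    'C15ABAF51E78CA56C0376522D699C978217BF041A3BD3C71D09193EFA5717C71' = 'SUPERNOVA webshell'
}

# File names from this guide; the wildcard catches other compiled-handler suffixes.
$targets = @(
    'SolarWinds.Orion.Core.BusinessLayer.dll',
    'netsetupsvc.dll',
    'app_web_logoimagehandler.ashx*.dll',
    'CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp'
)

# Every local fixed drive, not just C:, so a relocated Orion install is not missed.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }

$found = foreach ($drive in $drives) {
    Get-ChildItem -Path (Join-Path $drive.Root '*') -Include $targets -Recurse -File -Force -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output 'None of the named files were found on any fixed drive.'
    return
}

$report = foreach ($file in $found) {
    $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash

    $verdict = 'hash not in published list (does not clear the host)'
    if ($knownBad.ContainsKey($sha256)) { $verdict = "MATCH: $($knownBad[$sha256])" }

    # netsetupsvc.dll belongs in System32; the SysWOW64 copy is the location the actor used.
    if ($file.Name -ieq 'netsetupsvc.dll' -and $file.DirectoryName -ieq "$env:SystemRoot\SysWOW64") {
        $verdict = 'SUSPICIOUS: netsetupsvc.dll in SysWOW64 (actor-used path)'
    }

    # Signature status is reported for context only: the trojanized DLL carries a valid
    # SolarWinds signature, so "Valid" here must not be read as "clean".
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path      = $file.FullName
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        SHA256    = $sha256
        MD5       = $md5
        Verdict   = $verdict
    }
}

$report | Format-Table -AutoSize -Wrap
```

Treat any MATCH or SUSPICIOUS line as confirmation that the host runs a trojanized build or has seen follow-on activity, and move to the network indicators below to establish whether the backdoor actually communicated.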

 

CHECK FOR NETWORK IOCS

If a network monitoring solution, DNS resolver logs, proxy logs or firewall logs are available, the following DNS and IP indicators (FireEye’s published network-based indicators) can be used to perform a threat hunt. A query for a subdomain of avsvmcloud[.]com is the backdoor’s initial beacon; a CNAME answer pointing to one of the other domains listed means the actor directed that host to follow-on command and control. Any of these observed on the network likely indicates that it has been compromised.

Malware | DNS record type | FQDN | IP / CNAME target | First seen | Last seen
SUNBURST | CNAME | 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com | freescanonline[.]com | 2020-06-13 09:20:41 | 2020-06-13 09:20:41
SUNBURST | CNAME | 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com | deftsecurity[.]com | 2020-06-11 22:37:33 | 2020-06-11 22:37:33
SUNBURST | CNAME | gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com | freescanonline[.]com | 2020-06-13 08:48:40 | 2020-06-13 08:48:41
SUNBURST | CNAME | ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com | thedoccloud[.]com | 2020-06-20 02:54:06 | 2020-06-20 02:54:06
SUNBURST | CNAME | k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com | thedoccloud[.]com | 2020-07-22 17:15:57 | 2020-07-22 17:15:58
SUNBURST | CNAME | mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com | thedoccloud[.]com | 2020-07-23 18:43:00 | 2020-07-23 18:43:00
SUNBURST | A | deftsecurity[.]com | 13.59.205.66 | 2020-02-14 03:47:49 | 2020-12-13 19:28:44
SUNBURST | A | freescanonline[.]com | 54.193.127.66 | 2020-02-11 11:00:04 | 2020-12-13 19:25:56
SUNBURST | A | thedoccloud[.]com | 54.215.192.52 | 2020-02-09 20:03:38 | 2020-12-10 03:24:23
SUNBURST | A | websitetheme[.]com | 34.203.203.23 | 2020-02-04 16:27:45 | 2020-06-25 23:58:55
SUNBURST | A | highdatabase[.]com | 139.99.115.204 | 2019-12-28 00:07:06 | 2020-12-06 03:51:20
BEACON | A | incomeupdate[.]com | 5.252.177.25 | 2019-10-04 17:57 | 2020-10-01 18:45
not listed | A | databasegalore[.]com | 5.252.177.21 | 2020-03-12 10:49 | 2020-12-13 21:23
not listed | A | panhardware[.]com | 204.188.205.176 | 2020-03-11 15:32 | 2020-12-13 21:23
not listed | A | zupertech[.]com | 51.89.125.18 | 2020-05-14 03:09 | 2020-12-13 21:31
not listed | A | zupertech[.]com | 167.114.213.199 | 2016-08-18 13:06 | 2017-11-12 16:23

The last five rows were published with minute precision only.
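The indicators above are most useful when matched mechanically against an exported resolver or proxy log. The following is an added example, not part of the original guide or of FireEye’s CSV: it loads the listed domains and IP addresses (with the defanging brackets removed), matches both the queried name and the answer, treats any subdomain of avsvmcloud[.]com as a hit so the generated beacon hostnames are caught, and runs over a few constructed log lines. The “time,client,query,answer” column layout is an assumption for illustration; adapt the parser to your own export, or feed it Sysmon DNS events as noted in the comments.

```powershell
# Added example (not the guide's or FireEye's code). Indicators copied from the table above.
# The log sample is constructed; adapt the column names to your resolver/proxy export.

$iocDomains = @(
    'avsvmcloud.com', 'freescanonline.com', 'deftsecurity.com', 'thedoccloud.com',
    'websitetheme.com', 'highdatabase.com', 'incomeupdate.com', 'databasegalore.com',
    'panhardware.com', 'zupertech.com'
)
$iocIPs = @(
    '13.59.205.66', '54.193.127.66', '54.215.192.52', '34.203.203.23', '139.99.115.204',
    '5.252.177.25', '5.252.177.21', '204.188.205.176', '51.89.125.18', '167.114.213.199'
)

function Test-SunburstIndicator {
    # Returns a short reason string on a hit, $null otherwise.
    param([string]$Name, [string]$Answer)
    foreach ($d in $iocDomains) {
        # Exact domain or any subdomain, so the generated *.appsync-api.<region>.avsvmcloud.com
        # beacon names are matched without listing each one.
        if ($Name -ieq $d -or $Name -ilike "*.$d")     { return "query:$d" }
        if ($Answer -ieq $d -or $Answer -ilike "*.$d") { return "cname:$d" }
    }
    # IP match catches the C2 address even when the name was not logged or is unknown.
    if ($iocIPs -contains $Answer) { return "ip:$Answer" }
    return $null
}

# Constructed sample export (not real traffic). For live data use, for example:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=22}
# and map QueryName / QueryResults onto the -Name / -Answer parameters.
$sampleLog = @'
time,client,query,answer
2020-06-13T09:20:41Z,10.0.5.21,6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com,freescanonline.com
2020-06-13T09:20:41Z,10.0.5.21,freescanonline.com,54.193.127.66
2020-06-13T09:21:02Z,10.0.5.40,www.solarwinds.com,
2020-06-13T09:24:10Z,10.0.5.40,update.example.net,203.0.113.10
2020-12-13T19:28:44Z,10.0.7.3,unknown.example.net,13.59.205.66
'@

$hits = $sampleLog | ConvertFrom-Csv | ForEach-Object {
    $why = Test-SunburstIndicator -Name $_.query -Answer $_.answer
    if ($why) {
        [pscustomobject]@{
            Time      = $_.time
            Client    = $_.client
            Query     = $_.query
            Answer    = $_.answer
            Indicator = $why
        }
    }
}

$hits | Format-Table -AutoSize
```

On the constructed sample this flags the avsvmcloud[.]com beacon, the follow-on lookup of freescanonline[.]com, and the answer that resolves to a listed C2 address despite an unlisted name. The client column is what matters for scoping: every internal address that appears is a host to isolate and image before any remediation.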

 

References

US CISA: Active Exploitation of SolarWinds Software (current activity advisory)

US DHS CISA: Emergency Directive 21-01, Mitigate SolarWinds Orion Code Compromise

Brian Krebs: U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

SolarWinds: Determine which version of a SolarWinds Orion product you have installed

FireEye Mandiant: SunBurst Countermeasures

FireEye: Indicator_Release_NBIs.csv (network-based indicators)