Security news that informs and inspires

Stopping SolarWinds Backdoor with a Killswitch


Security company FireEye has identified a killswitch that would stop the Sunburst malware from executing in infected networks.

Security operations teams investigating for signs that nation-state attackers had deployed the Sunburst malware into their networks using the SolarWinds' Orion network monitoring technology can use the killswitch to detect and mitigate the threat. However, if the attackers had already deployed other backdoors or mechanism to maintain persistence, they remain a threat in the network.

Defenders have been scrambling ever since news broke that nation-state attackers had compromised network monitoring company SolarWinds, added malicious code to a DLL file used by the Orion network monitoring technology, and pushed out the tampered file to SolarWinds customers via the auto-update mechanism. FireEye discovered the malicious DLL file—named Sunburst by FireEye and Solarigate by Microsoft—while investigating a breach of its own network.

Just having the malicious DLL alone does not mean the network has been compromised, SolarWinds said.

Sunburst connects to a command-and-control server at a subdomain avsvmcloud to receive "jobs," or commands, to execute, FireEye said in its analysis, which was released as part of a coordinated disclosure with Microsoft and SolarWinds. A first-stage Trojan, Sunburst drops additional payloads into the network to allow attackers to elevate privileges, move laterally through the network, and steal information. Under the right conditions, it would be possible to force the malware to terminate itself, FireEye said.

"Depending on the IP address returned when the malware resolves avsvmcloud dot com under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections," FireEye said. FireEye identified about a dozen IP address ranges, and if an IP address fell within any of those ranges, the malware would stop execution.

Killswitch Mechanism

The domain now resolves to an IP address owned by Microsoft and the current domain name registrar is GoDaddy, said Brian Krebs, of KrebsofSecurity. GoDaddy appears to have created a wildcard DNS resolution so that all subdomains resolve to the Microsoft-owned IP address, BleepingComputer reported. By taking over the subdomain, Microsoft, GoDaddy, and FireEye ensure that all malicious traffic is captured. The malware won't be able to receive any malicious commands, and the traffic data can be analyzed to identify victims.

Any infected machine trying to connect to the C&C server on the domain will be redirected to a Microsoft-owned server and not the actual malicious server. Since the Microsoft-owned IP address fell within one of the IP address ranges, the malware would terminate and prevent itself from executing again. While the infected machine would remain infected, it will no longer be at risk of the malware trying to execute commands or download any other payloads.

Microsoft has collaborated with other companies to create sinkholes to disrupt botnets in the past. The 2017 WannaCry ransomware outbreak was eventually stopped by registering a domain the ransomware relied on to divert malicious traffic. It seems likely that the attackers had put the Microsoft's IP address block in the malware's block list to prevent Microsoft's security operations and research teams from finding and analyzing the malware.

The killswitch is effective against new and previous Sunburst deployments that may be still beaming to the subdomain, FireEye said. If the attacker had already used Sunburst to deploy other backdoors, then it didn't matter if the malware couldn't get any more jobs from the C&C server. That is a likely scenario since FireEye said the threat actor "moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor."

Even though the killswitch would not remove the threat actor from the network, it could make it harder for the attack group to use Sunburst, FireEye said.

Victims Around the World

SolarWinds said a preliminary investigation suggested attackers had compromised its build system. For most organizations, this kind of a compromise would be difficult to detect, since very few of organizations verify the tool being used when compiling code and building applications. The organization's software development process may check that code is being modified by authorized parties and that it is properly signed using the organization's key. However, most organizations don't check the build system (unless they are using hermetic build systems, which verifies where the build tools came from and what changes have been made to it before building software), so it becomes even less likely that malware would be detected in this kind of a scenario.

The malware has infected the networks of several federal agencies, including the United States Treasury, the US National Telecommunications and Information Administration, and the Department of Homeland Security. SolarWinds has thousands of customers in both the public and private sectors--a list which includes most federal agencies, all five branches of the military, almost all Fortune 500 companies, and thousands of managed services providers--but the magnitude of the attack is unknown at this time. Perhaps the attackers were interested in any and all organizations that could access, or they may have been targeting a very specific list of victims.

Just having the malicious DLL alone does not mean the network has been compromised, SolarWinds said.

Chinese cybersecurity firm RedDrip Team said it had identified nearly a hundred suspected victims, including universities, governments, and high-tech companies, using its decoder tool.

SolarWinds has not yet disclosed how the attacker gained access to its system to insert malware into the company's software update process. Researchers at Intel471 said they had seen Russian-language actors trying to sell access to SolarWinds up to three years ago. The seller had “allegedly attempted to work his way deeper into the SolarWinds network and eventually to the source code of its products,” Intel471 said.

FireEye has released indicators of compromise and other data to help security teams check their networks for signs they were also compromised. Other security vendors, including Microsoft, have added signatures for the malicious DLL file to their malware detection tools. SolarWinds has also released a hotfix and other updates that would address the issue in all impacted versions of the technology.