2. About
ZY Wu
• Threat analyst in the Fox-IT intel team
• Malware analysis & threat intel
• Find me at zong-yu.wu@fox-it.com
CK Chen
• HITCON Member
• HITCON 2021 Review Board Chairman
• Researcher, focus on malware analysis, APT investigation and threat intel
3. Agenda
• What happened?
• Define the supply chain attack
• Impact Assessment – Finding the targets
• How special is it?
4. Kudos to
Danny at Fox-IT
YJ at TrendMicro
Anonymous Hamster at Exercise wheel
6. Timeline
• 2020.12.09: FireEye hacked, Red Team tools leaked
• 2020.12.13: CISA issued emergency directive
• 2020.12.13-14: WSJ, Reuters: U.S. Treasury and Commerce departments hacked
• 2020.12.15-18: Second malware, Supernova, discovered
• 2020.12.17: Microsoft, FireEye, GoDaddy establish killswitch
• 2020.12.17: Microsoft reports potential victims
• 2020.12.31: Microsoft confirmed source code stolen
• 2021.01.05: CISA, DNI, NSA suspect the actor is Russia-based
• 2021.01.06: Department of Justice confirmed hacked
• 2021.01.11: CrowdStrike releases SUNSPOT investigation report
• 2021.01.13: CISA: bypass MFA in cloud services
• 2021.01.19: FireEye released remediation for Microsoft 365
• 2021.01.19: MalwareBytes claims to be hacked
• 2021.01.22: Microsoft: Deep dive into the Solorigate second-stage activation
• 2021.02.18: Microsoft Internal Solorigate Investigation – Final Update
• 2021.03.04: Microsoft, FireEye: New SUNSHUTTLE Backdoor Targeting U.S.-Based Entity
8. A %verb% B
(read each cell as: row A %verb% column B)
A \ B      Target                    Supplier        Attacker
Target     Afraid of (the insider)   Relied on       Afraid of
Supplier   Relied on                 -               Afraid of
Attacker   Interested in             Proxy through   -
9. Advantage of exploiting the Supply Chain
• Abuses the trust between supplier and targets
• It is possible to find a weaker supplier among them
• Compromises a whole range of companies if the major supplier in a sector is taken
10. Attack Against Code Dev.
Normal pipeline: Commit -> Build (Signing) -> Test -> Deploy
Compromised pipeline: Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stays low) -> Deploy -> SUNBURST's party time
11. Impact Assessment
• The purpose is more likely espionage, which makes impact assessment tough.
• In this presentation, I invite you to take a journey with me to picture the targeted industries.
12. Malwares on the Desk
Inside SolarWinds: SUNSPOT (injector)
Running at Victims' Env.: SUNBURST (Beacon), TEARDROP (Loader), RAINDROP (Loader), GoldMax, SiBot, GoldFinder, CobaltStrike
13. SUNBURST under X-Ray
• The beacon, the backdoor, installed into the SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
15. Malware stays low under these AD domains:
It checks antivirus drivers/processes/services and analysis tools as well.
https://github.com/fireeye/sunburst_countermeasures/blob/main/hashcat.potfile
swdev.local, saas.swi, emea.sales, dmz.local, pci.local, lab.local, apac.lab, dev.local, swdev.dmz, lab.rio, cork.lab, lab.brno, lab.na, test, Solarwinds
SUNBURST was coded like a legitimate class, for example:
(figure annotations: "Encode Process Name in fact"; "Mimicking the legitimate traffic on the Platform")
16. SUNBURST under X-Ray
• The beacon, the backdoor, installed into the SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
• The callback domain is generated from victim information and carried over the DNS protocol.
• Stage 1 – on DNS, to obtain the HTTP server
• Stage 2 – on HTTP, for the backdoor
17. SUNBURST Callback Protocol
• There are up to 4 different types (2 encodings x 2 inputs); for example:
57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
Layout: <Prefix> . <Fixed: appsync-api> . <Random: us-east-1> . <C&C: avsvmcloud.com>
Prefix breakdown:
  first 15 chars: Encoded GUID -> 06a4ea63c80ee24a
  the rest ("else"): Encoded AD domain name -> scc.state.va.
-> The AD domain can be retrieved from a DNS query!
-> Reverse engineering is needed to decode it
18. SUNBURST Callback Protocol
• DNS traffic, when it is not running over SSL/TLS, is not encrypted
• It is possible to gather the domains that were queried at a certain time by listening to the network traffic on the internet backbone.
• This dataset is called Passive DNS (pDNS) records.
20. Searching the victims (in PASSIVE mode)
Query 1: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
  Layout: <Prefix> . <Fixed> . <Random> . <C&C>
  Prefix: first 15 chars = Encoded GUID -> 06a4ea63c80ee24a; the rest = Encoded AD domain name -> scc.state.va.
Query 2: m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com
  Prefix: first 15 chars = Encoded GUID -> 06a4ea63c80ee24a; the rest -> us
  The chunks add up to scc.state.va.us
DGA Encoding method for PASSIVE state
23. Searching the targets (in ACTIVE mode)
9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com
Layout: <Prefix> . <Fixed> . <Random> . <C&C>
Prefix breakdown:
  first 8 chars: GUID -> 06a4ea63c80ee24a
  next 3 chars: Meta -> mode=1, active=1, timestamp=2020-05-31 12:00:00
  the rest ("else"): Running Antivirus
The GUID is mapped to scc.state.va.us (from the PASSIVE-mode queries)
DGA Encoding method for ASSOCIATED/ACTIVE state
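As an added illustration (not code from the talk, FireEye or any other vendor named here), this is how the pDNS-based victim search on these slides can be scripted: the raw query name is split into the prefix / fixed / random / C&C fields, and already-decoded prefix contents are correlated per GUID so that passive-mode chunks add up to the AD domain and active-mode beacons are joined to it. Decoding the prefix itself is assumed to have been done upstream (it is not implemented here); the records are constructed from the slide examples, and the second GUID and the sector buckets are hypothetical.

```python
import re
from collections import defaultdict

# Layout of a SUNBURST callback name as described on the slides:
#   <prefix>.appsync-api.<region>.avsvmcloud.com
#   prefix = encoded victim data, appsync-api = fixed, region = random, avsvmcloud.com = C&C
CALLBACK_RE = re.compile(
    r"^(?P<prefix>[a-z0-9]+)\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com$"
)

def split_callback(qname):
    """Split a raw pDNS query name into its four structural fields; None if it is not one."""
    m = CALLBACK_RE.match(qname.lower().rstrip("."))
    if not m:
        return None
    return {"prefix": m["prefix"], "fixed": "appsync-api",
            "random": m["region"], "c2": "avsvmcloud.com"}

# CONSTRUCTED records: what prefixes look like AFTER decoding, following the slide examples.
# Decoding the prefix (SUNBURST's custom encoding) is assumed done upstream, not implemented here.
DECODED = [
    {"ts": "2020-05-31 11:58:00", "guid": "06a4ea63c80ee24a", "mode": "passive", "chunk": "scc.state.va."},
    {"ts": "2020-05-31 11:59:00", "guid": "06a4ea63c80ee24a", "mode": "passive", "chunk": "us"},
    {"ts": "2020-05-31 12:00:00", "guid": "06a4ea63c80ee24a", "mode": "active", "active": 1},
    {"ts": "2020-06-02 08:00:00", "guid": "ffff000011112222", "mode": "passive", "chunk": "lab.example."},  # hypothetical GUID
    {"ts": "2020-06-02 08:01:00", "guid": "ffff000011112222", "mode": "passive", "chunk": "test"},
]

def correlate(records):
    """Reassemble AD-domain chunks per GUID in time order and join active-mode beacons to them."""
    victims = defaultdict(lambda: {"domain": "", "active": False, "first_active": None})
    for r in sorted(records, key=lambda r: r["ts"]):
        v = victims[r["guid"]]
        if r["mode"] == "passive":
            v["domain"] += r["chunk"]          # chunks "add up" to the full AD domain
        elif r.get("active") == 1:             # active mode carries only GUID + meta
            v["active"] = True
            v["first_active"] = v["first_active"] or r["ts"]
    return dict(victims)

def sector_of(domain):
    """Coarse sector bucket by suffix, mirroring the manual grouping on the slides (hypothetical rules)."""
    if domain.endswith(".mil"):
        return "Defense"
    if domain.endswith(".gov") or ".state." in domain:
        return "Government"
    return "Unknown"
```

Calling correlate(DECODED) yields one entry per GUID with the reassembled domain and whether an active-mode beacon (second-stage candidate) was ever seen for it.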
24. Searching the targets (in ACTIVE mode)
Government: scc.state.va.us, central.pima.gov, mgt.srb.europa, fc.gov, ddsn.gov, phpds.org
Energy: HQ.FIDELLA, lagnr.chevronte, xaco.net, coxnet.cox.com
Defense: ng.ds.army.mil, nsanet.local
Tech/CyberSecurity: corp.qualys.com, paloaltonetworks.com, logitech.local, wctc.msft, ggsg-us.cisco.com, cisco.com, fox.local
25. A %verb% B
(read each cell as: row A %verb% column B)
A \ B      Target                    Supplier                Attacker
Target     Afraid of (the insider)   Relied on & Afraid of   Afraid of
Supplier   Relied on                 -                       Afraid of
Attacker   Interested in             Proxy through           -
26. Software Supply Chain
While better defense mechanisms are deployed, threat actors move their targets to the weakest point of the supply chain
More complicated software -> more complicated supply chain
We talk a lot about supply chain, so…
What's the supply chain of the software you use daily?
34. APTs Utilize Supply Chain Attacks
• While most organizations gradually enhance their security, adversaries try to compromise the weakest point of the partner/supply chain first.
ASUS ShadowHammer (2019)
Discovered by Kaspersky
ASUS Web Storage (2019)
We discovered this operation at the same time as ESET
35. APTs Utilize Supply Chain Attacks
• While most organizations gradually enhance their security, adversaries try to compromise the weakest point of the partner/supply chain first.
SolarWinds Supply Chain Attack (2021)
36. Highlight TTPs
• Supply Chain Attack: a large number of enterprises are potential victims
• Compromise DevOps: stay stealthy in the development environment
• Sophisticated Malware: separate the malware's execution paths
• Attacking the Cloud Service
37. Attacking the Cloud Service
• Lateral movement from on-premises networks to gain unauthorized access to the victim's Microsoft 365 environment
• Golden SAML Attack
• Modify Trusted Domains
• Hijack Azure AD Applications
• Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
38. Mitigation
• Threat Hunting for Malicious IoCs
• FireEye’s Red Team Tool IoCs
• SunBurst IoCs
• CISA "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations"
• Summary about the IoCs
• https://shorturl.at/fxKTV
39. Mitigation
• Mandiant Azure AD Investigator
• https://github.com/fireeye/Mandiant-Azure-AD-Investigator
• CISA "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services"
• https://github.com/cisagov/Sparrow
40. Lessons Learned
• While being compromised is hard to avoid, proactively hunt for threats and respond to the incident.
• Communicate and share with the security community
• Sophisticated APT attacks
• Supply Chain Attack
• Compromised DevOps process
• Leverage cloud service attacks
• Supply chain security will still be the loophole in enterprises' security
• Use threat intelligence, e.g. PDNS, to help us understand the threat actor's targets
• Cloud services become a new attack vector for lateral movement (LM)