
Example Analysis of Security risk of APT attack in SolarWinds supply chain

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an example analysis of the security risk posed by the APT attack on the SolarWinds supply chain. Readers who work with SolarWinds Orion, or who defend environments that do, should find the indicators and the description of the backdoor's behaviour useful.

Background

The US security company FireEye (Chinese name: 火眼, "Fire Eye") released a report on December 13 stating that it had discovered a global intrusion campaign, and named the group behind it UNC2452. After compromising SolarWinds, the APT group inserted malicious code into the SolarWinds Orion commercial software update package, which was then distributed to customers through the normal update channel; FireEye calls the malware SUNBURST. The backdoor can transfer files, execute files, profile the system, reboot the machine and disable system services, which gives the attacker what it needs for lateral movement and data theft.

SolarWinds Orion Platform is a scalable infrastructure monitoring and management platform that simplifies IT management in on-premises, hybrid and software-as-a-service (SaaS) environments through a single interface. The platform provides real-time monitoring and analysis of network devices, and supports customised web pages, a variety of user views and map-based browsing of the whole network.

Overview of events

On December 13th, FireEye disclosed a supply chain attack that Trojanized SolarWinds Orion business software updates: SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework, had a backdoor implanted in it that communicates with third-party servers over HTTP. According to FireEye, the attack may have begun as early as the spring of 2020 and was still ongoing at the time of disclosure. From March 2020 to May 2020, the attacker digitally signed several Trojanized updates and posted them to the SolarWinds update website, including hxxps://downloads.solarwinds [.] com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp. FireEye has published the characteristics of the backdoor and detection rules for it on GitHub at the following address:

https://github.com/fireeye/sunburst_countermeasures

The Trojanized file is the SolarWinds.Orion.Core.BusinessLayer.dll component, delivered inside a standard Windows Installer patch file (.msp). Once the update package is installed, the malicious DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe process (depending on system configuration).

SolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plug-in component of the Orion software framework. Its SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer class implements the backdoor, which communicates with the third-party server over HTTP, transfers and executes files, profiles the system and disables system services. The backdoor's network traffic is disguised as legitimate SolarWinds activity to evade detection by security tools.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds with a certificate whose serial number is 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
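The two concrete indicators the article gives for the Trojanized component are its file hash and the serial number of the signing certificate. The script below is an added example, not code from the article or from FireEye's countermeasures repository: it walks a directory tree, hashes every file carrying the component's name, flags copies whose hash is in a known-bad set, and compares certificate serials in a normalised form so that `0f:e9:...`, `0FE9...` and space-separated renderings all match. The hash and serial constants are the values quoted in the article (the 32-character hash is an MD5); the directory layout, file contents and function names are constructed for the demonstration.

```python
"""Added example (not from the original article): triage of a directory tree
for the Trojanized SolarWinds Orion component, matching on file hash and on
the signing certificate serial quoted in the article."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Values quoted in the article.
TARGET_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
KNOWN_BAD_MD5 = {"b91ce2fa41029f6955bff20079468448"}
SIGNING_SERIAL = "0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed"


@dataclass
class Finding:
    path: str
    md5: str
    sha256: str
    known_bad: bool


def hash_file(path, chunk=1 << 20):
    """Stream the file once and return (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, target_name=TARGET_NAME, known_bad=KNOWN_BAD_MD5):
    """Report every file named like the component; NTFS is case-insensitive,
    so the name comparison is too. The SHA256 is kept for sharing with other
    tools even when only an MD5 indicator is at hand."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != target_name.lower():
                continue
            path = os.path.join(dirpath, name)
            md5, sha256 = hash_file(path)
            findings.append(Finding(path, md5, sha256, md5 in known_bad))
    return findings


def normalize_serial(serial):
    """Different tools print certificate serials with colons, spaces, upper
    case or a stripped leading zero; reduce all of them to one form."""
    s = serial.replace(":", "").replace(" ", "").lower()
    return s.lstrip("0") or "0"


def serial_matches(observed, known=SIGNING_SERIAL):
    return normalize_serial(observed) == normalize_serial(known)


def build_demo_tree(root):
    """Constructed layout: one file with the component's name and one
    unrelated DLL that the scan must ignore. Returns the path of the former."""
    sub = os.path.join(root, "Orion")
    os.makedirs(sub, exist_ok=True)
    stand_in = os.path.join(sub, TARGET_NAME)
    with open(stand_in, "wb") as f:
        f.write(b"constructed stand-in for the component, not real content\n")
    with open(os.path.join(sub, "Unrelated.dll"), "wb") as f:
        f.write(b"benign\n")
    return stand_in


def demo():
    """Run the scan twice: against the article's indicator (the constructed
    file cannot match it) and against the stand-in's own hash (which shows
    what a hit looks like). Returns (name, known_bad) pairs for each run."""
    with tempfile.TemporaryDirectory() as root:
        stand_in = build_demo_tree(root)
        against_article = scan_tree(root)
        stand_in_md5, _ = hash_file(stand_in)
        against_constructed = scan_tree(root, known_bad={stand_in_md5})
        summarise = lambda fs: [(os.path.basename(f.path), f.known_bad) for f in fs]
        return {"article": summarise(against_article),
                "constructed": summarise(against_constructed)}


if __name__ == "__main__":
    print(demo())
    print(serial_matches("0FE9737520 22A606ADF2A36E345DC0ED"))
```

On a real host, `scan_tree` would be pointed at the Orion installation directory with `KNOWN_BAD_MD5` as the indicator set; the serial check is meant to be applied to the serial that `Get-AuthenticodeSignature` or `signtool` reports for the file, since a hash match identifies one specific build while the certificate serial covers every update signed with that certificate.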

Affected versions

2019.4 HF 5
