APT

SolarWinds Attack: Microsoft sheds light on Solorigate second-stage activation

Microsoft’s report provides details of the entire SolarWinds attack chain, with a deep dive into the second-stage activation of malware and tools.

Microsoft published a new report that includes additional details of the SolarWinds supply chain attack. The new analysis sheds light on the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.

The attackers focused on keeping these two components of the attack chain as separate as possible to evade detection.

The report provides details regarding the Solorigate second-stage activation that allowed the attackers to deliver Cobalt Strike loaders such as Teardrop and Raindrop.

The known information on the attacks confirms that the Solorigate DLL backdoor was compiled at the end of February 2020 and distributed to the potential victims in late March. The attackers then removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.

Considering that the Solorigate backdoor was designed to stay dormant for at least two weeks, the analysis of the timeline suggests that attackers spent approximately a month selecting the victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. This means that the “hands-on-keyboard activity” likely started as early as May.

“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).” states the report published by Microsoft.

Microsoft experts analyzed forensic data across the entire environment of impacted organizations to discover how the attackers moved laterally and how long they remained within their target networks.

The experts conducted a deep analysis of data collected from Microsoft 365 Defender and Microsoft Defender telemetry.

While investigating the attack, Microsoft identified several pieces of second-stage malware and tooling, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike Beacon.

“TEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are likely generated using custom Artifact Kit templates.” continues the report. “Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading a DLL into a process memory without using the Windows loader.”

Microsoft added that further attacker tactics, anti-forensic behavior, and operational security allowed them to avoid detection and make them stand out for their operations security (OpSec) practices.

Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:

  • Methodical avoidance of shared indicators for each compromised host. Attackers prepared a unique Cobalt Strike DLL implant for each machine and avoided at any cost the overlap and reuse of folder names, file names, export function names, C2 domains/IPs, HTTP requests, timestamps, file metadata, configuration, and launched child processes.
  • Camouflage and blending into the environment. Attackers always renamed tools and binaries they used (e.g., ADFIND legit tool) and placed them in folders that mimicked existing programs and files already present on a machine.
  • Disabling event logging using AUDITPOL and re-enabling it afterward.
  • To avoid noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries) being detected, the attackers created special firewall rules to minimize outgoing packets for certain protocols. Then the attackers methodically removed the rules after the reconnaissance was completed.
  • Lateral movement activities were never executed without preparation.
  • Attackers used timestomping to change the timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate the discovery and recovery of DLL implants from affected environments.
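Two of the behaviours in the list above, audit policy switched off and back on, and firewall rules added and later deleted, leave paired events in process-creation telemetry. The following Python is an added example, not code from the Microsoft report or this article: it hunts for such enable/act/revert pairs on the same host within a time window. The event records, host names and rule names are constructed samples.

```python
"""Hunt for 'turn off, act, turn back on' pairs in process-creation logs
(Sysmon Event ID 1 style). All events below are constructed samples."""
import re
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, host, command line).
EVENTS = [
    ("2020-06-02T09:01:10", "WS-017", 'auditpol.exe /set /category:"Detailed Tracking" /success:disable'),
    ("2020-06-02T09:02:30", "WS-017", 'netsh advfirewall firewall add rule name="wupd" dir=out action=block protocol=UDP'),
    ("2020-06-02T09:03:00", "WS-017", "nslookup dc01.corp.example"),
    ("2020-06-02T09:40:12", "WS-017", 'netsh advfirewall firewall delete rule name="wupd"'),
    ("2020-06-02T09:41:05", "WS-017", 'auditpol.exe /set /category:"Detailed Tracking" /success:enable'),
    ("2020-06-02T10:15:00", "WS-022", "auditpol.exe /get /category:*"),  # read-only query, benign
    ("2020-06-03T08:00:00", "SRV-DB1", 'netsh advfirewall firewall add rule name="SQL" dir=in action=allow protocol=TCP'),
]

# auditpol switches that reduce or clear auditing, and the ones that restore it.
AUDIT_OFF = re.compile(r"auditpol(?:\.exe)?\b.*(?:/(?:success|failure):disable|/clear|/remove)", re.I)
AUDIT_ON = re.compile(r"auditpol(?:\.exe)?\b.*/(?:success|failure):enable", re.I)
# netsh firewall rule creation/deletion; the rule name is the pairing key.
FW_ADD = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\s+name="?([^"\s]+)', re.I)
FW_DEL = re.compile(r'netsh\s+advfirewall\s+firewall\s+delete\s+rule\s+name="?([^"\s]+)', re.I)

def classify(cmd):
    """Return (kind, key, opens) for a command of interest, else None.
    opens=True marks the action that starts a pair (disable / add rule)."""
    if AUDIT_OFF.search(cmd):
        return ("auditpol", "policy", True)
    if AUDIT_ON.search(cmd):
        return ("auditpol", "policy", False)
    m = FW_ADD.search(cmd)
    if m:
        return ("firewall", m.group(1).lower(), True)
    m = FW_DEL.search(cmd)
    if m:
        return ("firewall", m.group(1).lower(), False)
    return None

def find_revert_pairs(events, window=timedelta(hours=6)):
    """Return (host, kind, key, start, end) for every opening action that is
    reverted on the same host within `window`. Unreverted actions (e.g. a
    permanent allow rule on a database server) are not reported."""
    pending, findings = {}, []
    for ts, host, cmd in sorted(events):
        c = classify(cmd)
        if c is None:
            continue
        kind, key, opens = c
        t = datetime.fromisoformat(ts)
        if opens:
            pending[(host, kind, key)] = t
            continue
        start = pending.pop((host, kind, key), None)
        if start is not None and t - start <= window:
            findings.append((host, kind, key, start.isoformat(), t.isoformat()))
    return findings
```

Extending the key set (for example pairing a `Set-MpPreference` change with its reversal) keeps the same structure; only `classify` changes.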

“As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.” concludes Microsoft.


Pierluigi Paganini
