Advisory |
Adversarial Intelligence |
Threat Actor |
UNC2452 [campaign tracker] |
Vector |
Supply Chain |
Vendor |
SolarWinds |
- SolarWinds.BusinessLayerHost.exe
- SolarWinds.BusinessLayerHostx64.exe.
Command & Control (C2)
C2 communications are safely embedded as part of SolarWinds communication protocol called Orion Improvement Program Protocol, to evade security and as part of operational security. The domain used for C2 is avsvmcloud.com A Domain Generation Algorithm is used to construct and resolve the subdomain of avsvmcloud.com The malware kills security and forensic services running on the target system, using a block list. The block list contains a list of services linked to AV/EDR/XDR vendors and other forensics related tools. The payload connects to the C2 server after connection to the domain api.solarwinds.com is established. The subdomains are linked together with one of the following domains to create hostname to resolve:- .appsync-api.eu-west-1[.]avsvmcloud[.]com
- .appsync-api.us-west-2[.]avsvmcloud[.]com
- .appsync-api.us-east-1[.]avsvmcloud[.]com
- .appsync-api.us-east-2[.]avsvmcloud[.]com
MITRE Techniques & Tactics
Technique |
Tactics |
|
| Resource Development | T1584 | Compromise Infrastructure |
| Initial Access | T1195.002 | Compromise Software Supply Chain |
| Execution | T1569.002 | Service Execution |
| Persistence/Privilege Escalation | T1543.003 | Windows Service |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| T1070.004 | File Deletion | |
| T1553.002 | Code Signing | |
| Discovery | T1012 | Query Registry |
| T1057 | Process Discovery | |
| T1083 | File and Directory Discovery | |
| T1518 | Software Discovery | |
| T1518.001 | Security Software Discovery | |
| Command and Control | T1071.001 | Web Protocols |
| T1071.004 | Application Layer Protocol: DNS | |
| T1105 | Ingress Tool Transfer | |
| T1132.001 | Standard Encoding | |
| T1568.002 | Domain Generation Algorithms | |
Impact
Technical Impact
- Renders security systems useless
- Compromise network domain
- Fully undetectable persistence on the victim
Business Impact
- Compromises user data and privacy
- Loss of reputation and goodwill
- Loss of share value
- Compliance violations and fine
- Legal actions from the clients
Indicators of Compromise
Hashes/ SHA256
- d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
- 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
- 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
- ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
- 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
- 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
- C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
IP
- 13.59.205.66
- 54.193.127.66
- 54.215.192.52
- 34.203.203.23
- 139.99.115.204
- 5.252.177.25
- 5.252.177.21
- 204.188.205.176
- 51.89.125.18
- 167.114.213.199
Mitigation
- Contain/ isolate SolarWinds servers for further investigation
- Restrict internet egress from servers or endpoints that are SolarWinds servers
- Supervision of privileged account on SolarWind servers
- Effective rules for detection are provided in the link below: