UNC2452 Threat Actor Group Threat Intel Advisory

CloudSEK threat intelligence advisory on UNC2452, the threat actor that compromised a module of the SolarWinds Orion IT monitoring and management system.
Updated on: April 19, 2023
Published on: December 16, 2020
Advisory: Adversarial Intelligence
Threat Actor: UNC2452 [campaign tracker]
Vector: Supply Chain
Vendor: SolarWinds
A sophisticated threat actor dubbed UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management system. They planted a backdoor [Sunburst] in the dynamic-link library (DLL) SolarWinds.Orion.Core.BusinessLayer.dll, which is loaded by one of the following .NET executables [depending on system configuration]:
  • SolarWinds.BusinessLayerHost.exe
  • SolarWinds.BusinessLayerHostx64.exe
This campaign uses a “memory-only” dropper named TEARDROP to deploy a modified Cobalt Strike Beacon onto the victim for command and control (C2). The trojanized component is distributed as part of the following legitimate update: hxxp://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Command & Control (C2)

C2 traffic is disguised as SolarWinds' own Orion Improvement Program (OIP) protocol, both to evade security controls and as part of the actor's operational security. The C2 domain is avsvmcloud.com; a domain generation algorithm (DGA) constructs the subdomain of avsvmcloud.com that the malware resolves. The malware kills security and forensic services running on the target system using a block list of services tied to AV/EDR/XDR vendors and other forensic tools. The payload contacts the C2 server only after a connection to the domain api.solarwinds.com has been established. The DGA-generated subdomain is joined with one of the following domains to form the hostname to resolve:
  • .appsync-api.eu-west-1[.]avsvmcloud[.]com
  • .appsync-api.us-west-2[.]avsvmcloud[.]com
  • .appsync-api.us-east-1[.]avsvmcloud[.]com
  • .appsync-api.us-east-2[.]avsvmcloud[.]com
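The hostname construction above gives defenders a simple DNS-layer detection: any query whose name ends in one of the four regional avsvmcloud.com suffixes, with an extra label in front, is a DGA beacon. The following script is an added example written for this advisory (not CloudSEK's or FireEye's code); it assumes a constructed DNS log format of "timestamp client_ip qname qtype", and the DGA-style label in the sample log is made up, not a published indicator.

```python
import re
from dataclasses import dataclass

# Suffixes listed in the advisory; the DGA prepends a generated label to one of them.
C2_SUFFIXES = (
    ".appsync-api.eu-west-1.avsvmcloud.com",
    ".appsync-api.us-west-2.avsvmcloud.com",
    ".appsync-api.us-east-1.avsvmcloud.com",
    ".appsync-api.us-east-2.avsvmcloud.com",
)
C2_APEX = "avsvmcloud.com"

# Assumed log layout (constructed for this example): "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    qname: str
    label: str      # the generated subdomain label, useful for pivoting across hosts
    reason: str


def classify(qname):
    """Return a reason string if qname belongs to the C2 domain, else None."""
    name = qname.rstrip(".").lower()
    for suffix in C2_SUFFIXES:
        # Require at least one label in front of the suffix: that is the DGA output.
        if name.endswith(suffix) and len(name) > len(suffix):
            return "dga-subdomain:" + suffix.lstrip(".")
    # Catch the apex or any other subdomain so nothing under avsvmcloud.com slips by.
    if name == C2_APEX or name.endswith("." + C2_APEX):
        return "avsvmcloud-other"
    return None


def dga_label(qname):
    """Everything before the first '.appsync-api.' segment, lowercased."""
    name = qname.rstrip(".").lower()
    return name.split(".appsync-api.", 1)[0] if ".appsync-api." in name else ""


def scan_dns_log(lines):
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, qname, _qtype = m.groups()
        reason = classify(qname)
        if reason:
            hits.append(Hit(ts, client, qname, dga_label(qname), reason))
    return hits


# Constructed sample log. The first line is the legitimate SolarWinds endpoint the payload
# checks before beaconing; it is expected traffic and must not be flagged on its own.
SAMPLE_LOG = [
    "2020-12-14T08:01:02Z 10.0.5.17 api.solarwinds.com A",
    "2020-12-14T08:01:09Z 10.0.5.17 k3j9x2constructedlabel.appsync-api.us-east-1.avsvmcloud.com A",
    "2020-12-14T08:02:30Z 10.0.5.40 www.example.com A",
    "2020-12-14T08:03:11Z 10.0.5.17 avsvmcloud.com NS",
    "2020-12-14T08:04:00Z 10.0.5.41 notavsvmcloud.com A",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} {hit.qname} -> {hit.reason} (label={hit.label})")
```

The suffix match deliberately requires a label in front of the regional suffix, so the detection keys on the DGA behaviour rather than on any one generated name; the apex/other branch is a lower-confidence catch-all for queries that touch the domain in any other form. The legitimate api.solarwinds.com lookup is left unflagged here, but its proximity in time to an avsvmcloud.com query from the same client is the sequence the advisory describes and is worth correlating in a SIEM.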

MITRE Techniques & Tactics

Tactic and technique(s)
Resource Development
  • T1584 Compromise Infrastructure
Initial Access
  • T1195.002 Compromise Software Supply Chain
Execution
  • T1569.002 Service Execution
Persistence/Privilege Escalation
  • T1543.003 Windows Service
Defense Evasion
  • T1027 Obfuscated Files or Information
  • T1070.004 File Deletion
  • T1553.002 Code Signing
Discovery
  • T1012 Query Registry
  • T1057 Process Discovery
  • T1083 File and Directory Discovery
  • T1518 Software Discovery
  • T1518.001 Security Software Discovery
Command and Control
  • T1071.001 Web Protocols
  • T1071.004 Application Layer Protocol: DNS
  • T1105 Ingress Tool Transfer
  • T1132.001 Standard Encoding
  • T1568.002 Domain Generation Algorithms

Impact

Technical Impact
  • Renders security systems useless
  • Compromise of the network domain
  • Fully undetectable persistence on the victim
Business Impact
  • Compromise of user data and privacy
  • Loss of reputation and goodwill
  • Loss of share value
  • Compliance violations and fines
  • Legal action from clients

Indicators of Compromise

Hashes (SHA256)
  • d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
  • C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
IP Addresses
  • 13.59.205.66
  • 54.193.127.66
  • 54.215.192.52
  • 34.203.203.23
  • 139.99.115.204
  • 5.252.177.25
  • 5.252.177.21
  • 204.188.205.176
  • 51.89.125.18
  • 167.114.213.199

Mitigation

  • Contain/isolate SolarWinds servers for further investigation
  • Restrict internet egress from SolarWinds servers and the endpoints that host them
  • Monitor privileged accounts used on SolarWinds servers
  • Effective detection rules are provided at the link below:
https://github.com/fireeye/sunburst_countermeasures
