DHS Emergency Directive 21-01 - Sunburst - SolarWinds thread

I’m starting this thread to track discussion of the US DHS Emergency Direction 21-01. Please try to keep discussion in this topic.

US Department of Homeland Security has identified an intrusion that appears related to the SolarWinds Orion product. Actions to take include shutting down SolarWinds devices, then scanning for several known Indicators of Compromise.

https://cyber.dhs.gov/ed/21-01/

Initial BETA IoC lists:

Method 1

https://bigfix.me/relevance/details/3023027 - check for netsetupsvc.dll

Relevance to retrieve more details on detected files:
https://bigfix.me/relevance/details/3023028

The three above are pure Relevance. They can be queried using the BigFix Query app in BigFix WebUI, added as Properties, run in the Fixlet Debugger; but are not appropriate for direct export/import to the Console.
https://bigfix.me/analysis/details/2998622 is an Analysis containing the three properties of Method 1 that can be directly imported to into the Console.

Method 2

Alternate method: Full-disk scan for the files and retrieve the scan result via analysis
https://bigfix.me/fixlet/details/26725 - Scan Task
https://bigfix.me/analysis/details/2998618 - Analysis to retrieve results

(Analysis was just updated to include paths, size, modification time, version, md5, and sha1 of detected files)

Microsoft has also published guidance on this with additional compromised sha1 hashes and paths for the SolarWinds.Orion.Core.BusinessLayer.dll file. The Full-Disk Scan should find these files, and the additional hashes have been added to version 1.1 of the Analysis.
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

The Full-Disk analysis just updated with additional known-bad sha256 hashes, 2020-12-14 14:45 CST, v1.2

2020-12-16 12:21 pm CST: Updated the “Method 1” Analysis to also attempt retrieving SolarWinds Orion installation path from Add/Remove Programs registry keys, and to report installation details if SolarWinds Orion is found in the Registry.
2020-12-16 13:21 CST: Updated https://bigfix.me/analysis/details/2998624 to retrieve “unique values” for the file details. The same file could be reported twice if installed in a default installation path (found in both the “assumed paths to check” and the “installation path from registry”)

2020-12-17 10:20 CST - Updated https://bigfix.me/analysis/details/2998625 to correct a false-negative due to redirected 32-bit file paths.

2020-12-17 12:00 CST - Updated https://bigfix.me/analysis/details/2998625 to correct an issue with older BigFix clients lacking the ‘locked line of file’ inspector, and to remove three erroneous hashes as pointed out by @sbl.

2020-12-21 10:21 AM CST - A separate vulnerability SolarWinds has been identified, dubbed ‘SuperNova’. MSRC has also updated list of sha256 hashes for Sunburst vulnerability. Method 1 Analysis, and Method 2 Task and Analysis have been updated at BigFix.me

Related:

• https://cyber.dhs.gov/ed/21-01/
• https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
• https://www.solarwinds.com/certadvisory
• https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015
• https://github.com/fireeye/sunburst_countermeasures
• https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015
• MS-ISAC Advisory 2020-166
• CVE-2020-14005
• CVE-2020-13169
• https://unit42.paloaltonetworks.com/solarstorm-supernova/

Anyone cooking up an analysis for IOC files and hashes?

The first IoC seems to be a specific file and MD5 hash:

Scanning the entire drive with the BigFix agent is expensive, but scanning a strategic subset has good value vs cost.

Suggest using BigFix Query with this relevance

https://bigfix.me/relevance/details/3023026

Updated relevance again to include other known hashes.
Updated relevance to remove hashes that are not associated with the DLL. (Thanks @sbl)

exists find folders "SolarWinds" whose (exists file "Orion\SolarWinds.Orion.Core.BusinessLayer.dll" whose (sha256 of it is contained by set of("019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"; "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"; "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"; "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c"; "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77"; "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"; "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af"; "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b"; "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed") OR md5 of it = "b91ce2fa41029f6955bff20079468448") of it) of ((folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED")))

and if you get a True, you might look further with this one:
https://bigfix.me/relevance/details/3023028

q: (pathname of it, version of it as string| "no version", sha1 of it|"NoSHA1", sha256 of it|"NoSHA256", md5 of it|"NoMD5") of files "Orion\SolarWinds.Orion.Core.BusinessLayer.dll" of find folders "SolarWinds" of (( folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED")))
A: D:\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll, 2019.4.5200.9083, 76640508b1e7759e548771a5359eaed353bf1eec, 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, b91ce2fa41029f6955bff20079468448
T: 14.685 ms
I: plural ( string, string, string, string, string )

This assumes that a system administrator typically would pick the default (c:\program files (x86)) or would pick a folder right off the root of another drive.

x:\Program Files\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
x:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
x:\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll

Initial post updated with links to BigFix.me

if (x64 of operating system) then (exists files "netsetupsvc.dll" of folders "syswow64" of windows folders) else false

Do you have any 32-bit windows to test with? My thought is that ‘system wow64 folders’ should be empty on those, so we’d get back a False on the statement. Is that not the case?

I get errors on 32bit systems. I think the system wow64 folders inspector chokes there.

Thanks! Will update.

Note - in testing on my Windows 2016 server box, Windows Defender detects the file as malware as soon as I copy it in.

image1009×780 84 KB

Actually, my errors may have been due to incorrect types. This seems to be error free:

if (x64 of operating system) then (exists files "netsetupsvc.dll" of system wow64 folders) else false

Just updated the full-scan Task and Analysis at bigfix.me.
Fixed capitalization in titles for “SolarWinds”.
Add file path, size, modification time, version, md5, and sha1 hashes to the Analysis results.

Microsoft has published additional guidance at https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ . Looking in to it now.

https://bigfix.me/analysis/details/2998620 has been updated with the additional hashes provided by Microsoft Security Research Center

Just updated https://bigfix.me/analysis/details/2998621 with additional known-bad hashes.

Now that the activity on this seems to be slowing down, it’s probably worth a bit of discussion on what we’ve put in BigFix.me and why there are two distinct methods (so far).

From the top post in the thread, we have

The two Fixlets are checks for the affected DLL files, in the paths where we expect they probably reside. The compromised netsetupsvc.dll, if it exists, would be in \Windows\syswow64. That’s a static path and easy to check. The SolarWinds.Orion.Core.BusinessLayer.dll file, however, would be in the installation directory of SolarWinds, which can be customized at installation time. We made a stab at several different paths, including the “Program Files” and “Program Files (x86)” folders on all drive letters, as well as the “SolarWinds” folder on all drive letters.
If you have SolarWinds installed in one of those paths, this detection should be sufficient. However it does not scan through any other directory structures, as that kind of full-system scan is very expensive to do in Relevance.

To handle cases where SolarWinds might be installed in a non-default path we don’t anticipate, one can run the “Alternate Method” probe -

The “Alternate Method” is in two parts. First, there’s a Task that must be run on the system. The action of this task scans all fixed hard drives, searching for the ‘SolarWinds.Orion.Core.BusinessLayer.dll’ file in all drive paths, as well as the ‘netsetupsvc.dll’ file at \Windows\SysWOW64. The scan runs in its own batch file from the CMD shell, so it’s not throttled by the BigFix client’s CPU throttle and retrieves the list of files much more quickly than a native relevance statement like ‘descendants of folders()’. The file list is saved to an output file that is parsed by the Analysis.

The accompanying Analysis identifies the file paths found by the scan, compares the “SolarWinds.Orion.Core.BusinessLayer.dll” to a list of known-bad hash values, and if one of those bad hashes matches, the file details are presented by the Analysis. The details include file path, size, modification time, version, and the md5, sha1, and sha256 hashes of the file.

The second method is more likely to find affected components when they are installed in non-default paths, but have the overhead of requiring an Action to be taken before results can be presented.
For both detections, the list of known-bad hash values have been updated at least three times today as more information has been revealed, and may update a few more times yet. For the second method, so far these changes have required updating the Analysis, but have not required re-executing the probe task.

Whether a detection is found, US Government customers have specific directions to follow per the DHS bulletin, or may have guidance from their own Agency (I have no insight into that, but the DHS bulletin specifically says things like disconnect the machine, not wipe it, for forensic analysis).

For private companies, you should check with your Security, Leadership, and Legal teams to determine how to proceed. Depending upon your sector there may still be Industry- or Regulatory-required steps to take.

From all accounts, the presence of an affected SolarWinds may just be one link in a much longer exploit chain, and just upgrading or rebuilding the system is probably not helpful in determining what other data was accessed or what other changes were made.

It’s a very good time to make sure your incident response plans are up to date. Contacting your local FBI Field Office or equivalent law enforcement in your country of business may be appropriate. For US customers, the following document on “What and when to report” may be helpful - https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view

I hope that the content we’ve posted to BigFix.me today has been helpful. I’ve stayed on the technical side of detection today, and I’m not yet a party on any discussions as to whether BigFix will publish official content for this outside of what we’ve uploaded to BigFix.me, so I’m afraid I have nothing to say on that (I’ve had a few people ask so I wanted to get ahead of that question).

Thanks for the creating the analysis and list of hashes.

I crossed reference your hash list with the 2 websites and these ones are not listed in either sites, can you provide the sources for these:

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv

38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e

I checked them against VT and there were not detections on them either. Thanks in advance.

We had several of us working on the content yesterday, I should be able to get a clarification on which source these came from tomorrow.

I did a cursory check a few minutes ago and these three may not be valid for the check we are doing. Those three specifically are the hashes to the MSI installer that provide some of the compromised versions of SolarWinds.Orion.Core.BusinessLayer.dll, and are worth detection, but as our content is limited to finding the DLL, we won’t find alert on these MSI packages anyway.

Hey All…may be just me, but having an issue importing some of these into my console. Getting the following:

@sbl The extra hashes are actually for the MSI installer and not the DLL.
I will update both of my relevance statements from yesterday.