~18,000 organizations downloaded backdoor planted by Cozy Bear hackers | Ars Technica
Russia-backed hackers use supply chain attack to infect public and private organizations.
Dan Goodin - Dec 14, 2020 8:26 pm UTC

About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation state used to install malware in organizations that used the software, the tools' provider, SolarWinds, said on Monday. The disclosure from Austin, Texas-based SolarWinds came a day after the US government revealed a major security breach hitting federal agencies and private companies. The US Departments of Treasury, Commerce, and Homeland Security were among the federal agencies on the receiving end of hacks that gave access to email and other sensitive resources, Reuters reported. Federal agencies using the software were instructed on Sunday to disconnect systems that run the software and perform a forensic analysis of their networks.
Security firm FireEye, which last week disclosed a serious breach of its own network, said that hackers backed by a nation-state compromised a SolarWinds software update mechanism and then used it to infect selected customers who installed a backdoored version of the company’s Orion network management tool. The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed on Monday with the Securities and Exchange Commission. The implant “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” Monday's filing said. SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.

Stealing the master keys

Several factors made Orion an ideal stepping stone into networks coveted by Russia-backed hackers, who over the past decade have become one of the most formidable threats to US cyber security. Mike Chapple, a teaching professor of IT, Analytics, and Operations at the University of Notre Dame, said the tool is widely used to manage routers, switches, and other network devices inside large organizations. The level of privileged access, coupled with the number of networks exposed, made Orion the perfect tool for the hackers to exploit. “SolarWinds by its nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool, you’re able to use those types of keys to gain access to other parts of the network.
By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”

The hacks are part of what the federal government and officials from FireEye, Microsoft, and other private companies said was a widespread espionage campaign that a sophisticated threat actor was carrying out through a supply chain attack. In a blog post FireEye published Sunday night, the company said it uncovered a global intrusion campaign that used the backdoored SolarWinds update mechanism as an initial entryway “into the networks of public and private organizations through the software supply chain.” Publications, including The Washington Post and The New York Times, cited unnamed government officials saying Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB), was behind the compromises. “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations,” FireEye officials wrote. “Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.” In a separate post also published Sunday night, FireEye added: “FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing.
Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.” FireEye went on to say that a digitally signed component of the Orion framework contained a backdoor that communicates with hacker-controlled servers. The backdoor, planted in the Windows dynamic link library file SolarWinds.Orion.Core.BusinessLayer.dll, was written to remain stealthy, both by remaining dormant for a couple of weeks and then by blending in with legitimate SolarWinds data traffic. FireEye researchers wrote:

The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.

Burrowing in further

The Orion backdoor, which FireEye is calling Sunburst and Microsoft calls Solorigate, gave the hackers limited but crucial access to internal network devices. The hackers then used other techniques to burrow further. According to Microsoft, the hackers then stole signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language.
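Because the beacon described above is a plain DNS lookup of a subdomain of avsvmcloud[.]com, resolver logs are the cheapest place to look for it, and the two-week dormancy means the search has to cover the whole March-to-June update window and beyond. The following is an added example, not code from the article or from FireEye, that scans constructed resolver log lines (the line format, the hostnames and the subdomain labels are all made up for the example) and reports any query under the beacon domain, recording the CNAME answer when present because that answer is the hand-off to the C2 domain.

```python
import re

# Beacon domain from the FireEye write-up (shown defanged on the page as avsvmcloud[.]com).
SUNBURST_BEACON_DOMAIN = "avsvmcloud.com"

# Assumed log format for this example (not any vendor's): ts host=.. q=.. type=.. answer=..
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) q=(?P<query>\S+) type=(?P<qtype>\w+) answer=(?P<answer>\S+)$"
)


def is_subdomain_of(name: str, parent: str) -> bool:
    """True for the parent itself or any label beneath it. The match is on a
    label boundary, so a lookalike such as notavsvmcloud.com does not match."""
    name, parent = name.rstrip(".").lower(), parent.rstrip(".").lower()
    return name == parent or name.endswith("." + parent)


def find_sunburst_dns(lines):
    """Return one hit per log line whose query falls under the beacon domain.
    A CNAME answer is kept separately: that record points at the C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_subdomain_of(m["query"], SUNBURST_BEACON_DOMAIN):
            continue
        answer = m["answer"]
        cname = answer[len("CNAME:"):] if answer.startswith("CNAME:") else None
        hits.append({"ts": m["ts"], "host": m["host"], "query": m["query"],
                     "cname": cname, "stage": "c2-handoff" if cname else "beacon"})
    return hits


def hosts_to_triage(hits):
    """Distinct querying hosts; each one should be treated as a possible Orion install."""
    return sorted({h["host"] for h in hits})


# Constructed sample log: hostnames, labels and the CNAME target are invented.
SAMPLE_LOG = [
    "2020-06-02T04:11:09Z host=orion01 q=k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com type=A answer=NOERROR",
    "2020-06-02T04:12:31Z host=orion01 q=k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com type=A answer=CNAME:example-c2.invalid",
    "2020-06-02T04:12:40Z host=ws17 q=www.solarwinds.com type=A answer=NOERROR",
    "2020-06-02T04:13:02Z host=ws17 q=cdn.notavsvmcloud.com type=A answer=NOERROR",
]

if __name__ == "__main__":
    for hit in find_sunburst_dns(SAMPLE_LOG):
        print(hit)
    print("hosts to triage:", hosts_to_triage(find_sunburst_dns(SAMPLE_LOG)))
```

A host that only shows the beacon stage may simply have been dormant when logging started; a CNAME hand-off means the operator had already chosen to task it.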
Typically abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers. Microsoft’s advisory stated:

An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.

An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.

Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.

Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.

Supply chain attacks are among the hardest to counter because they rely on software that's already trusted and widely distributed. SolarWinds' Monday-morning filing suggests that Cozy Bear hackers had the ability to infect the networks of about 18,000 of the company’s customers. It’s not yet clear how many of those eligible users were actually hacked.
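The advisory's point is that a token forged with the stolen signing certificate carries a valid signature, so signature checks at the service provider cannot catch it; what the attacker cannot produce is the identity provider's own record of having issued that assertion. The following is an added example, not from the article or from Microsoft, that correlates assertions accepted by service providers against IdP issuance logs and also flags assertions whose validity window exceeds an assumed one-hour policy. The record layout, the policy value and all users, IDs and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed organizational policy, not a vendor default


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_forged_saml(idp_issued, sp_accepted):
    """Correlate service-provider acceptance records with IdP issuance records.
    A good signature only proves the signing key was used; the IdP log is the
    control. Returns one finding per accepted assertion that has no issuance
    record, a mismatched subject, or an out-of-policy lifetime."""
    issued = {e["assertion_id"]: e for e in idp_issued}
    findings = []
    for a in sp_accepted:
        reasons = []
        rec = issued.get(a["assertion_id"])
        if rec is None:
            reasons.append("no IdP issuance record")
        elif rec["subject"] != a["subject"]:
            reasons.append("subject differs from IdP record")
        lifetime = parse_ts(a["not_on_or_after"]) - parse_ts(a["issue_instant"])
        if lifetime > MAX_TOKEN_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds policy {MAX_TOKEN_LIFETIME}")
        if reasons:
            findings.append({"assertion_id": a["assertion_id"], "subject": a["subject"],
                             "sp": a["sp"], "reasons": reasons})
    return findings


# Constructed sample data: one legitimate assertion the IdP logged, one the IdP never saw.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@example.com", "issue_instant": "2020-06-03T09:00:00Z"},
]
SP_ACCEPTED = [
    {"assertion_id": "_a1", "subject": "alice@example.com", "sp": "mail",
     "issue_instant": "2020-06-03T09:00:00Z", "not_on_or_after": "2020-06-03T10:00:00Z"},
    {"assertion_id": "_f9", "subject": "admin@example.com", "sp": "mail",
     "issue_instant": "2020-06-03T09:05:00Z", "not_on_or_after": "2020-06-04T09:05:00Z"},
]

if __name__ == "__main__":
    for f in find_forged_saml(IDP_ISSUED, SP_ACCEPTED):
        print(f)
```

This only works if issuance logs are shipped off the IdP host before an intruder with admin rights there can edit them, which is the same on-premises foothold the advisory describes.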
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued an emergency directive instructing federal agencies that use SolarWinds products to analyze their networks for signs of compromise. FireEye’s post here lists a variety of signatures and other indicators admins can use to detect infections.

Promoted Comments

50me12, Ars Tribunus Militum:
uberDoward wrote: So... No integrity checks for the updates, hmm? Seems like a sha2 hash check would have alerted this sooner... Comes from the internet? It's not trusted until verified.
Are we sure it wasn't something ... internal? Maybe I missed it but in the articles I've read so far it's not 100% clear to me if this was someone with the keys injecting their own updates from rando internet ... or if the bad code came ... from Solarwinds traditional update processes... (whole ton of new questions then).

MisterGrumps, Ars Scholae Palatinae et Subscriptor:
I received this today at 12:09 am eastern:
Quote: We have just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 through 2020.2.1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed incident, as opposed to a broad, system-wide attack. At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central. If you own a SolarWinds Orion product, we recommend you visit http://www.solarwinds.com/securityadvisory for more detailed information. If you have any immediate questions, please contact Customer Support at 1-866-530-8040 or swisupport@solarwinds.com. Security and trust in our software are the foundation of our commitment to our customers.
Thank you for your continued patience and partnership as we continue to work through this issue. Thank you, John Pagliuca | President | SolarWinds MSP

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001