The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybersecurity community continues to investigate the attack. We at HYAS have performed our own research, collected data from our unique sources, and want to share some insights that add to the industry’s understanding of this attack. This blog delves into the infrastructure used by SunBurst to compromise targets and points out another network monitoring solution that may have been compromised.
SunBurst uses a domain generation algorithm (DGA) style of command and control (C2) domain structure, in which the child label (the third part of the domain, as in childlabel.domain.com) is generated by the SunBurst binary encoding the local Active Directory domain. According to a Microsoft security blog post, the backdoor will not run unless it detects that it is on a local domain. Local domains typically exist only in corporate networks, so SunBurst appears to be designed specifically to infect corporate networks.
Once SunBurst has validated the presence of a local domain and generated its fully qualified domain name (FQDN) with the encoded local domain, it begins to query for it.
For example, one of the domains observed in the wild via passive DNS monitoring for this attack is:
Using the @RedDrip7 SunBurst DGA Decode utility, the child label decodes to “seattle.interna”. While there are a number of possible Seattle corporate networks, we hope it isn’t the Seattle-Tacoma International Airport (Sea-Tac).
Another observed victim string:
This string decodes to “orsennanms.loca”.
This string appears to relate to Orsenna, a French network monitoring services company. Orsenna makes a very popular software plugin for “WhatsUp”, the product of SolarWinds competitor Ipswitch (now owned by Progress Software).
Based on the behaviour we have observed from this adversary so far, and while it is not yet conclusive, we would advise customers of the Ipswitch WhatsUp product with the Orsenna plugin to check their networks closely. This issue could affect many additional networks whose operators may have thought they were safe by virtue of not using SolarWinds products. HYAS has attempted to notify both Orsenna and Ipswitch of this potential infection and has suggested that they perform their own internal investigations.
SunBurst is designed to interpret the DNS answers it receives from the threat actor as various first-stage commands. Depending on the IP ranges returned as A record responses, SunBurst will perform actions ranging from process enumeration to local network data gathering.
According to Hornet Security, when the threat actor wants direct access to a compromised system, the actor returns a CNAME record rather than an A record to the selected victim. This tells the backdoor to look up another domain to obtain an IP address to connect to and hand over remote access.
One example of this behaviour was observed in passive DNS at 2020-06-20 02:54:06 Zulu:
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com. IN CNAME thedoccloud.com
The CNAME domain (thedoccloud.com) used here appears to belong to a busy domain buyer who has purchased hundreds of domains in the last year. Many of the domains are pro-Trump/MAGA/anti-FakeNews, and the names do seem “on brand” for Russian threat actors. We believe, however, that in this case these domains are not directly connected to the adversary. Instead, we suspect that the threat actor compromised this user’s account with the registrar and used one of their domains in this attack. It is also possible that the actor has compromised the registrar itself; however, we see no overt evidence of that.
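To make the C2 naming scheme and the A-versus-CNAME distinction described above concrete from a defender's side, here is an added example (written for this post, not HYAS tooling or a SunBurst component) that triages passive DNS records: it matches queries of the form childlabel.appsync-api.region.avsvmcloud.com, extracts the child label that carries the encoded victim domain, and tags A answers as first-stage commands and CNAME answers as hand-offs to a second-stage domain. The log format, the second query label and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example; the mapping of specific IP ranges to commands is not given in this post, so the example does not decode it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed passive-DNS style records: "<timestamp> <qname> IN <rrtype> <rdata>".
# The first line reproduces the CNAME observation quoted in the post; the second
# query label and the documentation-range addresses are made up for the example.
SAMPLE_LOG = """\
2020-06-20T02:54:06Z ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com. IN CNAME thedoccloud.com.
2020-06-21T11:02:13Z ab12cd34ef56gh78ij90.appsync-api.eu-west-1.avsvmcloud.com. IN A 203.0.113.7
2020-06-21T11:03:40Z www.example.com. IN A 198.51.100.10
garbage line that should be ignored
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<qname>\S+)\s+IN\s+(?P<rtype>A|CNAME)\s+(?P<rdata>\S+)$"
)

# SunBurst C2 FQDNs seen in the post: <child label>.appsync-api.<region>.avsvmcloud.com
SUNBURST_RE = re.compile(
    r"^(?P<child>[a-z0-9]+)\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    child_label: str   # leftmost label; SunBurst encodes the victim's AD domain here
    region: str
    rtype: str
    rdata: str
    stage: str         # "first-stage-command" (A) or "cname-handoff" (CNAME)


def parse_record(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or return None if it is not an A/CNAME record."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding if the query matches the SunBurst C2 naming scheme, else None."""
    m = SUNBURST_RE.match(rec["qname"])
    if not m:
        return None
    # Per the post: an A answer is read by the backdoor as a first-stage command
    # (the IP-range-to-command mapping is not on the page, so it is not decoded here);
    # a CNAME answer tells the backdoor to resolve a second domain and hand over access.
    stage = "cname-handoff" if rec["rtype"].upper() == "CNAME" else "first-stage-command"
    return Finding(rec["ts"], m["child"], m["region"], rec["rtype"].upper(),
                   rec["rdata"].rstrip("."), stage)


def triage(log_text: str) -> list:
    """Run every line through the parser and classifier; keep only SunBurst matches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def handoff_targets(findings) -> list:
    """Second-stage domains handed to victims via CNAME; candidates for blocking and pivoting."""
    return sorted({f.rdata for f in findings if f.stage == "cname-handoff"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} child={f.child_label} region={f.region} "
              f"{f.rtype} {f.rdata} -> {f.stage}")
    print("CNAME hand-off domains:", handoff_targets(results))
```

A CNAME hit is the higher-priority alert: it marks a host the operator chose for hands-on access, and the CNAME target (thedoccloud.com in the record above) is the pivot point for further infrastructure research. The child labels collected by triage are the input to a decoder such as the @RedDrip7 utility mentioned earlier.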
HYAS continues to analyze and investigate the data that has been shared with us. We want to recognize the passive DNS data from Zetalytics and Farsight Security that helped in analyzing the encoded child label strings. We intend to report on any related malicious infrastructure as we research and validate the information.