Microsoft shares how SolarWinds hackers avoided detection

Microsoft today shared details on how the SolarWinds hackers could go unnoticed by hiding their malicious activities in the networks of hacked companies.

This previously unknown information was released by security experts from the Microsoft 365 Defender Research Team, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Cyber Defense Operations Center (CDOC).

The report they released earlier today shares new details on the activation of the second stage of Solorigate: the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after the Solorigate (Sunburst) DLL backdoor had been dropped.

The evasion tactics of SolarWinds hackers

As Microsoft’s security experts found, the hackers who orchestrated the SolarWinds attack displayed a range of tactics, operational security and anti-forensic behaviors that drastically diminished the ability of the compromised organizations to detect their malicious actions.

“[T]he attackers behind Solorigate are skilled and methodical operators who follow the best practices of Operations Security (OpSec) to minimize traces, stay under the radar and avoid detection,” Microsoft revealed.

“During our in-depth analysis of the attacker’s tactics, techniques and procedures (TTPs) seen through the lens of Microsoft 365 Defender’s rich telemetry, we observed some techniques worth sharing to help other defenders better respond to this incident and use hunting tools such as Microsoft 365 Defender Advanced Hunting or Azure Sentinel queries to search for potential traces of past activity.”

Some examples of the evasion tactics used by the SolarWinds hackers, as discovered and highlighted by Microsoft:

  • Methodical avoidance of shared indicators for each compromised host by using custom Cobalt Strike DLL implants on each machine
  • Camouflage and blending into the environment by renaming tools and binaries to match files and applications on the compromised device
  • Disabling event logging with AUDITPOL before hands-on-keyboard activity and re-enabling it afterwards
  • Creating firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration (removed after these operations were completed)
  • Carefully planning lateral movement by first disabling security services on targeted hosts
  • The attackers are also believed to have used timestomping to change the timestamps of artifacts, and to have used wiping procedures and tools to hinder the discovery of malicious DLL implants in affected environments.
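The "disable, act, re-enable" pattern behind the AUDITPOL and firewall-rule tactics above is something a defender can hunt for directly: an "off" command followed shortly by its matching "on" command on the same host. The following is an added example, not code from Microsoft or the report; it runs over constructed process-creation log lines in a hypothetical `time host= user= cmd=` format and pairs each toggle-off with the toggle-on that follows it within a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation log lines (hypothetical hosts, users, times); not real telemetry.
SAMPLE_EVENTS = [
    '2020-05-04T10:01:12Z host=WS01 user=svc_backup cmd=auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable',
    '2020-05-04T10:02:30Z host=WS01 user=svc_backup cmd=netsh advfirewall firewall add rule name="tmp" dir=out action=block protocol=UDP',
    '2020-05-04T10:03:05Z host=WS01 user=svc_backup cmd=wmic.exe process list brief',
    '2020-05-04T10:18:44Z host=WS01 user=svc_backup cmd=netsh advfirewall firewall delete rule name="tmp"',
    '2020-05-04T10:19:01Z host=WS01 user=svc_backup cmd=auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable',
    '2020-05-04T11:00:00Z host=WS02 user=alice cmd=auditpol.exe /get /category:*',
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")
# Each tactic is (name, "off" pattern, "on" pattern): the suspicious sequence is an
# "off" command followed by a matching "on" command on the same host within the window.
TACTICS = [
    ("audit policy disabled then re-enabled",
     re.compile(r"auditpol(\.exe)?\s+/set\b.*:disable", re.I),
     re.compile(r"auditpol(\.exe)?\s+/set\b.*:enable", re.I)),
    ("outbound block rule added then deleted",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*dir=out\b.*action=block", re.I),
     re.compile(r"netsh\s+advfirewall\s+firewall\s+delete\s+rule\b", re.I)),
]

def parse(lines):
    # Return (time, host, user, cmd) tuples in time order; malformed lines are skipped.
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def find_toggle_pairs(lines, window=timedelta(hours=1)):
    # One finding per host and tactic where "off" is followed by "on" within `window`.
    findings, events = [], parse(lines)
    for name, off_re, on_re in TACTICS:
        pending = {}  # host -> (time, user) of the latest unmatched "off" command
        for ts, host, user, cmd in events:
            if off_re.search(cmd):
                pending[host] = (ts, user)
            elif on_re.search(cmd) and host in pending:
                t_off, u_off = pending.pop(host)
                if ts - t_off <= window:
                    findings.append({"host": host, "user": u_off, "tactic": name,
                                     "gap_seconds": int((ts - t_off).total_seconds())})
    return findings
```

The gap between the two commands is the window in which that host's audit trail or outbound traffic should be treated as incomplete, which is where the other evidence (renamed binaries, timestomped artifacts) has to be looked for.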

In addition, Microsoft provides a list of the most interesting and unusual tactics, techniques and procedures (TTPs) used in these attacks.

The company also said it was “actively working with MITRE to ensure that any new technique resulting from this incident is documented in future updates of the ATT&CK framework.”

Supply Chain Attack Timeline

A detailed timeline of these attacks shows that the Solorigate DLL backdoor was deployed in February and used in the compromised networks in late March (SolarWinds also provided an overview of the timeline earlier this month).

After this stage, the threat actor prepared the custom Cobalt Strike implants and selected targets of interest until early May, when the hands-on-keyboard attacks likely began.

“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June may indicate that the attackers had reached a sufficient number of interesting targets by this time, and that their goal shifted from deploying and activating the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2),” Microsoft adds.

[Figure: Solorigate attack timeline (Microsoft)]

Microsoft discovered these new details during its ongoing investigation into the SolarWinds supply chain attack, orchestrated by the threat actor tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42) and Dark Halo (Volexity).

The identity of the threat actor remains unknown, but a joint statement issued by the FBI, CISA, ODNI and the NSA earlier this month says it is likely a Russian-backed advanced persistent threat (APT) group.

Kaspersky also found a link between the SolarWinds hackers and the Russian Turla hacking group after discovering that the Sunburst backdoor had features overlapping with the Kazuar backdoor, which has been tentatively linked to Turla.
