Hunt for Earliest Artifacts of Compromise

Hunt for Earliest Artifacts of Compromise

Three of Microsoft’s cyber defense teams recently published their collective findings on how threat actors got away in viewing the company’s crown jewel: Microsoft source code.

In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center, and Microsoft Cyber Defense Operations Center revealed new details on how threat actors were able to view the company’s source code.

Last December 31st, Microsoft admitted that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.

Background

Microsoft earlier admitted that it was one of the victims of the Solarwinds supply chain attack. Microsoft is one of the thousands of Solarwinds’ clients that unwittingly downloaded the Solarwinds update that was maliciously modified with attached malicious software (malware) called "Solorigate" to further compromise the networks of those that downloaded the poisoned update.

In a report to the U.S. Securities and Exchange Commission, Solarwinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."

Microsoft provided the following timeline in which the attackers were able to compromise SolarWinds update:

Sept. 4, 2019: Attackers start assessing SolarWinds

Sept. 12, 2019: Attackers start injecting test code

Nov. 4, 2019: Attackers stop injecting test code

Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed

March 2020: Estimated start of distribution of Solorigate malware backdoor

May 2020: Estimated start of actual hands-on-keyboard attacks

June 4, 2020: Attackers remove malware from SolarWinds build environment

Dec. 12, 2020: Solorigate malware supply chain attack disclosed

How the Attack Transpired

According to FireEye, one of the victims of the SolarWinds supply chain attack, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike.

Cobalt Strike is a publicly available penetration testing tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s post-exploit capabilities include tools such as Mimikatz and Metasploit.

Mimikatz is a tool that’s capable of obtaining plaintext Windows account logins and passwords. Mimikatz also comes with many other features that test the security of networks.

Metasploit, meanwhile, is another penetration testing tool popularly used by both attackers and defenders. With Metasploit, attackers just pick a target, pick an exploit, and pick a payload to drop.

"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.

According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hid their malware and malicious actions:

1. Avoidance of Shared Indicators for Each Compromised Host

Each Cobalt Strike implant was assembled to be unique for every compromised computer and avoided any overlap and reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamp.

2. Camouflage and Blending into the Environment

Tools used by the attackers, including the legitimate tool called "ADFIND" (a search utility that can be used to query the Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer. 

3. Disabling of Event Logging

Event logging captures network activities such as login sessions, account lockouts, and failed password attempts. Prior to conducting hands-on keyboard activity, the attackers disabled event logging through the use of a tool called "AUDITPOL." The attackers enabled event logging after conducting hands-on keyboard activity.

4. Firewall Rules Modifications

Prior to running network enumeration activities, the attackers prepared special firewall rules to lessen outgoing packets for certain protocols. After running network enumeration activities, the attackers removed the special firewall rules.

5. Disabling of Certain Security Services

Prior to conducting lateral movement activities, the attackers first disabled certain security services. Lateral movement refers to activities that are conducted by attackers after gaining access to the victim’s network.

Attackers, in this case, gained initial access to the victims’ networks via the poisoned Solarwinds update. Post initial access activities are typically done in search of sensitive data and other high-value assets.

6. Timestomping

Microsoft’s cyber defense teams believed that the attackers used timestomping. In timestomping, attackers change the timestamps of a file – referring to the access, create, and change times of a file. The goal of timestomping is to derail forensic investigators or file analysis tools.

If All Else Fails

To date, the identities of the attackers behind the Solarwinds supply chain attack that spiraled into the compromise of other networks such as Microsoft and FireEye remain inconclusive.

One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.

In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.