SUPERNOVA: the Invisible Explosion That Caught the Industry Off Guard

By Winny Thomas
Principal Security Architect
December 29, 2020

On December 13, 2020, FireEye reported a global campaign that targeted a large sector of industries, in which threat actors inserted malicious code into a software component of the popular network management software SolarWinds. This component, “SolarWinds.Orion.Core.BusinessLayer.dll”, which is normally installed as part of the SolarWinds installation process, had malicious code added to it by the threat actors. It is not yet known how the threat actors gained access to the development environment in which they added this malicious code and distributed it as part of an update to the software. This trojanized version of the dynamic-link library (DLL) has been given the name ‘Sunburst’ by FireEye. Versa’s Threat Research Team analyzed samples of “Sunburst” and has consequently published a report on how Versa protects its customers from this malicious code.

Sunburst Wasn’t the Only Backdoor

Surprisingly enough, researchers have found evidence of the presence of a second backdoor in the SolarWinds product. This second backdoor exists in the form of a .NET webshell added to an existing .NET DLL named “App_Web_logoimagehandler.ashx.b6031896.dll”. This DLL exposes an API that presents a logo of the software and is typically present in many interactions with the SolarWinds software. A packet capture of an admin login attempt shows a request going to this DLL in the figure below [see Figure 1]. The request going to the URL “/Orion/LogoImageHandler.ashx” is handled by this particular DLL. The valid parameters to this GET request can be seen in the figure below:

Figure 1: Valid HTTP GET request to “LogoImageHandler” 

The response to this request is a PNG file containing the SolarWinds logo. The SolarWinds control panel is accessible over port 8787 and runs on a Windows server, where the application is typically installed in the path C:\inetpub\SolarWinds\bin. The affected DLL “App_Web_logoimagehandler.ashx.b6031896.dll” is copied to this path during installation and is invoked from that directory. A legitimate version of the DLL, when inspected in a .NET decompiler such as dnSpy, looks as follows:

Figure 2: Legitimate App_Web_logoimagehandler.ashx.b6031896.dll

In Figure 2, the DLL has one class “LogoImageHandler” with a single method “ProcessRequest”. This method returns the SolarWinds logo in PNG format to the calling web browser. Threat actors have modified this DLL and added a second method named “DynamicRun”.  This second method is visible in the next figure which is the decompiled output of the trojanized version of the DLL “App_Web_logoimagehandler.ashx.b6031896.dll”:

Figure 3: Malicious App_Web_logoimagehandler.ashx.b6031896.dll with “DynamicRun” method added 

In addition, they have modified the method, “ProcessRequest,” such that it accepts extra parameters from an HTTP GET request. The four new parameters that were added are: “clazz”, “method”, “args”, and “codes”. These extra parameters were then passed onto the newly added “DynamicRun” method. In a legitimate version of the DLL, the method “ProcessRequest” looks as shown in the following figure: 

Figure 4: “ProcessRequest” method as seen in a clean DLL 

However, in the version of SolarWinds that has been infected by threat actors, the “ProcessRequest” method looks as shown in the next figure [see Figure 5]. Comparing it with Figure 4, a small chunk of code has been added to accept the four new parameters and then call the newly added method “DynamicRun”. The newly added malicious code in the method “ProcessRequest” has been highlighted below:

Figure 5: “ProcessRequest” method as seen in an infected DLL
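A host-based check that follows from the comparison above, added here as an example and not code from Versa or SolarWinds: managed type and method names are stored as UTF-8 in a .NET assembly's #Strings metadata heap, so the added “DynamicRun” method name (and the “CSharpCodeProvider” type it references) can be spotted in the on-disk DLL with a plain byte search, and the file's SHA-256 can be compared against a known-good hash from a clean copy. The `KNOWN_GOOD_SHA256` placeholder, the function names and the sample byte strings are assumptions constructed for this example; the page does not publish hashes.

```python
import hashlib
from typing import Optional

# Identifiers the analysis above says the trojanized DLL introduces. Managed method and
# type names live as UTF-8 in the assembly's #Strings heap, so a raw byte search over the
# file is enough to spot them without a decompiler. "DynamicRun" is the stronger signal;
# a clean build of this handler has no reason to reference CSharpCodeProvider either.
SUSPICIOUS_IDENTIFIERS = (b"DynamicRun", b"CSharpCodeProvider")

# Placeholder: fill in with the SHA-256 of a known-clean copy of the DLL from the vendor.
KNOWN_GOOD_SHA256: Optional[str] = None


def inspect_dll_bytes(data: bytes, known_good_sha256: Optional[str] = KNOWN_GOOD_SHA256) -> dict:
    """Return an integrity verdict for one DLL image held in memory."""
    digest = hashlib.sha256(data).hexdigest()
    found = [name.decode() for name in SUSPICIOUS_IDENTIFIERS if name in data]
    # None means "no reference hash configured"; True/False is the comparison result.
    hash_ok = None if known_good_sha256 is None else (digest == known_good_sha256.lower())
    return {
        "sha256": digest,
        "hash_matches_known_good": hash_ok,
        "suspicious_identifiers": found,
        # Flag when the hash disagrees with a known-good value or an added identifier is present.
        "suspicious": hash_ok is False or bool(found),
    }


def inspect_dll_file(path: str, known_good_sha256: Optional[str] = KNOWN_GOOD_SHA256) -> dict:
    """Read a DLL from disk (e.g. under C:\\inetpub\\SolarWinds\\bin) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_dll_bytes(fh.read(), known_good_sha256)


# Constructed stand-ins for the #Strings heap of a clean and a trojanized build
# (not real DLL bytes; used so the example runs offline).
CLEAN_SAMPLE = b"MZ...\0LogoImageHandler\0ProcessRequest\0System.Drawing\0"
TROJANIZED_SAMPLE = b"MZ...\0LogoImageHandler\0ProcessRequest\0DynamicRun\0CSharpCodeProvider\0"

if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real file; with no argument, inspect the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    verdict = inspect_dll_file(target) if target else inspect_dll_bytes(TROJANIZED_SAMPLE)
    print(verdict)
```

Run it against the DLL in the SolarWinds bin directory; a hit on the identifier scan is independent of the hash, so the check still works before a vendor hash is available.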

This new method calls the “CSharpCodeProvider” class to compile a user-supplied code string at runtime. Using “CSharpCodeProvider” in this way is a highly effective and stealthy technique: the class compiles whatever code string the threat actor supplies in an HTTP GET request to a vulnerable server. The “clazz” parameter in the GET request refers to the class name used in the supplied C# code, which is passed in the parameter “codes”. The “method” parameter refers to the particular method invoked in the attacker’s code string, and “args” contains the arguments to the invoked method:

Figure 6: “DynamicRun” method as seen in an infected DLL

Note: The code highlighted in lines 14 and 15 ensures that the attacker-supplied code does not compile to an executable file on the filesystem. Instead, the compiled code resides in memory, from where it executes. This makes it close to impossible for a typical endpoint AV or EDR solution to detect this attack.
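Because the compiled code never touches disk, the web server log is one of the few places the webshell leaves a trace: the four parameters described above travel in the query string of a GET request to “/Orion/LogoImageHandler.ashx”, and IIS records the query string (cs-uri-query) by default. The detection below is an added example written for this post, not Versa's IPS signature or any SolarWinds code. It parses IIS W3C extended log lines, matches the handler path, and flags any request whose query string carries one or more of the webshell parameter names; names are matched case-insensitively because ASP.NET query-string lookups are case-insensitive. The log lines, client addresses and the “id=site&size=1” benign query are constructed for the example; the page shows the legitimate parameters only in Figure 1.

```python
from urllib.parse import parse_qs

# Query-string parameter names the SUPERNOVA webshell adds to ProcessRequest (from the analysis above).
WEBSHELL_PARAMS = {"clazz", "method", "args", "codes"}
TARGET_PATH = "/orion/logoimagehandler.ashx"

# Constructed sample IIS W3C log lines (not real traffic); the #Fields line names the columns.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-20 10:01:02 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=site&size=1 8787 - 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:02:15 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=Foo&method=Run&args=x&codes=using%20System%3B 8787 - 198.51.100.7 python-requests/2.25 200
2020-12-20 10:03:44 10.0.0.5 GET /Orion/Login.aspx - 8787 - 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:04:01 10.0.0.5 GET /Orion/LogoImageHandler.ashx CLAZZ=a&Codes=b 8787 - 203.0.113.9 curl/7.64 500
"""


def parse_iis_w3c(lines):
    """Yield one dict per record of a W3C extended log; the '#Fields:' directive names the columns."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("log record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def detect_supernova_requests(lines):
    """Return one finding per request to the logo handler that carries webshell parameters."""
    findings = []
    for rec in parse_iis_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != TARGET_PATH:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        # parse_qs URL-decodes values; lower-case the names to mirror ASP.NET's lookup.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        hit = sorted(WEBSHELL_PARAMS.intersection(params))
        if not hit:
            continue
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec.get("c-ip"),
            "status": rec.get("sc-status"),
            "params": hit,
            # First 80 characters of the decoded 'codes' value, kept only to speed up triage.
            "codes_preview": params["codes"][0][:80] if "codes" in params else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_supernova_requests(SAMPLE_LOG.splitlines()):
        print(f)
```

A request with even one of the four names on this path is worth investigating; a 500 response (as in the last sample line) does not mean the attempt failed to reach the webshell, only that the supplied code did not compile or run.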

Versa’s Threat Research Team has created a fully functional proof-of-concept exploit which can execute code on Windows servers running the infected version of SolarWinds. The proof of concept developed in Versa’s Threat Research Lab launches notepad.exe on the remote machine under the privileges of the running service. In the following figure [see Figure 7], the process “notepad.exe” is running under the account “NETWORK SERVICE”, having been launched by the exploit developed by our lab:

Figure 7: “Notepad.exe” launched with “NETWORK SERVICE” privilege on an affected system

Our Recommendations for Mitigation

Versa’s Threat Research Labs would like to recommend that our customers and the public update their SolarWinds installations to the latest version. In addition, we recommend following the guidelines prescribed by SolarWinds. Versa Networks Secure SD-WAN has defense solutions like Intrusion Prevention System (IPS) and Anti-Virus (AV) that are already equipped to prevent threat actors from taking advantage of existing installations affected by SUPERNOVA. Given the popularity of the software and its widespread deployment, there could be widespread “search and infiltrate activity” against affected systems in the coming days. It should be noted that the analysis in this blog covers only one of the recently discovered backdoors. The original backdoor, “Sunburst,” has been reported to drop other malicious code like “teardrop” and “cosmicgale”. These types of malicious code allow an attacker to harvest credentials, evade detection by sandboxes, and move laterally.
