Zscaler Coverage for SolarWinds Cyberattacks and FireEye Red Team Tools Theft

Update

On Dec 13, 2020, FireEye published additional details regarding the breach involving SolarWinds Orion supply chain attack where multiple other organizations were also impacted. FireEye also published countermeasures to detect the campaign at various stages here.

Zscaler Coverage

Zscaler leveraged the details on the countermeasures provided, verified that there is existing protection and enhanced the coverage wherever required across the multiple layers of Zscaler security platform. Below is the list of threat names through which Zscaler products detect this campaign.

Advanced Threat Protection

• Win32.Backdoor.SunBurst
• Win32.Backdoor.BEACON

Malware Protection

• PS.Trojan.COSMICGALE
• Win64.Dropper.TearDrop
• Win32.Webshell.SuperNova [attribution not confirmed]
• Win64.Trojan.TearDrop
• Win32.Trojan.Sunspot
• Win32.Backdoor.CobaltStrike
• Win64.Backdoor.RainDrop [attribution not confirmed]

Details regarding these threat signatures can be found in the Zscaler Threat Library.

Advanced Cloud Sandbox 

We have ensured that Zscaler Cloud Sandbox flags the Sunburst Backdoor. As always, Cloud Sandbox plays a critical role in blocking any unknown variants of the malware.

Zscaler ThreatLabZ team is also actively monitoring this campaign and any activity around Sunburst Backdoor and will ensure coverage for newer IOCs as they are discovered.

What is the impact?

According to SolarWinds, 18,000 of its customers downloaded the backdoored version of the Orion software during March 2020 through June 2020 including many large enterprises and government agencies.

Is Zscaler affected?

Zscaler utilizes SolarWinds software and verified that none of our services are affected by this campaign. We published a trust advisory here: https://trust.zscaler.com/posts/6896

What can you do to protect yourself?

If you are using SolarWinds Orion framework in your environment, then check if the software version running is vulnerable (2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1) and update it to the latest version, according to the advisory here. Also, check if you are running any other affected SolarWinds products as listed in their advisory.

Detection Steps:

1. Search for the following on SolarWinds server:
   • Any file named “SolarWinds.Orion.Core.BusinessLayer.dll” (with one of the hash: 2c4a910a1299cdae2a4e55988a2f102e,846e27a652a5e1bfbd0ddd38a16dc865, b91ce2fa41029f6955bff20079468448)
   • File location: “C:\WINDOWS\SysWOW64\netsetupsvc.dll”
2. Scan all the files (from step 1) with Yara using the FireEye SunBurst rules
3. If there is a match, then it is possible that your environment has been affected. Follow the Incident Response guidelines by:
   • Isolating or disconnecting or powering down the system
   • Resetting all credentials used by SolarWinds
4. Search the logs for any connections to *.avsvmcloud[.]com or any activity flagged by above Zscaler threatnames.

Also, review additional recommendation guidelines from DHS and Microsoft.

Zscaler Platform Best Practices:

1. Route all server traffic through Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised SolarWinds servers.
2. Restrict traffic from critical infrastructure to an allow list of known-good destinations
3. Ensure you are inspecting all SSL traffic.
4. Turn on Advanced Threat Protection to block all known command-and-control domains.
5. Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations.
6. Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
7. Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
8. Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access.

Zscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best practices guidance to better protect your users, applications, and systems: zscaler.com/solarwinds-cyberattack

[-- End of Update --]

Background

On Dec 8, 2020, FireEye released a public disclosure that the company had suffered a data breach involving a nation-state actor. More details about this disclosure can be found here and here. The adversary was able to steal several red team tools developed by FireEye during this attack. As part of the disclosure, FireEye also released IOCs and signatures for detecting abuse of these red team tools in the wild. In this coverage advisory, we will provide details about Zscaler’s coverage for these IOCs.
 

What is the issue?

The red team tools that were stolen as part of this breach were internally developed by FireEye to test its customers’ security. These tools exhibit behavior similar to many known cyberthreat actors and do not contain any zero-day exploits or unknown techniques. According to FireEye, these tools utilize well-known/documented methods that are used by other red teams and they do not assist in greatly advancing an attacker’s overall capabilities. Many of these tools are exploiting several known Remote Code Execution (RCE) vulnerabilities across different products commonly found in enterprise networks such as legacy VPN products and several Microsoft applications. A full list of CVEs can be found here.

Regardless of whether these tools may or not be abused by an adversary in the future, it is important to ensure detection for any usage of these tools and minimize the potential damage.
 

What can you do to protect yourself?

• Ensure that your users always have the Zscaler Client Connector running to ensure coverage against these exploits.
• We highly recommend ensuring you have the latest security updates installed for the products affected by these CVEs. 
• It is equally important to have updated security software.
• Remote Desktop service access should always be restricted, or it should be turned off if not in use.
• As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources.
• Disable macros in Microsoft Office applications. Do not enable them unless it is essential to do so.
• Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential-harvesting attacks.

Zscaler coverage

Zscaler leveraged the details on the countermeasures published by FireEye and validated that protection is already available for the majority of the vulnerabilities listed. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
 

Advanced threat protection

• Win32.Exploit.CVE-2016-0167
• Win32.Exploit.CVE-2017-11774
• HTML.Exploit.CVE-2018-13379
• HTML.Exploit.CVE-2018-15961
• Win32.Exploit.CVE-2019-0604
• Win32.Exploit.CVE-2019-0708
• HTML.Exploit.CVE-2020-11510
• HTML.Exploit.CVE-2020-11580
• Linux.Exploit.CVE-2019-19781
• HTML.Exploit.CVE-2019-8394
• Win32.Exploit.CVE-2020-0688
• HTML.Exploit.CVE-2020-10189
• Win64.Exploit.CVE-2020-1472
• Win32.Exploit.CVE-2020-1472
• Win32.Backdoor.GoRAT
• VBS.Dropper.DNSExfiltration
• Win64.Backdoor.CobaltStrike
• Win32.Backdoor.BEACON 

 Malware protection

• Win32.Trojan.Heracles
• Win32.Trojan.LodKatz
• Win32.Trojan.Razy
• Win32.Trojan.Usru
• Win32.Downloader.CobaltStrike

Full list of threat names to detect FireEye's Red Team Tools abuse can be seen here.

Details related to these threat signatures can be found in the Zscaler Threat Library.
 

Advanced Cloud Sandbox 

We have ensured that Zscaler Cloud Sandbox flags these red team tools. As always, Cloud Sandbox plays a critical role in blocking any custom variants that may be developed from these stolen tools.

The Zscaler ThreatLabZ team is also actively monitoring abuse attempts involving these red team tools and will ensure coverage for newer IOCs as they are discovered.