Professionals from the KPMG Cyber Security Services team have been working with SolarWinds at the direction of outside counsel DLA Piper, since mid-December when SolarWinds announced that they had been the victim of a sophisticated supply chain attack. As disclosed by SolarWinds, limited versions of the SolarWinds Orion Platform software had been altered by threat actor(s) with malicious code. The code in question, a backdoor called SUNBURST [1], was unknowingly made available to SolarWinds’ customers as part of three separate patches listed below:
| Platform Version | Release Date |
|---|---|
| 2019.4 Hotfix 5 | March 26, 2020 |
| 2020.2 | June 4, 2020 |
| 2020.2 Hotfix 1 | June 24, 2020 |
There has been some confusion regarding the types of downstream malware potentially related to this attack. This blog post aims to provide information about the various types of malware that have been discovered, and to clarify their relationship to the supply chain attack.
SUNSPOT – Attack of the SolarWinds Build Process
As detailed in SolarWinds’ blog post, KPMG discovered malware – referred to as SUNSPOT – that was deployed for the purpose of covertly inserting a backdoor into the SolarWinds Orion Platform during the software build process. Working with CrowdStrike to reverse engineer the SUNSPOT malware, it was determined the malware was designed by the threat actor(s) to function solely within the SolarWinds’ Orion Platform software build environment.
From our analysis, we determined that the SUNSPOT malware ran in the background on SolarWinds’ Orion Platform software build servers watching for a new build to take place. At build time, SUNSPOT would insert a backdoor (referred to as SUNBURST) contained in a temporary source code file used by the compiler. At the conclusion of the software build process, SUNSPOT would clean up the temporary source code file to circumvent detection. Hence, the codebase remained clean, while the compiled code was signed with the valid SolarWinds software certificate and shipped with the SUNBURST backdoor.
Notably, the SUNSPOT malware was resident only on SolarWinds’ Orion Platform software build servers. It was not included in the compromised SolarWinds Orion Platform software patches or distributed to SolarWinds’ customers.
The SUNBURST [1] backdoor was inserted into a component of the SolarWinds Orion product through a library called SolarWinds.Orion.Core.BusinessLayer.dll, during the software build process. SUNBURST was designed to communicate with the threat actor(s) and provide them with a wide array of capabilities. This included actions such as executing arbitrary commands, creating and deleting files, downloading and executing additional files, manipulating registry keys, and rebooting the system.
To date, based on our on-going forensic review of SolarWinds’ software build environment and source code repository, there has been no evidence to indicate the SUNBURST backdoor was ever directly added to the Orion codebase.
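The build-process description above carries a practical lesson for anyone defending a software pipeline: because SUNSPOT swapped a temporary source file at compile time and removed it afterwards, checks that inspect the repository after the build see nothing, and a valid code signature on the output proves only that the signing key was used, not that the compiled inputs matched the committed source. The following added example (written for this page, not code from SolarWinds, KPMG or CrowdStrike) shows one way to catch that class of tampering: hash the bytes the compiler actually consumed during the build and compare them with a manifest taken from the version-controlled checkout. The file names, contents and the `CompilerInput` model are constructed for illustration.

```python
"""
Build-input attestation check (added example; file names and contents are
constructed, not real SolarWinds sources).

The comparison is made against the bytes the compiler reads at build time,
not against the repository re-read afterwards: a SUNSPOT-style implant puts
the original file back once the build finishes, so a post-build re-hash of
the source tree would match the manifest again.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the committed source tree (path -> content).
REPO_CHECKOUT: dict[str, bytes] = {
    "src/BusinessLayer/InventoryManager.cs": b"class InventoryManager { void Refresh() {} }\n",
    "src/BusinessLayer/Logger.cs": b"class Logger { void Write(string s) {} }\n",
}


def manifest_from_checkout(checkout: dict[str, bytes]) -> dict[str, str]:
    """Hash every file in the version-controlled checkout (taken before the build starts)."""
    return {path: sha256_hex(content) for path, content in checkout.items()}


@dataclass
class CompilerInput:
    """One file exactly as the compiler read it during the build (hypothetical build-trace record)."""
    path: str
    content: bytes


@dataclass
class AttestationReport:
    modified: list[str] = field(default_factory=list)  # committed file, different bytes at compile time
    unknown: list[str] = field(default_factory=list)   # compiled file that is not in the repository at all
    missing: list[str] = field(default_factory=list)   # committed file the compiler never read

    @property
    def clean(self) -> bool:
        return not (self.modified or self.unknown or self.missing)


def attest_build_inputs(manifest: dict[str, str], compiled: list[CompilerInput]) -> AttestationReport:
    """Compare hashes of the compiler's real inputs with the committed manifest."""
    report = AttestationReport()
    seen: set[str] = set()
    for inp in compiled:
        seen.add(inp.path)
        expected = manifest.get(inp.path)
        if expected is None:
            report.unknown.append(inp.path)
        elif sha256_hex(inp.content) != expected:
            report.modified.append(inp.path)
    report.missing = sorted(set(manifest) - seen)
    return report


if __name__ == "__main__":
    manifest = manifest_from_checkout(REPO_CHECKOUT)

    # Honest build: the compiler consumed exactly what is committed.
    honest = [CompilerInput(p, c) for p, c in REPO_CHECKOUT.items()]
    print("honest build clean:", attest_build_inputs(manifest, honest).clean)

    # Tampered build: one source file was replaced only for the duration of the compile.
    tampered = [CompilerInput(p, c) for p, c in REPO_CHECKOUT.items()]
    tampered[0] = CompilerInput(tampered[0].path, tampered[0].content + b"// constructed injected code\n")
    print("tampered build report:", attest_build_inputs(manifest, tampered))
```

In a real pipeline the `CompilerInput` records would come from a build trace or from a compiler wrapper that hashes each file as it is opened; the manifest should be produced on a separate, trusted host from a fresh checkout so that a compromised build server cannot supply both sides of the comparison.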
Organizations have released public details related to malware used to further compromise systems in environments where there was a version of SolarWinds Orion Platform software that included the SUNBURST backdoor. SolarWinds, the company, did not directly deliver or otherwise propagate these second-stage malware executables. Instead, threat actor(s) used the capabilities built into the SUNBURST backdoor to deploy additional malware to their victims.
TEARDROP [2], reported to have been found on some compromised systems via the SUNBURST backdoor, was identified as a dropper (a program whose primary purpose is to deploy and execute an embedded program) that ran in-memory only and was used to deploy a modified version of Cobalt Strike (a full-featured penetration testing application often used for moving laterally through a network and establishing additional backdoors) to the compromised system.
RAINDROP [3] was reported to have been found elsewhere on a network where there was already a system compromised by SUNBURST. Like the TEARDROP malware, RAINDROP was also a dropper used to deploy a modified version of Cobalt Strike to the compromised system.
SUNSHUTTLE [4], also known as GoldMax [5], was reported to have been found in some environments that had been compromised by the SUNBURST backdoor and used after the threat actor(s) gained access and moved laterally within the environment. SUNSHUTTLE/GoldMax is a malicious executable with common backdoor command-and-control capabilities.
GoldFinder [5], reported to have been used by the SUNBURST threat actor(s) in some compromised environments, is a malware tool which appears to map the network routes to a specific command-and-control server. These routes and proxies are written to a log file, suggesting it may be used by a threat actor(s) to assist in reconnaissance of the victim’s network topology.
Sibot [5], also reported to have been used by the SUNBURST threat actor(s) in some compromised environments, is malware that establishes persistence on a victim system and has the capability to download and execute payloads from a command-and-control server.
Following the discovery of SUNBURST, a separate, unrelated security threat was discovered and made public – a backdoor that is being referred to as SUPERNOVA. The SUPERNOVA [6] malware, characterized as a web shell, was deployed by targeting a vulnerability [7] in specific versions of the SolarWinds Orion product that has since been patched.
It is important to note that SUPERNOVA is not associated with the supply chain attack used to distribute the SUNBURST backdoor. SUPERNOVA was neither signed nor delivered by SolarWinds.
In summary, SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds’ software build environment to insert a malicious backdoor called SUNBURST into certain versions of the SolarWinds Orion Platform software. Unlike the SUNBURST backdoor, SUNSPOT was not included in the SolarWinds Orion Platform software patches that were made available to the public.
As reported, TEARDROP and RAINDROP were designed to be used by the threat actor(s) to deploy a modified version of Cobalt Strike. Further, SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by threat actor(s) in an environment where there was a pre-existing SUNBURST compromise.
Like SUNSPOT, neither TEARDROP, RAINDROP, SUNSHUTTLE/GoldMax, GoldFinder, nor Sibot were included in SolarWinds Orion Platform software or directly provided to customers through SolarWinds patches. Finally, while still relevant, the backdoor web shell SUPERNOVA, identified after the SUNBURST attack was made public, is not associated with the SUNBURST supply chain attack and was not included in any SolarWinds Orion Platform software patches.
Future KPMG posts will outline how to identify similar attacks, demonstrate how the malware was found, and illustrate lessons learned and KPMG’s secure by design leading practices.
Special recognition goes to the KPMG Cyber Security professionals who contributed to this blog: Andi Baritchi, Stephen Gibson, and Christopher Shanahan.
- [1] CISA – MAR-10318845-1.v1 – SUNBURST: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a
- [2] CISA – MAR-10320115-1.v1 – TEARDROP: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
- [3] Symantec – RAINDROP: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- [4] FireEye – SUNSHUTTLE: https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.htm
- [5] Microsoft – GoldMax/GoldFinder/Sibot: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- [6] CISA – MAR-10319053-1.v1 – SUPERNOVA: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a