Mike Plavin
ServiceNow Employee

Executive Summary

On December 13, 2020, Reuters reported that malicious actors had gone after both the U.S. Department of Treasury and the U.S. Department of Commerce.

Microsoft analyzed the attack chain and wrote that malicious actors might have compromised SolarWinds' internal build or distribution systems. The attackers then inserted a backdoor, which FireEye detects as "SUNBURST", into SolarWinds' own signed libraries, so the trojanized code carried the company's legitimate digital certificate.

On December 16, 2020, SolarWinds published a security advisory recommending that customers running Orion Platform v2020.2 with no hotfix, or 2020.2 HF 1, upgrade to Orion Platform version 2020.2.1 HF 2.

The security advisory also listed 18 SolarWinds products compromised by the recent SUNBURST attack:
1. Application Centric Monitor (ACM)
2. Database Performance Analyzer Integration Module* (DPAIM*)
3. Enterprise Operations Console (EOC)
4. High Availability (HA)
5. IP Address Manager (IPAM)
6. Log Analyzer (LA)
7. Network Automation Manager (NAM)
8. Network Configuration Manager (NCM)
9. Network Operations Manager (NOM)
10. Network Performance Monitor (NPM)
11. NetFlow Traffic Analyzer (NTA)
12. Server & Application Monitor (SAM)
13. Server Configuration Monitor (SCM)
14. Storage Resource Monitor (SRM)
15. User Device Tracker (UDT)
16. Virtualization Manager (VMAN)
17. VoIP & Network Quality Manager (VNQM)
18. Web Performance Monitor (WPM)
For the most current information, please see https://www.solarwinds.com/securityadvisory

Given the broad usage of these SolarWinds applications, customers may need to:

  1. Identify exposure and remediate vulnerable software: determine where they are using vulnerable SolarWinds applications, and then rapidly update these applications or, where they cannot perform an upgrade, use technology to shield their infrastructure from damage or misuse.
  2. “Threat Hunt” for SUNBURST and SUPERNOVA attack activities: If they are using SolarWinds, they need to hunt for evidence of a compromise or attack using standard and advanced attack investigation techniques.

Post-compromise Activity

Threat Detection, Security Incident response, and Vulnerability Response with ServiceNow
ServiceNow ITOM Visibility and Discovery applications collect detailed asset information from data center servers and the cloud compute layer. The agentless discovery solution can discover hardware, installed software, running processes, and TCP/IP connections. ITOM Discovery also provides ways to collect tracked configuration files and to execute file-based discovery, gathering file evidence for ServiceNow Vulnerability Response / Security Incident Response and Software Asset Management.
SolarWinds.Orion.Core.BusinessLayer.dll (MD5 b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plugin component of the Orion software framework that contains an obfuscated backdoor which communicates via HTTP to third-party servers. Evidence of this can be detected by looking for the SolarWinds.BusinessLayerHost.exe process running.
Evidence of SolarWinds.BusinessLayerHost.exe can be identified from the table below.
Table Name in ServiceNow: cmdb_running_process
Name = SolarWinds.BusinessLayerHost.exe


SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally signed component of the Orion software framework that contains a backdoor communicating via HTTP to third-party servers. Attackers might have compromised SolarWinds' internal build or distribution systems, embedding backdoor code into this legitimate SolarWinds library. Look for the process and parameter combination below:

Process Name = SolarWinds.BusinessLayerHost.exe
Process Parameter contains SolarWinds.Orion.Core.BusinessLayer.dll

File-based Discovery for collecting evidence with file existence
ServiceNow Discovery offers a file-based discovery method to scan for files and report its existence. The File-based Discovery [com.snc.discovery.file_based_discovery] plugin can be requested by ServiceNow Discovery customers.
For collecting file evidence, configure the file-based discovery scan to target the potential folder structure.
(1) Is SolarWinds.Orion.Core.BusinessLayer.dll present? It can be found in
%PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or
%WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll

(2) If so, the malicious version uses this Signer and Signer Hash:
"Signer": "Solarwinds Worldwide LLC"
"SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"

(3) The existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise.


Add the name of each file you want to scan for to the samp_custom_file_name table.

Table name : samp_custom_file_name
File Name : SolarWinds.Orion.Core.BusinessLayer.dll
File Name : netsetupsvc.dll


Discovery will look for file-based evidence and populate the cmdb_file_information table with the file name, installed on (server name), installation path, and file size.
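The process and file indicators above, applied in code: this is an added example (not ServiceNow's or the author's code) written as stand-alone JavaScript over constructed rows shaped like cmdb_running_process and cmdb_file_information. The field names, the optional signerHash enrichment column and the sample hosts are assumptions; in an instance the same checks would be GlideRecord queries.

```javascript
// Added example (not ServiceNow's or the author's code): applies this page's SUNBURST
// indicators to rows shaped like cmdb_running_process and cmdb_file_information.
// In an instance these would be GlideRecord queries; rows are constructed here so it runs offline.
const HOST_PROCESS = "solarwinds.businesslayerhost.exe";
const ORION_DLL = "solarwinds.orion.core.businesslayer.dll";
const MALICIOUS_SIGNER_HASH = "47d92d49e6f7f296260da1af355f941eb25360c4";
// Directories the page names for the DLL; <VARIES> is a random folder, hence the regex.
const DLL_DIRS = [
  /\\SolarWinds\\Orion\\?$/i,
  /\\System32\\config\\systemprofile\\AppData\\Local\\assembly\\tmp\\[^\\]+\\?$/i,
];
// netsetupsvc.dll or the malicious signer hash => likely compromised. The DLL itself
// ships with every Orion install, so on its own it only calls for a version/signer check.
function triage(indicators) {
  const strong = indicators.includes("malicious_signer_hash") || indicators.includes("netsetupsvc_present");
  const verdict = strong ? "likely compromised: open a security incident"
    : indicators.includes("orion_dll_on_disk") ? "orion present: verify DLL version and signer" : "review";
  return { indicators, verdict };
}
function assessHosts(processRows, fileRows) {
  const tags = {};
  const note = (host, tag) => (tags[host] = tags[host] || new Set()).add(tag);
  for (const p of processRows) {
    if (p.name.toLowerCase() !== HOST_PROCESS) continue;
    note(p.computer, "businesslayerhost_running");
    if (p.parameters.toLowerCase().includes(ORION_DLL)) note(p.computer, "orion_dll_loaded");
  }
  for (const f of fileRows) {
    const name = f.fileName.toLowerCase();
    if (name === ORION_DLL && DLL_DIRS.some((re) => re.test(f.installPath))) {
      note(f.installedOn, "orion_dll_on_disk");
      // signerHash is not a column the page lists for cmdb_file_information: optional enrichment (assumption).
      if ((f.signerHash || "").toLowerCase() === MALICIOUS_SIGNER_HASH) note(f.installedOn, "malicious_signer_hash");
    }
    if (name === "netsetupsvc.dll" && /\\SysWOW64\\?$/i.test(f.installPath)) note(f.installedOn, "netsetupsvc_present");
  }
  return Object.fromEntries(Object.entries(tags).map(([host, set]) => [host, triage([...set].sort())]));
}
// Constructed sample rows (not real instance data).
const sampleProcesses = [
  { computer: "orion-srv-01", name: "SolarWinds.BusinessLayerHost.exe", parameters: "\"C:\\Program Files\\SolarWinds\\Orion\\SolarWinds.Orion.Core.BusinessLayer.dll\"" },
  { computer: "orion-srv-02", name: "SolarWinds.BusinessLayerHost.exe", parameters: "" },
];
const sampleFiles = [
  { installedOn: "orion-srv-01", fileName: "SolarWinds.Orion.Core.BusinessLayer.dll", installPath: "C:\\Program Files\\SolarWinds\\Orion", signerHash: "47D92D49E6F7F296260DA1AF355F941EB25360C4" },
  { installedOn: "orion-srv-01", fileName: "netsetupsvc.dll", installPath: "C:\\WINDOWS\\SysWOW64" },
  { installedOn: "orion-srv-02", fileName: "SolarWinds.Orion.Core.BusinessLayer.dll", installPath: "C:\\WINDOWS\\System32\\config\\systemprofile\\AppData\\Local\\assembly\\tmp\\K7QZ3X1A" },
];
const report = assessHosts(sampleProcesses, sampleFiles);
```

Hosts that never run SolarWinds.BusinessLayerHost.exe and carry none of the files do not appear in the report at all.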

If you have Software Asset Management, file-based discovery will also create an installed software version record in the software installation table (cmdb_sam_sw_install).

Subscription coverage and the data collected in the Installed software table:
  • Customers with a Discovery subscription: Installed software Name, Publisher
  • Customers with a Discovery + SAM subscription: Installed software Name, Publisher + Version

IP Addresses located in victim’s country
The attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.
ServiceNow Discovery collects server traffic information and populates it into the cmdb_tcp table. You can see the list of port connections opened by the running process executable and look for further evidence in the incoming and outgoing traffic data.
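An added example (not ServiceNow's or the author's code) of reviewing cmdb_tcp connection data for the Orion business layer host: stand-alone JavaScript over constructed rows, with assumed field names and an assumed admin-maintained allowlist of expected destinations. Because the attacker used in-country addresses, the filter is "external and not expected" rather than "foreign".

```javascript
// Added example (not ServiceNow's or the author's code): reviews rows shaped like the
// cmdb_tcp connection data Discovery collects for SolarWinds.BusinessLayerHost.exe.
// Because the attacker used in-country VPS addresses, the filter is "external and not an
// expected destination", never "foreign country". Field names below are assumptions.
const HOST_PROCESS = "solarwinds.businesslayerhost.exe";

// RFC 1918 private ranges and loopback, checked without any external library.
function isInternal(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const o = ip.split(".").map(Number);
  if (o.some((n) => n > 255)) return false;
  return o[0] === 10 || o[0] === 127 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

// expectedDestinations: addresses the Orion server is known to talk to (an allowlist the
// admin maintains, e.g. database or syslog hosts); any other outbound connection is surfaced for review.
function suspiciousOutbound(tcpRows, expectedDestinations) {
  const expected = new Set(expectedDestinations);
  return tcpRows
    .filter((r) => r.process.toLowerCase() === HOST_PROCESS && r.direction === "outbound")
    .filter((r) => !isInternal(r.remoteIp) && !expected.has(r.remoteIp))
    .map((r) => ({ computer: r.computer, remote: `${r.remoteIp}:${r.remotePort}`,
                   reason: "unexpected external destination from the Orion business layer host" }));
}

// Constructed sample rows (not real instance data; public addresses are documentation ranges).
const sampleTcp = [
  { computer: "orion-srv-01", process: "SolarWinds.BusinessLayerHost.exe", direction: "outbound", remoteIp: "10.20.30.40", remotePort: 1433 },
  { computer: "orion-srv-01", process: "SolarWinds.BusinessLayerHost.exe", direction: "outbound", remoteIp: "198.51.100.200", remotePort: 443 },
  { computer: "orion-srv-01", process: "SolarWinds.BusinessLayerHost.exe", direction: "outbound", remoteIp: "203.0.113.25", remotePort: 443 },
  { computer: "orion-srv-01", process: "SolarWinds.BusinessLayerHost.exe", direction: "inbound", remoteIp: "203.0.113.77", remotePort: 17778 },
  { computer: "orion-srv-01", process: "svchost.exe", direction: "outbound", remoteIp: "192.0.2.9", remotePort: 443 },
];
const flagged = suspiciousOutbound(sampleTcp, ["198.51.100.200"]);
```

Only the outbound connection to the unlisted public address is returned; the internal database connection and the allowlisted host are passed over.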


Security Incident Response

Managing the lifecycle of Security Incidents end to end
As security incidents are isolated, aided by ServiceNow’s Discovery application and the organization’s threat monitoring efforts, use ServiceNow Security Incident Response application to achieve the following outcomes:
1. Identify and scope the security incident, addressing the "who, what, where, why, and how", beginning with automated ingestion of the underlying security alert and automated triage using asset intelligence from the CMDB and third-party threat intelligence integrations.
2. Document actions taken and gather evidence.
3. Track the eradication and recovery of the affected systems or users comprehensively.

Create Security Incident Records and contextualize them with Security Tags (e.g. Sunburst-Backdoor) and threat intelligence:


Track all impacted users, accounts, and devices comprehensively in the Security Incident Record:


Use guided playbook tasks (built rapidly with Flow Designer's low-code/no-code experience) and document actions taken with evidence:

Create child security incident records to individually investigate and track recovery actions:


Automate consolidation and reporting of activities across incidents using automated playbooks (leverage out of the box playbook templates built with flow designer):


Gain visibility into detection and response coverage of the organization on the attacker techniques

The Threat Intelligence module in Security Incident Response includes support for the MITRE ATT&CK framework. This helps security teams identify and limit threats to organizational assets and communicate the effectiveness of their cybersecurity tools and policies to business stakeholders.
Note: Customers can refer to MITRE's current mapping of adversary behaviors employed in the Sunburst/Solorigate attack here: https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json

Security Analysts can record the Attacker Tactics and Techniques into Security Incidents and visualize them in the MITRE ATT&CK card:


Security teams in charge of administering third-party cyberthreat prevention solutions can map detection coverage for the attacker behaviors (in the Data source mapping table) and the strength of their prevention policies (in the Technique coverage mapping table):


Security leaders can visualize and track all the attacker behaviors using the comprehensive built-in heat map views:


Please refer to the MITRE ATT&CK feature documentation for additional information.

Using Vulnerability Response to Manage and Respond to the Vulnerabilities

There are a few ways to determine if you have vulnerable versions of SolarWinds Orion in your environment.

Vulnerability Response Third-Party Integrations
ServiceNow offers out-of-the-box integrations with vulnerability scanners from Tenable, Qualys, Rapid7, and more. If you have recently run a vulnerability scan using a supported third-party scanner that already incorporates the SolarWinds vulnerabilities (e.g. Tenable Nessus Plugin ID 144198, Qualys QID 13903), you can manage the vulnerabilities directly from within Vulnerability Response using the associated Vulnerability Groups. See the section Managing the Remediation Process Using Vulnerability Groups below for information about how to do this.


Using Exposure Assessment to Check for Vulnerable Versions of SolarWinds Orion
Note: the following requires ServiceNow Software Asset Management and Vulnerability Response to be installed in your ServiceNow instance.
If you have not run a scan using your third-party vulnerability scanner, you can check your environment for installations of the vulnerable software using ServiceNow Exposure Assessment:
1. Under Vulnerability Response > Vulnerability Scanning, open Exposure Assessment.
2. Click New.
3. Fill out the form with the following:

  • Publisher: SolarWinds
  • Product: Orion
  • Version: Leave blank, as there are multiple versions affected

4. Click Show Exposure.


Note: your results will look different from the screenshots in this document, which were provided for example purposes only.

This will show you the total number of vulnerable installations in your environment. With this information, you can now create vulnerable items for the Vulnerability Manager to track patch progress, and tasks for the asset owners to carry out remediation.
1. Once the exposure assessment has been run, review the Exposed Discovery Models. Any models that are unaffected by the exploit can be deleted (e.g. Orion Platform version 2020.2.1 HF 2)
2. Click Create Vulnerable Items.


3. Select New Vulnerability from the drop down and enter the following:

  • Vulnerability (CVE-ID): CVE-2020-13169
  • Vulnerability Summary: An HTML injection vulnerability

Note: you can check to see if you have already imported CVE-2020-13169 by browsing to Vulnerability Response > Libraries > NVD and searching the National Vulnerability Database Entries for the IDs. If it exists, select Existing CVE and choose the appropriate one for Step 6.

Once the Vulnerable Items are created, you can review all instances of the vulnerability associated to a single Configuration Item by clicking on the Assessed Vulnerable Items tab.


Managing the Remediation Process Using Vulnerability Groups
1. Click the Vulnerability Groups to view the newly created work tasks. Vulnerability Groups are Vulnerable Items that have been grouped based on specified conditions. For more information, please see https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/concept/vulnerability-groups.html#vulnerability-groups
2. Click the first Vulnerability Group, click Create Change, and complete the form with the following:

  • Applies to: Select either All active vulnerable items or split the group
  • Add CIs to CR: keep checked
  • Change type: Emergency
  • Priority: 1 – Critical
  • Assignment Group: should be filled in automatically; change if needed
  • Assigned to: if you want to assign to a specific person, select them here
  • Planned end date: Select a date based on your crisis response plan
  • Short Description: An HTML injection vulnerability
  • Description: Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account).
  • Justification: [complete however you wish]
  • Implementation plan: If you have Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, upgrade to 2020.2.1 HF 2. If you have Orion Platform v2019.4 HF 5 or earlier, upgrade to 2019.4 HF 6. Both patches are available by logging into https://customerportal.solarwinds.com

3. The Vulnerability Manager can track patching progress in the Remediation Status section of the Vulnerability Group record.

Note: For SolarWinds Orion 2019.4 HF5 or earlier, you should repeat this process for an additional vulnerability that was also discovered, CVE-2020-14005. Advisory information can be found here and a patch is available here.


References

Observed malicious instances of SolarWinds.Orion.Core.BusinessLayer.dll



External References

  • SolarWinds Advisory: https://www.solarwinds.com/securityadvisory
  • Microsoft Security Response Center: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  • SolarWinds notification to exclude the directory scan for Anti-Virus Files and directories to exclude from antivirus scanning for Orion Platform products (AV exceptions and exclusions): https://support.solarwinds.com/SuccessCenter/s/article/Files-and-directories-to-exclude-from-antivirus-scanning-for-Orion-Platform-products?language=en_US
  • Emergency Directive 21-01 from DHS: https://cyber.dhs.gov/ed/21-01/