In light of the SolarWinds breach, we want to help our customers who may have questions on how a Zero Trust Architecture can act as an effective approach to limit the impact of such attacks. VMware has been steadfastly monitoring the evolving situation as we learn more about the supply chain compromise.  

The SolarWinds Compromise 

At this point, the consensus is that organizations that installed one of the trojanized SolarWinds Orion updates (the SolarWinds-Core-v2019.4.5220-Hotfix5.msp package analyzed by FireEye [2] is one such update) should consider themselves breached and start an investigation. In addition, given the extent of the breach, every organization that uses SolarWinds products should be on alert for the possibility of an intrusion.

Note that the trojanized update package was signed on March 24, 2020, which means that victims of this attack may have been compromised as early as late March or early April 2020. Once the attackers compromised the SolarWinds Orion hosts, they may have moved laterally to the hosts monitored by the tool, and possibly beyond them, using additional credentials collected along the way (an Orion server typically holds privileged credentials for the systems it monitors, which is what makes it such an attractive pivot). The actions to be taken to address this breach are laid out in DHS CISA's Emergency Directive 21-01 [1].

The analysis of this threat is still a work in progress, but some distinctive characteristics of this attack have surfaced and can be used as detection signals [2].

For example, the attackers use a custom in-memory dropper, called TEARDROP, to deploy Cobalt Strike's BEACON, among other payloads.

An interesting technique used by the malicious actors is to name their Command-and-Control servers after a legitimate host name found in the victim's infrastructure; the server itself is usually hosted on a Virtual Private Server in the same country as the victim, so that neither the name nor the geolocation of the connection stands out as an anomaly.

In addition, to hide their tracks, the attackers used different credentials for the initial remote access and for the subsequent lateral movement, and in some cases were able to forge authentication tokens (SAML tokens signed with a stolen token-signing certificate, as described in Microsoft's guidance [3]).

Finally, the malware (the SUNBURST backdoor) uses a domain generation algorithm: the DNS query it sends to locate its C&C server carries an encoding of the compromised host's domain in the subdomain, likely so that victim-specific C&C servers can be set up [2]. The practical consequence for defenders is that the first beacon shows up in DNS telemetry as a long, random-looking subdomain under a single parent domain, before any C&C traffic is seen.
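
As an added illustration of the DNS signal just described (this is example code, not from the original post and not VMware/NSX code), the following Python script scores the leftmost label of each query in a small constructed DNS log by length, character entropy and digit ratio, then groups the hits by parent domain, since a victim-specific encoding produces many distinct generated labels under one attacker-controlled parent. The log lines, the example-cloud.test domain and the thresholds are all constructed for this example; the script does not implement or decode SUNBURST's actual encoding.

```python
"""Flag DGA-like DNS queries in a constructed query log.

Added example: not code from the original post or from VMware/NSX. The log
lines, domain names and thresholds are constructed for the example, not taken
from the SUNBURST analysis.
"""
import math
import re
from collections import Counter

# Constructed DNS query log: "<timestamp> <client-ip> <qname> <qtype>".
# The two 20-character labels under example-cloud.test imitate the shape of a
# DGA-generated subdomain carrying encoded victim data; the rest are ordinary.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.20.30.40 www.example.com A
2020-12-14T10:01:05Z 10.20.30.40 k3q9xzt72mvp0bwh1lcd.appsync-api.example-cloud.test A
2020-12-14T10:01:07Z 10.20.30.41 mail.corp.example.com A
2020-12-14T10:01:08Z 10.20.30.41 autodiscover.corp.example.com A
2020-12-14T10:01:09Z 10.20.30.40 r8fj4ya6nde5gs2uoqi0.appsync-api.example-cloud.test A
2020-12-14T10:01:11Z 10.20.30.42 update.vendor.example.net A
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character of the label (0.0 for empty or constant strings)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log format into dict records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def score_qname(qname):
    """Features of the leftmost label: length, entropy and digit ratio."""
    label = qname.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return {"label": label, "length": len(label),
            "entropy": shannon_entropy(label),
            "digit_ratio": digits / len(label) if label else 0.0}


def find_dga_like(records, min_len=16, min_entropy=3.5, min_digit_ratio=0.2):
    """Return records whose leftmost label is long, high-entropy and digit-heavy.

    All three thresholds are assumptions chosen for the constructed data; a real
    deployment tunes them against the organisation's own DNS baseline.
    """
    hits = []
    for rec in records:
        s = score_qname(rec["qname"])
        if (s["length"] >= min_len and s["entropy"] >= min_entropy
                and s["digit_ratio"] >= min_digit_ratio):
            hits.append({**rec, **s})
    return hits


def parent_domains_with_churn(hits, min_distinct=2):
    """Group hits by everything after the first label and keep parents that receive
    several distinct generated labels: one attacker-controlled parent domain with
    many unique subdomains is the footprint of a victim-encoding scheme."""
    by_parent = {}
    for h in hits:
        parent = h["qname"].split(".", 1)[1]
        by_parent.setdefault(parent, set()).add(h["label"])
    return {p: sorted(v) for p, v in by_parent.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    hits = find_dga_like(recs)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['qname']} len={h['length']} H={h['entropy']:.2f}")
    print(parent_domains_with_churn(hits))
```

The entropy and length thresholds alone will also catch legitimate CDN and cloud-service labels, which is why the per-parent grouping matters: a single long label under a well-known vendor domain is noise, whereas a stream of distinct long labels under one parent, from a host that should not be talking to the Internet at all, is worth an analyst's time.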

How Can VMware NSX Help Detect and Mitigate This Threat? 

  • The micro-segmentation capabilities of NSX's Service-defined Firewall are an effective protection mechanism to prevent a compromised server running the SolarWinds tools from contacting other parts of the network: an Orion host only needs to reach the systems it monitors, on the monitoring protocols it uses, and everything else can be denied by default. 
  • Micro-segmentation, combined with NSX Intelligence's automated policy formulation, helps limit the damage that unwanted software can do. In addition, the SolarWinds Orion hosts on an organization's network can be easily identified using NSX Advanced Threat Prevention. 
  • The malware analysis capabilities provided by NSX Advanced Threat Prevention now recognize the SUNBURST backdoor as well as Cobalt Strike BEACON. 
  • In addition, NSX Advanced Threat Prevention has several signatures to detect Cobalt Strike BEACON-related communication, and a number of DNS names (FQDNs) and IP addresses related to SUNBURST's infrastructure have recently been added to the NSX Advanced Threat Prevention blocklists. (Note that these new signatures are currently being tested, which means that the corresponding events are generated by the solution but are not yet displayed to the customer until there is enough confidence that the rules are functioning properly.) 
  • NSX's network traffic analytics component (NTA) can identify anomalies associated with unusual connections, such as the connection between a compromised SolarWinds server and the external C&C endpoint. In addition, the NTA component of NSX leverages ML-based techniques to detect anomalous DNS activity, which can highlight the DGA-based lookups this threat performs. 
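
To make the first and last bullets concrete, here is an added Python example (not NSX code and not from the original post) that does in miniature what a learned micro-segmentation policy does: it derives an allow-list for a monitoring host from a baseline window of flow records, then applies default deny to a later window and reports the flows that would be blocked, which are exactly the lateral-movement and C&C connections described above. The Orion address 10.20.30.40, the monitored network 10.20.0.0/16, the flow tuple format and every flow record are constructed assumptions.

```python
"""Learn an allow-list for a monitoring host from baseline flows, then enforce default deny.

Added example, not VMware/NSX code and not from the original post. The
addresses, network layout and flow records are constructed assumptions.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
Rule = namedtuple("Rule", "src dst_net proto dport")

ORION = "10.20.30.40"                                  # assumed Orion server
MONITORED_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed monitored estate

# Constructed baseline: what the monitoring host is seen doing during a learning
# window (SNMP and WMI/RPC to monitored servers, DNS to the internal resolver).
BASELINE_FLOWS = [
    Flow(ORION, "10.20.1.10", "udp", 161),
    Flow(ORION, "10.20.1.11", "udp", 161),
    Flow(ORION, "10.20.2.5", "tcp", 135),
    Flow(ORION, "10.20.0.2", "udp", 53),
]

# Constructed later window: the same traffic plus an SMB connection to a server
# the tool never monitored and an HTTPS session to an external address.
LATER_FLOWS = BASELINE_FLOWS + [
    Flow(ORION, "10.20.7.20", "tcp", 445),
    Flow(ORION, "203.0.113.9", "tcp", 443),
]


def learn_rules(flows, source, nets=(MONITORED_NET,)):
    """Build allow rules from a baseline: one rule per (destination network, proto, port).

    A destination inside one of `nets` is generalised to that network, so a newly
    added monitored server on an already-allowed service port does not trip the
    policy; a destination outside them gets a host-specific (/32) rule.
    """
    rules = set()
    for f in flows:
        if f.src != source:
            continue
        dst = ipaddress.ip_address(f.dst)
        net = next((n for n in nets if dst in n), ipaddress.ip_network(f.dst))
        rules.add(Rule(source, net, f.proto, f.dport))
    return rules


def allowed(flow, rules):
    """Default deny: a flow passes only if some rule matches source, network, proto and port."""
    dst = ipaddress.ip_address(flow.dst)
    return any(r.src == flow.src and dst in r.dst_net
               and r.proto == flow.proto and r.dport == flow.dport
               for r in rules)


def violations(flows, rules):
    """Flows the learned policy would block; each one is a candidate investigation lead."""
    return [f for f in flows if not allowed(f, rules)]


if __name__ == "__main__":
    policy = learn_rules(BASELINE_FLOWS, ORION)
    for r in sorted(policy, key=str):
        print("allow", r.src, "->", r.dst_net, r.proto, r.dport)
    for v in violations(LATER_FLOWS, policy):
        print("BLOCK/ALERT", v)
```

Two points carry over to a real deployment. First, the baseline must be captured before the compromise window (here, before late March 2020) or the attacker's own traffic becomes part of the allow-list. Second, generalising to the monitored network is a deliberate trade-off: it keeps the policy stable as servers are added, but it also means an SMB connection to a monitored server on an allowed port would pass, so the port list should be as narrow as the monitoring protocols actually require.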

Conclusions 

Understanding the SolarWinds breach and its repercussions is a work in progress, and new details will emerge from the analysis of artifacts and telemetry. However, this incident already shows that a Zero Trust Architecture can be an effective approach to limiting the impact of supply-chain attacks: an update from a trusted vendor cannot be prevented from being malicious, but what the host that installed it is allowed to reach can be.

As part of VMware's Zero Trust Architecture, the NSX Service-defined Firewall and Advanced Threat Prevention capabilities, combined with the in-host visibility and detection provided by VMware Carbon Black EDR, offer a unique opportunity to deploy a comprehensive security solution that provides the visibility and fine-grained enforcement necessary to address this emerging threat.

When attacks of this magnitude occur, we are all one team of security practitioners working and collaborating together to keep everyone safe from cyber threats. As we and the community continue to discover new elements of this attack, we will continue to monitor developments and provide updates on how NSX (or other VMware offerings) can help with any new vectors or techniques that are identified.

Contributors 

Giovanni Vigna, Sr. Director NSBU Threat Intelligence Team 

Chad Skipper, Global Security Technologist 

Bibliography 

[1]   DHS CISA, “Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise,” 13 December 2020. [Online]. Available: https://cyber.dhs.gov/ed/21-01/. 
[2]   FireEye, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” 13 December 2020. [Online]. Available: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.
[3]   Microsoft, “Customer Guidance on Recent Nation-State Cyber Attacks,” 13 December 2020. [Online]. Available: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/.