As mentioned in the previous post about GFI LanGuard as an alternative patch solution to SolarWinds Orion, this follow-up provides details about how GFI LanGuard can be used to locate devices and detect the SolarWinds Orion product versions which were exploited in the breach.
To do this we will first examine a bit about the breach, some of its behavior, and how GFI LanGuard can scan and detect the vulnerability.
SolarWinds Orion breach explained
The SolarWinds Orion breach can be explained by looking at a few key layers. The first layer of the breach was with SolarWinds Orion. The SolarWinds Orion (server side) product calls home to pull down updates and the changes it needs. These update servers were compromised..
With access to these critical update locations, attacking agents were able to place the malicious code there, and make it available for unsuspecting organizations to pull it down to the network.
Once inside the network the attackers were able avoid detection by hiding the compromise in a few ways. First, the malicious code did not start working immediately, in fact it took a 2-week “nap” before it would start executing. Then this code inside BusinessLayer.dll was digitally signed in a way that passed normal verifications. Finally, the code likely used several techniques when it first started executing to determine if it was in a sandbox before continuing. This is usually done by “pinging” both known network segments to identify if they exist or do not exist, as well as their own “hacker home base”.
So far, this is the equivalent of breaking and entering both SolarWinds and the victims’ networks, but it is notable that at this point the bad actors are simply in the right place. The next layer compromised is the user/authentication. For the hackers to gain access across the network they will need some “good enough” credentials. This might be in the form of service accounts, user accounts, or even administrator accounts. So to start, the hackers use their connection back to “hacker home base” to pull down anything needed, add this to the built-in tools of the operating system to identify what users it can see, and then attempt to compromise these users. The hackers may use multiple users to ensure fall-back plans and to gain access to different areas or systems.
Once they’re in, the hackers gauge how much access they have by trying other devices, network services, applications, and elements.
To avoid detection by the users they have compromised, they want the systems they access to believe that the “hacker home base” is a trustworthy, and “normal” location. This enables them to stay on the network longer and avoid detection.
Now the hackers are in position to do real damage. They can view and transfer data out of the network, place additional code to alert and monitor activity of others, and install additional software that appears trusted to spread across the network and begin to extract value.
What has made this breach so noteworthy is the type of customers affected:
- All ten of the top-ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
The SolarWinds Orion product is designed to manage and administer the network, including updating software and operating systems for critical security patches. This means that the level and types of users the hackers had immediate access to were some of the highest in the network.
Patching operating systems and critical applications requires changes to sensitive code on the device. Making these changes requires elevated user permissions such as local or domain level administrative users. As a result, the permissions-level of the users visible on the SolarWinds Orion server were likely some of the highest in the network.
Detecting SolarWinds breach in your network
There are two areas to consider when examining your network for a breach:
- Was the infected version of the SolarWinds Orion software ever installed in your network?
- Even if SolarWinds Orion is removed, the hackers could still be in your network reaching out to their domains.
Detecting infected SolarWinds Orion Software with GFI Languard
GFI LanGuard with the Dec 27th 2020 definitions update (#1480), can detect the SolarWinds Orion versions which may be contaminated with the malware (sunburst).
Using specific checksums which identify the malicious code, GFI LanGuard can detect if the Orion core files in their default location (C:\Program Files (x86)\Solarwinds\Orion match any of these.
A checksum is a small-sized datum derived from a block of data for the purpose of detecting errors that may have been introduced during its transmission or storage.
We have identified four major checksums that represent the critical vulnerability. We have also identified an additional two checksums with the same files; however it appears they do not have any malware with them. We will consider these low-risk vulnerabilities.
In all situations we recommend updating or removing this code by either removing the SolarWinds Orion software on that device, or upgrading to a secure version once the malware has been removed.
Running the GFI LanGuard scan
Before starting, ensure that GFI LanGuard has the latest updates and definitions to detect the SolarWinds Orion vulnerabilities. While this is automatically completed when you first install, it is also important to verify that you have GFI LanGuard set to update daily, to ensure you are on the latest update.
From the GFI LanGuard interface click on the “Configuration tab > Program Updates”. From Common Tasks select “Edit Program Updates” options. Here you can configure GFI LanGuard’s definitions to be updated daily.
To start GFI LanGuard program updates manually, click on the “Configuration tab > Program Updates”, then from Common Tasks click “Check for Updates”. Specify the location to download the updates, then click “Next” to proceed with the update. Select the updates and click “Next” then “Start” to begin the update progress.
Now that GFI LanGuard is updated with the latest definitions, we will want to perform a vulnerability scan across the network. While it is always good to run a complete scan, it’s also possible to run a manual scan to detect if the SolarWinds Orion vulnerability is present.
From the GFI LanGuard Home tab, click “Launch a Scan”, you will then be prompted to input what segment of your network(s) you would like to scan. You will also be asked what scanning profile to use. For the purpose of this post, you will want to select the Vulnerability Assessment.
More on this can be found in our support manual under “Scanning your Networks”. Here you will find that GFI LanGuard can support many different profiles and scanning types including scheduled scans.
Blocking domains used in the SolarWinds breach in your network traffic
In addition to ensuring you have removed any infected SolarWinds Orion code, it is still possible that hackers have placed other independent code on the network and it is still running. While performing deep scans across your network is important, it is best to ensure that the “hacker home base” domains are not being connected to.
To do this, GFI provides advanced web antivirus & content filtering through Kerio Control Next Generation Firewall. As of December 14th 2020, the Kerio Control product is able to identify and block all known domains which were involved in the SolarWinds compromise. These domains were entered into our definitions as malicious so that it would immediately prevent this traffic.
This domain list includes the following:
As new information is learned any additional domains will be added to the Kerio Control definitions to protect you.
To get started using GFI LanGuard to detect the SolarWinds Orion infected devices, you can download a free 30 day trial. In addition, you can download Kerio Control if you are concerned with your network traffic.
Both of these products are part of GFI’s Unlimited|Network Security Solution which is a single subscription providing multilayered security to prevent, detect, and remediate threats from entering your network.