SolarWinds SUNBURST Trojan Backdoor

A new zero-day vulnerability has been identified for SolarWinds Orion Platform customers. If you are running SolarWinds versions 2019.4 HF 5 through 2020.2.1 and are utilizing the Orion Platform, you are vulnerable to the SUNBURST Trojan.

The vulnerability is delivered via a normal SolarWinds update which at the time of this bulletin appears to be targeted for any Orion Platform subscribers.

Many of these recommendations have been selected and modified from the https://cyber.dhs.gov/ed/21-01/ emergency directive.

1. Determine your SolarWinds version following the instructions located here https://support.solarwinds.com/SuccessCenter/s/article/Determine-which-version-of-a-SolarWinds-Orion-product-I-have-installed?language=en_US”


2. It may be possible that some or all hosts monitored by the SolarWinds Orion monitoring software may be compromised by threat actors and further persistence mechanisms may have been deployed. Analyze stored network traffic for indications of compromise, including new external DNS domains to which hosts (e.g., SolarWinds systems) have had connections.


3. Look for the following IOCs on the SolarWinds instance
   1. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]
   2. [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

1. Block outbound internet access from the SolarWinds system to all external (Internet) destinations except for needed destinations for business functionality.


2. Install the latest SolarWinds version 2020.2.1 HF1 and verify the hotfixes using the instructions provided here https://support.solarwinds.com/SuccessCenter/s/article/Verify-hotfixes-that-have-been-installed?language=en_US


3. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

After all threat actor-controlled accounts and identified persistence mechanisms have been identified and removed:

1. Any SolarWinds Orion systems identified as compromised should be rebuilt.


2. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.


3. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
   1. See Microsoft’s documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448
   
   
4. Require use of long and complex passwords (greater than 25 characters) for service principal accounts and implement a good rotation policy for these passwords.


5. Replace the user account by Group Managed Service Account (gMSA). See https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview and Implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.


6. Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES128 bit encryption.


7. Define the Security Policy setting, for Network Security: Configure Encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
   1. See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password, twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.