SpiderLabs Blog

Trustwave’s Action Response To the FireEye Data Breach & SolarWinds Orion Compromise

Written by Trustwave SpiderLabs | Dec 31, 2020 6:55:00 AM

UPDATES

This blog post was updated March 17 to include information on new Trustwave IDS updates.

This blog post was updated Jan. 26 to include more information about Trustwave product protections for the Raindrop malware.

This blog post was updated Jan. 15 to include more information about Trustwave product protections for the SUNSPOT malware and CVE-2020-10148.

This blog post was updated Dec. 31 to provide more information about the SUPERNOVA malware and Trustwave product protections.

This blog post was updated on Dec. 23 to provide more information about Trustwave’s response to the FireEye tools breach and SolarWinds Orion platform compromise, as well as additional clarifications to Trustwave’s non-use of affected versions of SolarWinds Orion.

 

FireEye Red Team Tools Breach

We wanted to share the plans and procedures we've put in place in response to the FireEye breach that was made public on Dec. 8, 2020.

As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

At this time, there is no evidence or reason to believe that the FireEye breach or the theft of the red teaming tools has impacted any Trustwave customers or partners.

FireEye has also indicated that the attackers attempted to access information on internal systems related to "government customers" specifically, but there has been no evidence of data exfiltration from the affected systems. Additional investigation and adherence to responsible and legally required disclosure policies by FireEye will be required in order for a client-specific impact from these events to be further determined.The tactics, techniques and procedures (TTPs) of the threat actor(s) responsible for the breach and indicators of compromise (IOCs) are still being investigated.

We are diligently monitoring the situation, and when/if those additional details are released, we will immediately update our signatures and actively monitor and detect any indication of the threat actor(s) within our customers' assets.

More Security Actions Taking Place by Trustwave:

  • Trustwave has implemented all FireEye-recommended countermeasures and updates in response to the FireEye red team tool breach.
  • Trustwave Secure Email Gateway (SEG) customers received an update Dec. 14 to detect the stolen red teaming tools, should they be sent over email. Trustwave SEG can also detect email-borne exploits that are used by the FireEye tools (CVE- 2017-11774).
  • SNORT signatures were added on Dec. 18 to Trustwave IDS devices for detecting typical traffic from these tools.
  • Trustwave is continuously monitoring for the unauthorized usage of the stolen FireEye toolsets within our managed customer environments across geographies.
  • Trustwave released a ModSecurity WAF update for the commercial rules that block web-based exploits used by the stolen FireEye tools.
  • Trustwave Security Testing for Networks released checks on Dec. 22 for our network scanner to detect most of the vulnerabilities that are used by the stolen FireEye tools and the VMware vulnerability that was also used in these attacks (CVE-2020-4006).

Trustwave will continue to be transparent, vigilant and collaborative with the security community to protect organizations from any malicious actors that may attempt to utilize these tools.

SolarWinds Orion Platform Compromise

On Dec. 13, FireEye confirmed a SolarWinds supply chain attack as the cause of their breach via a malware-laced update for the SolarWinds Orion IT network monitoring software (affected SolarWinds Orion versions 2019.4 HF 5 and 2020.2 with no hotfix installed, and 2020.2 HF 1). The incident was reportedly the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation-state.

FireEye has named this malware SUNBURST and published a technical report with detection rules on GitHub.

According to FireEye, this newly discovered supply chain attack campaign is believed to be widespread, affecting public and private organizations that use SolarWinds Orion around the world.

SolarWinds has also published information on a separate malware reported by third parties that affects the Orion platform, referred to as SUPERNOVA.

"SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."

SolarWinds has provided immediate recommended actions for affected Orion platform users to protect against SUNBURST and SUPERNOVA – via the official security advisory – as of Dec. 29.

On Dec. 13, the US Cybersecurity and Infrastructure Agency (CISA) also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.

According to CISA, "This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

The CISA directive for organizations under scope to disconnect or power down SolarWinds Orion products immediately is not optional.

According to CISA, "Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available." Please reference the CISA emergency directive for further updates and supplemental guidance.

Trustwave does not use the SolarWinds Orion platform versions currently known and named to be compromised by SolarWinds (2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1) and has not used these versions at any point in time. At this time, there is no evidence or reason to believe that the SolarWinds Orion compromise has impacted Trustwave.

Trustwave is continuing to conduct diligent investigations in order to further determine company, customer and partner impact.

More Security Actions Taking Place by Trustwave:

  • Trustwave technology and services teams across the globe are actively working with customers to discover and mitigate any threats as a result of the SolarWinds Orion platform compromise.
  • The Trustwave SpiderLabs threat hunting team is actively hunting across customers subscribed for hunt services for all known IOCs. For all other customers, Trustwave has run hunts using the Trustwave Fusion platform for the IP addresses associated with SUNBURST.
  • Trustwave Security Testing for Networks released checks on Dec. 17 for our network scanner to detect the known malicious versions of SolarWinds Orion.
  • Trustwave SpiderLabs global threat operations teams are taking action at the threat detection layer by adding new detection rules in the coming days for all customers based on intelligence provided.
  • Trustwave released an IDS device update on Dec. 24 to detect TLS, SSL and DNS traffic from the SUNBURST malware.
  • On Jan. 8, Trustwave released a ModSecurity WAF update for the commercial rules that protect against the exploits of the SolarWinds Orion API Authentication Bypass Vulnerability (CVE-2020-10148).
  • Trustwave Secure Email Gateway (SEG) and IDS device can detect the SUPERNOVA malware.
  • Trustwave Secure Email Gateway (SEG) customers received an update Jan. 15 to detect the SUNSPOT malware. The SUNSPOT malware is used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product, according to CrowdStrike.
  • Trustwave Secure Email Gateway (SEG) customers received an update on Jan. 21 to detect the Raindrop malware. Trustwave managed IDS/IPS devices also received an update on Jan. 22 to detect the Raindrop malware. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike, according to Symantec.
  • On March 11, Trustwave pushed an IDS release with the following signatures related to the SolarWind attacks:
    •  5 new SLR Rules for Nobelium/Goldmax (SolarWinds Nobelium)
      • All five signatures trigger on hard-coded and variable cookie values used during session key requests and C2 traffic
    • 1 new SLR Rule for Sunshuttle DNS Request (reyweb.com) (SolarWinds Nobelium)
      • Triggers on DNS requests for the known c2 domain reyweb.com