IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 1
Log In or Register to download the BES file, and more.

3 Votes

Versioning - This is the latest version.

1IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 112/16/2020 9:40:23 AM
2IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 112/16/2020 10:21:16 AM
3IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 112/16/2020 11:11:43 AM
4IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 112/18/2020 12:53:09 PM
5IoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 112/21/2020 8:08:57 AM

Description

Learn more about this analysis online: https://bigfix.me/cdb/analysis/2998628

Learn more about this analysis online: https://bigfix.me/cdb/analysis/2998624

Learn more about this analysis online: https://bigfix.me/cdb/analysis/2998623

This Analysis retrieves Indicators of Compromise for several known-compromised versions of SolarWinds Orion's "netsetupsvc.dll" and "SolarWinds.Orion.Core.BusinessLayer.dll" files.

This method, "Method 1", checks for these files in several expected locations, but does not perform a full-disk scan.  For a full-disk scan, check for "Method 2" links at https://forum.bigfix.com/t/dhs-emergency-directive-21-01-solarwinds-thread/36420

This Analysis contains three properties:

"IoC-SolarWinds-Sunburst - Compromised netsetupsvc.dll present at \Windows\SysWOW64" - A True result indicates the malicious file appears to be present

"IoC-SolarWinds-Sunburst - Compromised SolarWinds.Orion.Core.BusinessLayer.dll is present" - A True result indicates a known-malicious version of the file is present

"IoC-SolarWinds-Sunburst - SolarWinds.Orion.Core.BusinessLayer.dll - All Details" - Retrieves file details for all versions of the DLL file detected.  No determination is made whether the file is valid or malicious.  This may be useful for comparing hashes as new IoC hashes are published in the future.

"IoC - SolarWinds SuperNova - Compromised app_web_logoimagehandler.ashx.b6031896.dll is present" - A True result indicates a known-malicious version fo the file is present

"IoC-SolarWinds-Sunburst - app_web_logoimagehandler.ashx.b6031896.dll - All Details" - Retrieves file details for all versions of the DLL file detected.  No determination is made whether the file is valid or malicious.  This may be useful for comparing hashes as new IoC hashes are published in the future.

Ref:

https://cyber.dhs.gov/ed/21-01/

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

https://unit42.paloaltonetworks.com/solarstorm-supernova/

Related:

BigFix Forum Technical Discussion

 

Method 1 Detection Relevance and Analysis:

 

Method 2 Scan Task and Analysis:

 

Emergency Directive 21-01

December 13, 2020

Mitigate SolarWinds Orion Code Compromise

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)

These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background

SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

  • Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems;

  • High potential for a compromise of agency information systems;

  • Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

Please refer to the MITRE ATT&CK framework for possible tactics the threat actors are using to maintain persistence in the environment.

Required Actions

This emergency directive requires the following actions:

  1. Agencies that have the expertise to take the following actions immediately must do so before proceeding to Action 2. Agencies without this capability shall proceed to Action 2.

    a. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1]. Analyze for new user or service accounts, privileged or otherwise.

    b. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

  1. Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:

    a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.

    b. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

  1. By 12pm Eastern Standard Time on Monday December 14, 2020 agencies shall report as an incident to CISA (at https://us-cert.cisa.gov/report) the existence of any of the following:

    a. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]

    b. [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

    c. Other indicators related to this issue to be shared by CISA

  1. After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed:

    a. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.

    b. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.

    c. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

    d. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:

  2. By 12pm Eastern Standard Time on Monday December 14, 2020, submit a report to CISA using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the affected devices were either disconnected or powered down.

These requirements apply to any agency network utilizing the SolarWinds Orion product. This includes any information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

CISA Actions

  • CISA will continue to work with our partners to monitor for active exploitation associated with this vulnerability. CISA will release additional indicators of compromise as they become available.

  • CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).

Duration

This emergency directive remains in effect until all agencies have applied the forthcoming patch or the directive is terminated through other appropriate action.

Additional Information

Frequently Asked Questions

Answers to common questions appear below.

What does the directive mean by “expertise”?

By “expertise”, we mean that you have staff or supporting personnel that are properly trained in taking a forensic image of system memory and have tooling readily-available to immediately do so.


Property Details

ID2998634
TitleIoC Detection: DHS Emergency Directive 21-01 - SolarWinds / Sunburst - Method 1
DomainBESC
Keywords Solar Winds Orion ED21-01 SolarWinds.Orion.Core.BusinessLayer.dll DHS Sunburst
Added by on 12/21/2020 8:08:57 AM
Last Modified by on 12/21/2020 8:08:57 AM
Counters 5153 Views / 34 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 2 ratings. ** Log In or Register to add your rating.

Properties

IoC-SolarWinds-Sunburst - Compromised netsetupsvc.dll present at \Windows\SysWOW64
Period 1 day
 
  * Results in a "string"/number
Show indented relevance
if (x64 of operating system) then (exists files "netsetupsvc.dll" of folders "syswow64" of windows folders) else false
IoC-SolarWinds-Sunburst - Compromised SolarWinds.Orion.Core.BusinessLayer.dll is present
Period 12 hours
 
  * Results in a true/false
Show indented relevance
exists (find folders "SolarWinds" of ((folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED"))); folders (unique values of (values "InstallLocation" of it as string) of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries))) whose (exists (files "Orion\SolarWinds.Orion.Core.BusinessLayer.dll" of it; files "SolarWinds.Orion.Core.BusinessLayer.dll" of it) whose (sha256 of it is contained by set of("e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d" ; "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2" ; "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" ; "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b" ; "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed" ; "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77" ; "ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8" ; "b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666" ; "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9" ; "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589" ; "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6" ; "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c" ; "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134" ; "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6" ; "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d" ; "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690" ; "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d" ; "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc" ; "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af") OR md5 of it = "b91ce2fa41029f6955bff20079468448") )
IoC-SolarWinds-Sunburst - SolarWinds.Orion.Core.BusinessLayer.dll - All Details
Period 12 hours
 
  * Results in a true/false
Show indented relevance
unique values of (it as string) of (pathname of it, version of it as string| "no version", sha1 of it|"NoSHA1", sha256 of it|"NoSHA256", md5 of it|"NoMD5") of files ("Orion\SolarWinds.Orion.Core.BusinessLayer.dll";"SolarWinds.Orion.Core.BusinessLayer.dll") of (find folders "SolarWinds" of (( folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED"))); folders (unique values of (values "InstallLocation" of it as string) of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries)))
SolarWinds Orion Installation Paths (from Registry)
Period 12 hours
 
  * Results in a true/false
Show indented relevance
pathnames of folders (unique values of (values "InstallLocation" of it as string) of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries))
SolarWInds Orion Product Details (from Registry)
Period 12 hours
 
  * Results in a true/false
Show indented relevance
(value "DisplayName" of it as string | "None", value "DisplayVersion" of it as string | "No DisplayVersion", value "InstallDate" of it as string | "No InstallDate", value "InstallLocation" of it as string | "No InstallLocation") of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries)
IoC - SolarWinds SuperNova - Compromised app_web_logoimagehandler.ashx.b6031896.dll is present
Period 12 hours
 
  * Results in a true/false
Show indented relevance
exists (find folders "SolarWinds" of ((folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED"))); folders (unique values of (values "InstallLocation" of it as string) of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries))) whose (exists (files "Orion\app_web_logoimagehandler.ashx.b6031896.dll" of it; files "app_web_logoimagehandler.ashx.b6031896.dll" of it) whose (sha256 of it is contained by set of("c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71")) )
IoC-SolarWinds-Sunburst - app_web_logoimagehandler.ashx.b6031896.dll - All Details
Period 12 hours
 
  * Results in a true/false
Show indented relevance
unique values of (it as string) of (pathname of it, version of it as string| "no version", sha1 of it|"NoSHA1", sha256 of it|"NoSHA256", md5 of it|"NoMD5") of files ("app_web_logoimagehandler.ashx.b6031896.dll") of (it; folders "Orion" of it) of (find folders "SolarWinds" of (( folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED"))); folders (unique values of (values "InstallLocation" of it as string) of keys whose (value "DisplayName" of it as string starts with "SolarWinds Orion" ) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries)))

Relevance

Used in 20 fixlets and 16 analyses   * Results in a true/false
Show indented relevance
windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)

Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!