Stories from the SOC - SolarWinds Sunburst attack with malicious file

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Threat Detection and Response customers.

Executive summary

In late 2020, SolarWinds was the victim of a cyberattack that spread to their clients and went undetected for months. The foreign entities were able to add malicious code into the Orion system and gain access to companies of all sizes and across industries. The malicious code was distributed to all of the systems via a routine software update. Attacks like this are becoming increasingly frequent, amplifying the importance of security solutions that can quickly detect a potential breach.

The LevelBlue Managed Threat Detection and Response Security Operations Center (SOC) discovered a malicious file related to the SolarWinds malware attacks through our integration with Carbon Black. Carbon Black learned of the attack from FireEye, who discovered it in December 2020 and published a “Breach Overview” describing how custom queries and vulnerability management can be used to surface the vulnerabilities found within an organization. With this information, the SOC was able to work with the customer to mitigate the threat.

Investigation

Initial alarm review

Indicators of Compromise (IOCs)

The initial alarm occurred due to a file within the organization being flagged as malicious by Carbon Black, a vulnerability detection service.

Figure: SWI suspicious behavior alarm

When reviewing the initial alarm, we noticed that the file had been flagged as malicious by its SHA-256 file hash (a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc). A file hash is used to verify a file's integrity: if the hash changes after transfer, the file may have been corrupted. Since we had no original copy against which to compare the listed hash, we expanded the investigation further.

Expanded investigation

Events Search

The first step in confirming the file hash as an Indicator of Compromise (IOC) was to run it through multiple open-source intelligence (OSINT) tools. The hash was rated highly malicious by VirusTotal, IBM X-Force, and Talos File Reputation.
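The reputation check described above can be scripted so that the verdict is recorded consistently for every hash an analyst triages. The example below is added here and is not code from the original write-up or from any of the vendors named; it parses a response in the shape returned by the VirusTotal v3 `files` object (GET `/api/v3/files/{hash}`) and maps the detection counts to a triage verdict. The JSON body is constructed to mimic that layout (the counts are not a real VirusTotal result for this hash), and the detection threshold is an assumption, not vendor guidance.

```python
"""Triage a file-hash reputation lookup.

Added example, not from the original SOC write-up. SAMPLE_VT_RESPONSE is a
constructed body mimicking the VirusTotal v3 'files' object layout; the
detection counts are invented. The threshold in classify() is an assumption.
"""
import json
import re

# SHA-256 from the investigation write-up.
IOC_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed response body (shape only; counts are made up for the example).
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "id": IOC_SHA256,
        "type": "file",
        "attributes": {
            "last_analysis_stats": {
                "malicious": 58,
                "suspicious": 1,
                "undetected": 9,
                "harmless": 0,
                "timeout": 0,
                "type-unsupported": 4,
            }
        },
    }
})


def vt_url(sha256: str) -> str:
    """URL of the v3 file object for a hash. The lookup itself needs an API
    key in the x-apikey header and is not performed here."""
    if not SHA256_RE.match(sha256):
        raise ValueError("expected a 64-character hex SHA-256")
    return f"https://www.virustotal.com/api/v3/files/{sha256.lower()}"


def classify(stats: dict, malicious_threshold: int = 10) -> str:
    """Map per-engine detection counts to a verdict.

    Engines that timed out or do not support the file type are excluded from
    the engine total. The threshold is an assumed triage cut-off."""
    counted = {k: v for k, v in stats.items()
               if k not in ("timeout", "type-unsupported")}
    engines = sum(counted.values())
    bad = counted.get("malicious", 0)
    if engines == 0:
        return "unknown"
    if bad >= malicious_threshold:
        return "malicious"
    if bad > 0 or counted.get("suspicious", 0) > 0:
        return "suspicious"
    return "clean"


def triage(response_body: str, expected_sha256: str) -> dict:
    """Parse a v3 file-object response and return a verdict record.

    Refuses to score a response whose object id is not the hash we asked
    about, so a mix-up between lookups cannot produce a wrong verdict."""
    obj = json.loads(response_body)["data"]
    if obj.get("type") != "file":
        raise ValueError("not a file object")
    if obj["id"].lower() != expected_sha256.lower():
        raise ValueError("response is for a different file")
    stats = obj["attributes"]["last_analysis_stats"]
    return {
        "sha256": obj["id"].lower(),
        "verdict": classify(stats),
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "source_url": vt_url(obj["id"]),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VT_RESPONSE, IOC_SHA256), indent=2))
```

The same `classify()` can be applied to any source that reports per-engine counts, which keeps the "highly malicious" judgement identical across the tools an analyst consults.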

VirusTotal File Hash Reputation Check

Figure: VirusTotal result for the SWI file hash

IBM X-Force File Hash Reputation Check

Figure: IBM X-Force result for the SWI file hash

Talos File Reputation Check

Figure: Talos assessment of the SWI file hash

Event deep dive

With the file confirmed as malicious, we searched for all events containing this file hash. Only one event contained the malicious hash, and it did not indicate any form of mitigation.
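The two checks that drove this part of the investigation, matching a known-bad SHA-256 against files on disk and against the event stream, are shown below as an added example that is not code from the original write-up or from Carbon Black. The EDR-style event records are constructed for the example and their field names (`hostname`, `path`, `sha256`, `action`) are assumptions rather than any vendor's schema; the hash is the one from the alarm. The disk sweep hashes files in a temporary directory and, because no file with the real IOC hash is available, treats a constructed sample file's hash as a second IOC.

```python
"""Hash-based IOC sweep over files on disk and over EDR-style events.

Added example, not from the original SOC write-up. Event records and field
names are constructed assumptions. The IOC hash is the one from the alarm.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

IOC_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

# Constructed EDR-style events (JSON lines). Field names are assumptions.
SAMPLE_EVENTS = [
    json.dumps({"hostname": "WS-01", "path": "C:\\Program Files\\example\\lib.dll",
                "sha256": IOC_SHA256, "action": None}),
    json.dumps({"hostname": "WS-02", "path": "C:\\Windows\\System32\\notepad.exe",
                "sha256": "0" * 64, "action": None}),
    json.dumps({"hostname": "WS-03", "path": "C:\\Temp\\sample.bin",
                "sha256": IOC_SHA256.upper(), "action": "terminated"}),
]


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs):
    """Return [(path, sha256)] for every file under root whose hash is an IOC.
    Hashes are compared case-insensitively; unreadable files are skipped."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((p, digest))
    return hits


def search_events(event_lines, iocs):
    """Return one record per event whose sha256 matches an IOC, noting whether
    the event already carried a mitigation action (the alarm here did not)."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        digest = (ev.get("sha256") or "").lower()
        if digest in wanted:
            hits.append({
                "host": ev.get("hostname"),
                "path": ev.get("path"),
                "mitigated": ev.get("action") is not None,
            })
    return hits


def demo():
    """Build a constructed directory tree, sweep it, and search the sample events."""
    sample = b"constructed sample content standing in for a flagged binary\n"
    iocs = {IOC_SHA256, hashlib.sha256(sample).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "benign.txt").write_bytes(b"nothing to see here\n")
        Path(root, "sub").mkdir()
        Path(root, "sub", "flagged.bin").write_bytes(sample)
        disk_hits = sweep_directory(root, iocs)
    return {
        "disk_hits": [os.path.basename(p) for p, _ in disk_hits],
        "event_hits": search_events(SAMPLE_EVENTS, iocs),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Normalising hash case before comparison matters in practice: EDR consoles, OSINT portals and analyst notes mix upper- and lower-case hex, and a case-sensitive match would silently miss the upper-cased event above.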

Figure: SWI event deep dive

Response

Building the Investigation

Because immediate remediation was needed, we opened a High severity investigation for the customer summarizing our observations, findings, references, and recommendations.

Figure: SWI malware response investigation

Customer interaction

Figure: Customer interaction after the SWI attack

We immediately reached out to the customer by phone to alert them to the malicious file within their organization. After further investigation on their end, the customer confirmed that the file was in fact malicious; in response, they deleted the file and scanned all endpoints for known IOCs. In addition, they used Carbon Black Response to ban the file so that it cannot run in the future. The quick detection and escalation from the SOC to the customer allowed them to locate the malicious file and take immediate action to prevent the spread of the SolarWinds attack. Once aware of the compromise, the customer was able to strengthen their infrastructure and rule out further related threats.
