Detecting the highly evasive Sunburst attack using an (old) ML model

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed mid-December a wide-spread cyber-attack against multiple government agencies, critical infrastructure providers and private sector organizations. The attackers breached their victims’ IT networks by compromising the software supplier SolarWinds, which allowed them to install a Remote Access Trojan (RAT) through SolarWinds’ software update mechanism.

The cyber-attack campaign - “Sunburst” - has been ongoing since at least March 2020 with a strong peak in April 2020, as an retroactive analysis of the global DNS provider Cloudflare showed [7]. In December 2020 the cybersecurity and threat research company FireEye detected the supply chain attack in their own network [2]. After FireEye published a detailed report on the attack [3], cybersecurity vendors started to build and distribute Indicators Of Compromise (IOCs) and signatures for the attack. Replicating the attack in our lab using the information published by our colleagues, we showed that our ExeonTrace NDR software can detect the malicious domains initially accessed by the RAT out-of-the-box without requiring a signature update (see below for the required configuration). In fact, the software can do so using a machine learning model trained more than two years ago – long before we became aware of the attack.

How is this possible? The RAT uses a Domain Generation Algorithm (DGA) to construct subdomains of avsvmcloud[.]com, which it accesses to locate its C&C server to load instructions. 0fhdojdvgeuskgkcds2n0i3uho1i2v0i[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com is an example hostname constructed by the algorithm, where the string “0fhdojdvgeuskgkcds2n0i3uho1i2v0i” encodes information on the compromised network (see [3] for more details). A traditional signature-based approach can only detect the attack, if there is an IOC for the accessed hostname (e.g., the IOC could be “*.avsvmcloud[.]com”). Of course, such an IOC can only be built after the attack has been detected, resulting in a chicken-egg problem.

ExeonTrace does not rely on signatures to detect DGA activity. Instead, ExeonTrace features an ML model that has been trained to detect the typical patterns occurring in hostnames generated with DGA. As our engineers built the model in a way that it generalizes quite well, ExeonTrace can detect DGA algorithms it has not been trained on. This is, we can detect novel cyber-attacks, for which no IOC exist yet and thus avoid the chicken-egg problem of signature-based approaches.

For more information on DGA, please see our CTO’s blog post “How hackers communicate – DGA”

csm_sunburst_blog.png ExeonTrace detecting Sunburst’s DGA.

  • Make sure that DNS data is forwarded to ExeonTrace and check in the configuration that “dgaDnsConfig.enabled” is set to “true” and “dgaDnsConfig.onlySld” to “false”.
  • To specifically search for the sunburst IOCs, load solarwinds-sunburst.json as custom threat feed. This ready-made blacklist contains IPv4, IPv6 and FQDN from different sources.
  • Check ExeonTrace's visualizations for unexpected cross-talking and outgoing data flows.

Exeon support is happy to support you with verifying the configuration.

Not a customer yet? Get instant visibility

  • Particularly in times like this, it is key to understand who is communicating with whom in your own IT network - simply because you can't prevent a breach if you can't see it.
  • ExeonTrace gives you full visibility into your IT landscape by analyzing data exported by your existing firewalls, switches, secure web gateways and general applications.
  • The setup of our software-only solution typically only takes a single day.

Timeline of the Sunburst Advanced Persistent Threat (APT) attack

March 2020 or earlier:

Attackers start compromising U.S. government agencies, critical infrastructure entities, and private sector organizations [1].

December 8, 2020:

The cybersecurity company Fireeye announces the detection of a highly sophisticated attack in their own network [2].

December 13, 2020:

Fireeye’s analysis of the incident shows that the attackers compromised their network through the software supplier SolarWinds [3]. The US Cybersecurity and Infrastructure Security Agency (CISA) issues an Emergency Directive [4] to immediately disconnect all SolarWinds Orion products from IT networks and investigate the networks for signs of intrusion.

December 13, 2020 and later:

Fireeye as well as independent companies start publishing Indicators of Compromise (IOCs) to detect the Sunburst attack [5,6].

References

[1] https://us-cert.cisa.gov/ncas/alerts/aa20-352a

[2] https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[3] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[4] https://cyber.dhs.gov/ed/21-01/

[5] https://github.com/fireeye/sunburst_countermeasures

[6] https://github.com/bambenek/research/tree/main/sunburst

[7] https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/

David Gugelmann

Author:

David Gugelmann

Co-CEO & Founder

email:

david.gugelmann@exeon.com

Share:

Published on:

22.12.2020

Newsletter
Terms of UsePrivacy PolicyImprint
contact@exeon.comphone: +41 44 500 77 21