Detecting Sunburst (AKA the SolarWinds Compromise) With RITA and AI-Hunter
By now you’ve seen multiple news reports that FireEye, NASA, the Pentagon, the Treasury and Commerce departments, and possibly even the White House, were compromised via an attack against a common network management package called SolarWinds Orion. Both FireEye and SolarWinds have published very good write-ups on the attack. In short, if you or your MSP is a SolarWinds customer, there is a real chance that your network has been compromised, permitting the attackers to take control of hosts inside your network. Most organizations are playing catch-up to identify whether they have been impacted.
Sunburst Command and Control Traffic
The attack modified the code that gets distributed as part of the SolarWinds Orion package. This modification included code that sets up a beacon command and control (C2) channel that calls back to a C2 server. Attackers can then queue up commands on the C2 server which will be executed when the infected system checks in.
Typically, Sunburst uses HTTP to connect out to the Internet, but this can be changed. Further, the C2 connection typically calls home at 60-second intervals, but this interval can also be changed. The IP addresses of the C2 servers can obviously be changed as well. The software can also jitter the timing of the C2 beacon, which defeats beacon detection tools that rely on K-Means clustering of the call-home intervals.
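The beacon behaviour described above (a fixed call-home period, optionally jittered) can be scored from nothing more than the timestamps of the connections a host makes to each destination. The following is an added Python illustration, not RITA’s or AI-Hunter’s code: the IP addresses, the 60-second period, the jitter offsets and the “human browsing” gap list are constructed sample data, and the scoring formula (median absolute deviation of the gaps relative to the median, plus Bowley skew of the quartiles) is a simplified stand-in for what a real beacon analyser does. It shows why jitter alone does not hide a beacon: the gaps are no longer one tight cluster, but they are still symmetric and narrowly spread around the period, which robust statistics pick up while a clustering-only approach does not.

```python
"""Toy beacon scorer over per-destination connection timestamps.

Illustrative code only, not RITA's or AI-Hunter's algorithm. All traffic
below is constructed sample data.
"""
import statistics
from collections import defaultdict


def generate_conns(src, dst, start, period, jitter, count):
    """Constructed sample: `count` connections from src to dst, `period`
    seconds apart plus the offsets in `jitter` (cycled). An empty jitter
    list gives a perfectly regular beacon; period 0 with a jitter list
    makes the list itself the sequence of gaps."""
    conns, ts = [], start
    for i in range(count):
        conns.append((ts, src, dst))
        ts += period + (jitter[i % len(jitter)] if jitter else 0)
    return conns


def intervals_by_pair(conns):
    """Group (ts, src, dst) tuples by src/dst pair and return the gaps
    between consecutive connections for each pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    gaps = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps[pair] = [b - a for a, b in zip(stamps, stamps[1:])]
    return gaps


def beacon_score(intervals, min_conns=10):
    """Return 0..1; 1.0 means the gaps sit tightly around a single period.

    dispersion: 1 - MAD/median, robust to a few outliers, so jitter of a
    few seconds around a 60 s period still scores high.
    skew: 1 - |Bowley skewness| of the quartiles; jitter centred on a fixed
    period is symmetric, human browsing (many tiny gaps, a few huge ones)
    is not.
    """
    if len(intervals) + 1 < min_conns:
        return 0.0  # too few connections to call it a beacon
    med = statistics.median(intervals)
    if med <= 0:
        return 0.0
    mad = statistics.median(abs(x - med) for x in intervals)
    dispersion = 1.0 - min(1.0, mad / med)
    q1, q2, q3 = statistics.quantiles(intervals, n=4)
    iqr = q3 - q1
    skew = 1.0 - min(1.0, abs((q3 + q1 - 2 * q2) / iqr)) if iqr else 1.0
    return round((dispersion + skew) / 2, 3)


def score_all(conns, min_conns=10):
    """Score every src/dst pair seen in the connection list."""
    return {pair: beacon_score(gaps, min_conns)
            for pair, gaps in intervals_by_pair(conns).items()}


# Constructed sample traffic from one internal host (addresses are
# documentation ranges, not real C2 servers).
FIXED = generate_conns("10.0.0.5", "203.0.113.10", 0, 60, [], 41)
JITTERED = generate_conns("10.0.0.5", "203.0.113.20", 0, 60,
                          [0, 9, -7, 3, -11, 12, -4, 6, -9, 1], 41)
HUMAN = generate_conns("10.0.0.5", "198.51.100.7", 0, 0,
                       [2, 1, 3, 350, 1, 2, 1200, 5, 2, 4,
                        900, 1, 3, 2, 60, 2, 1, 4500, 2, 1], 21)

if __name__ == "__main__":
    scores = score_all(FIXED + JITTERED + HUMAN)
    for (src, dst), score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{src} -> {dst}: beacon score {score}")
```

The fixed 60-second beacon scores a perfect 1.0, the jittered one still scores well above 0.8 because its gaps stay symmetric and within about 20% of the period, and the browsing-style traffic scores low. A real analyser adds further signals (connection counts over the capture window, data-size regularity, destination reputation) and you still have to look at the high scorers by hand, but timing alone is enough to put both beacons at the top of the list.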
Impact on RITA and AI-Hunter Customers
If you are using our open-source tool RITA, or our commercial product AI-Hunter, no changes are required to detect Sunburst activity on your network. Prior to this announcement, our customers were already capable of detecting this type of traffic. No patches or updates are required. If you have analyzed all beacon traffic detected on your network, you should be all set.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them improve their product security through continuous development and identify their product-market fit.