The SolarWinds supply chain attack, named SUNBURST by FireEye and Solorigate by Microsoft, has affected a large number of companies such as FireEye, Google, and Microsoft. The attack involved an APT group which compromised an update server for the SolarWinds Orion product line, inserting a malicious backdoor. 

As our contribution in responding to this attack, we used Elemendar’s AI analyst to process three cyber threat intelligence (CTI) reports from multiple security vendors.

This report focuses on indicators of compromise (IOCs) because IOCs need to be processed rapidly to detect and mitigate potential network breaches within a company. The results output by Elemendar are posted at the end of this report.

One observation is that no single CTI report has a complete listing of IOCs: some list malicious C2 domains while others list malicious file hashes. Therefore, for a human security analyst to gain a full listing of IOCs, multiple reports must be manually processed, in detail, and without mistakes. While we selected three reports for this exercise to avoid a large data dump, ideally a larger number of reports would be used to ensure that all IOCs were collected.

With a human analyst, this takes time, while Elemendar’s AI can analyse multiple reports simultaneously and tag all relevant information in a fraction of the time a human analyst could process the same reports. Human analysts are also prone to mistakes. It is all too easy for a file hash to be labelled as a filename or to mistype a value, especially when time is of the essence. 

The analysis of the CTI reports listed was conducted using only results output by the Elemendar trial. It took less than 30 seconds to receive all output reports via email.

The advantage of being able to ingest a large number of CTI reports quickly is that the results of these reports can easily be cross-referenced against each other to ensure the accuracy of data within the reports. Even with the very small sample size given in this report, four of the five SHA1 hashes within the Trend Micro report can be seen in the ReversingLabs report, and similarly with the malicious domains in the Trend Micro and McAfee reports.
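As an added illustration of the cross-referencing described above (example code written for this post, not Elemendar's own tooling), the script below reads indicator patterns out of STIX 2.1 bundles, normalises the values, and reports which IOCs more than one vendor report agrees on. The two bundles, the 40-hex "SHA-1" values and the domains are constructed placeholders, not the SolarWinds IOCs.

```python
import re
from collections import defaultdict

# One STIX comparison expression, e.g. file:hashes.'SHA-1' = 'abc' or
# domain-name:value = 'x.com'; findall also walks AND/OR compound patterns.
COMPARISON_RE = re.compile(r"([\w-]+):((?:[\w.]|'[^']*')+)\s*=\s*'([^']*)'")

def extract_iocs(bundle):
    """Return (type:property, value) pairs from a bundle's STIX-pattern indicators."""
    iocs = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # skip relationships, report objects, Snort/YARA indicators, etc.
        for obj_type, prop, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            prop = prop.replace("'", "")  # hashes.'SHA-1' -> hashes.SHA-1
            iocs.add((f"{obj_type}:{prop}", value.strip().lower()))  # same hash/domain compares equal
    return iocs

def cross_reference(bundles):
    """Map each IOC to the set of report names it appears in."""
    index = defaultdict(set)
    for name, bundle in bundles.items():
        for ioc in extract_iocs(bundle):
            index[ioc].add(name)
    return dict(index)

def corroborated(bundles, min_reports=2):
    """IOCs that at least min_reports independent reports agree on."""
    return {i for i, names in cross_reference(bundles).items() if len(names) >= min_reports}

def indicator(pattern):  # minimal constructed indicator; only the fields read above are set
    return {"type": "indicator", "pattern_type": "stix", "pattern": pattern}

# Constructed sample bundles: placeholder 40-hex "SHA-1" values and domains, not real IOCs.
H1, H2, H3, H4 = "1a" * 20, "2b" * 20, "3c" * 20, "4d" * 20
VENDOR_A = {"type": "bundle", "objects": [
    indicator(f"[file:hashes.'SHA-1' = '{H1}']"),
    indicator(f"[file:hashes.'SHA-1' = '{H2}']"),
    indicator(f"[file:hashes.'SHA-1' = '{H3}']"),
    indicator("[domain-name:value = 'c2-placeholder.example']"),
]}
VENDOR_B = {"type": "bundle", "objects": [
    indicator(f"[file:hashes.'SHA-1' = '{H2.upper()}']"),  # same hash, different case
    indicator(f"[file:hashes.'SHA-1' = '{H3}' AND file:name = 'payload.dll']"),
    indicator(f"[file:hashes.'SHA-1' = '{H4}']"),
    indicator("[domain-name:value = 'C2-Placeholder.example']"),
    indicator("[domain-name:value = 'second.example']"),
    {"type": "indicator", "pattern_type": "snort", "pattern": "alert tcp any any -> any 80"},
]}
REPORTS = {"vendor_a": VENDOR_A, "vendor_b": VENDOR_B}
```

Calling `corroborated(REPORTS)` returns the two hashes and the one domain both vendors list, with the case differences already reconciled; `cross_reference(REPORTS)` shows which report contributed each remaining single-source IOC.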

Many thanks to ReversingLabs, Trend Micro and McAfee for their prompt publishing of essential security research. We hope that this meta-report will help defenders implement these actionable insights even faster.

Lee Jones – CTI Analyst – Elemendar

Elemendar CTI report analysis

ReversingLabs report

CTI Report: 

https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth

STIX2 Report: https://trial.elemendar.com/stix/bundle--2a844dad-f1f4-4bf9-a499-8ec500388326

Malicious filenames

solarwinds.orionimprovement.client.dll

solarwinds.orion.core.businesslayer.dll

SHA1 file hashes


Windows processes used

advapi32.dll

kernel32.dll

Trend Micro report

CTI Report: https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html

STIX2 Report: https://trial.elemendar.com/stix/bundle--91490614-27ca-4074-9f1e-5f866b6dae98

Malicious domains


SHA256 file hashes


SHA1 file hashes


McAfee report

CTI Report: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/

STIX2 Report: https://trial.elemendar.com/stix/bundle--ede93a93-872b-404d-bde1-439b46a8facb

Malicious domains


Malicious filenames

solarwinds.orion.core.businesslayer.dll