Share this page!

Kyle Hanslovan Profile picture
Twitter logo
14 Dec, 7 tweets, 6 min read
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking
The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
The default installation directory for this binary is "C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin". Going to have the team do a quick survey across all hosts to see if anything shakes up. Will report back what we find (hoping nothing 😅)
Found another unsigned version of SolarWinds.Orion.Core.BusinessLayer.dll out there. Confirmed there is not an OrionImprovementBusinessLayer class within this version. virustotal.com/gui/file/b9ce6…
.@cannedmanatee found a SolarWinds.Orion.Core.BusinessLayer.dll signed August 11, 2020 5:41:59 AM that I confirmed doesn't have the OrionImprovementBusinessLayer class. Might provide timeline insight if the SolarWinds CI/CD pipeline was pwned. virustotal.com/gui/file/b9ce6…
I've had a bunch of requests for path information on SolarWinds.Orion.Core.BusinessLayer.dll. TL;DR - it can be in a boat load of locations. Thankfully, my team and fellow security junky/MSP hero @_mbmy has put together a great list of places to check: gist.github.com/KyleHanslovan/…
Was notified by @alex4652 the 2019.4 Hotfix 6 DLL is 1/70 in VirusTotal. After analyzing the binary, I've confirmed there is no OrionImprovementBusinessLayer class present and is likely a @Webroot false positive. Still signing w/47D92... cert thumbprint. virustotal.com/gui/file/8dfe6…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kyle Hanslovan

Kyle Hanslovan Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KyleHanslovan

Kyle Hanslovan Profile picture
15 Dec
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image) Image
Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out. Image
The malicious methods are PascalCase and also start with familiar verb prefixes like Get* and Is*. Image
Read 7 tweets
Kyle Hanslovan Profile picture
14 Dec
Only 1 / 67 antivirus engines list SUNBURST backdoor as malicious - SolarWinds.Orion.Core.BusinessLayer.dll virustotal.com/gui/file/32519… #SUNBURST #UNC2452 Image
SolarWinds' digital certificate hasn't been revoked yet. Image
The full compromised package is still being hosted online as well 😓 hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp ImageImage
Read 16 tweets
Kyle Hanslovan Profile picture
17 Feb 19
EMOTET ANALYSTS: Everyday, our team sees 5-15 clients networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x
We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abusing of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x
For starts, we could use some perspective to make sure there’s not more we’re missing in regards to lateral movement.

We are aware of email spreading and browser password scraping plugins. However, we like to scope this to stopping local self-propagation of the bot first. 3/x
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @KyleHanslovan has new unrolls!

Check out other threads from @KyleHanslovan!

Read all threads by @KyleHanslovan