Share this page!

Kyle Hanslovan Profile picture
Twitter logo
15 Dec, 7 tweets, 4 min read
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image)
Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out.
The malicious methods are PascalCase and also start with familiar verb prefixes like Get* and Is*.
The actor also took the time to make sure variables and objects followed the expected camelCase formatting. My take on this is attention to detail and pride in one's <shady> work.
The patience to wait 288 to 336 hours (12 - 14 days) for your first callback is also indicative of the actor's composure. This isn't a simple smash and grab operation for them. github.com/Shadow0ps/solo…
Although their string obfuscation techniques were anything but special, their codebase and domains successfully evaded security scrutiny for nearly a year ¯\_(ツ)_/¯. Here are screenshots of some CryptoHelper and ZipHelper classes and methods.
Their use / co-opting of the existing SolarWinds.Orion.Core.BusinessLayer.dll.config XML file was quite witty. I've written an implant or two and really appreciate their "living off the land" approach as opposed to registry keys or an encrypted/high entropy blob on disk.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kyle Hanslovan

Kyle Hanslovan Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KyleHanslovan

Kyle Hanslovan Profile picture
14 Dec
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking
The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
The default installation directory for this binary is "C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin". Going to have the team do a quick survey across all hosts to see if anything shakes up. Will report back what we find (hoping nothing 😅)
Read 7 tweets
Kyle Hanslovan Profile picture
14 Dec
Only 1 / 67 antivirus engines list SUNBURST backdoor as malicious - SolarWinds.Orion.Core.BusinessLayer.dll virustotal.com/gui/file/32519… #SUNBURST #UNC2452 Image
SolarWinds' digital certificate hasn't been revoked yet. Image
The full compromised package is still being hosted online as well 😓 hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp ImageImage
Read 16 tweets
Kyle Hanslovan Profile picture
17 Feb 19
EMOTET ANALYSTS: Everyday, our team sees 5-15 clients networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x
We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abusing of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x
For starts, we could use some perspective to make sure there’s not more we’re missing in regards to lateral movement.

We are aware of email spreading and browser password scraping plugins. However, we like to scope this to stopping local self-propagation of the bot first. 3/x
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @KyleHanslovan has new unrolls!

Check out other threads from @KyleHanslovan!

Read all threads by @KyleHanslovan