SolarWinds Orion Supply Chain Attack: C2, Mitigations, and Expert Guidance
For guidance on the SolarWinds issue, see: DHS, SolarWinds, FireEYE, MSRC, and Microsoft.
Advanced users should see the FireEYE Countermeasures Repo on this issue.
SANS has an excellent video on this topic here.
Executables:
The DLL in question is SolarWinds.Orion.Core.BusinessLayer.dll, which was signed as a legitimate part of the SolarWinds suite, bypassing application control technologies. It is installed as a service.
The malicious code was injected into a legitimate DLL and is loaded into memory when the application runs; it executes before the legitimate code. According to Microsoft, the code is activated when the SolarWinds.BusinessLayerHost.exe executable runs, but the following executables may also load it:
ConfigurationWizard.exe
NetflowDatabaseMaintenance.exe
NetFlowService.exe
SolarWinds.Administration.exe
SolarWinds.BusinessLayerHost.exe
SolarWinds.Collector.Service.exe
SolarwindsDiagnostics.exe
Network information:
General Ranges:
- DNS CNAMEs for C2:
.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com
- IP Ranges for C2:
20.140.0.0/15
96.31.172.0/24
131.228.12.0/22
144.86.226.0/24
Specifically Identified:
- DNS Names associated with C2:
- IPs associated with C2:
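As an added example (not code from the original page or from any of the vendors it cites), the following Python script matches DNS-query and connection log lines against the C2 CNAME suffixes and IP ranges listed under "General Ranges" above. The log line format, hostnames and the sample subdomain label are constructed for the example, and the defanged "[.]" from the page is written as a real dot so the suffix match works.

```python
import ipaddress
import re

# C2 infrastructure as published on this page (the general ranges, not per-victim names).
C2_DNS_SUFFIXES = (
    ".appsync-api.eu-west-1.avsvmcloud.com",
    ".appsync-api.us-west-2.avsvmcloud.com",
    ".appsync-api.us-east-1.avsvmcloud.com",
    ".appsync-api.us-east-2.avsvmcloud.com",
)
C2_IP_RANGES = [ipaddress.ip_network(n) for n in (
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
)]

# Constructed log format for this example: "<timestamp> <dns|conn> <source host> <target>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn) (?P<src>\S+) (?P<target>\S+)$")

def is_c2_domain(name: str) -> bool:
    """True if the queried name sits under one of the published C2 CNAME suffixes."""
    name = name.rstrip(".").lower()
    return any(name.endswith(suffix) for suffix in C2_DNS_SUFFIXES)

def is_c2_ip(addr: str) -> bool:
    """True if the address falls inside one of the published C2 IP ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname in a conn record)
    return any(ip in net for net in C2_IP_RANGES)

def scan_log(lines):
    """Return (timestamp, source host, matched indicator) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort a triage run
        target = m["target"]
        matched = is_c2_domain(target) if m["kind"] == "dns" else is_c2_ip(target)
        if matched:
            hits.append((m["ts"], m["src"], target))
    return hits

# Constructed sample log: one DNS hit, one benign query, one connection hit, one benign, one junk.
SAMPLE_LOG = """\
2020-12-14T10:01:02Z dns orion-srv01 abc123def456ghi789jk.appsync-api.us-east-2.avsvmcloud.com
2020-12-14T10:01:03Z dns orion-srv01 updates.example.com
2020-12-14T10:02:10Z conn orion-srv01 20.141.7.9
2020-12-14T10:02:11Z conn wks-042 198.51.100.7
garbage line
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` returns the two hits from orion-srv01; feed it real resolver or proxy logs reformatted to the same four fields.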
DLL Locations:
C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\Solarwinds\Network Topology Mapper\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\Solarwinds\Network Topology Mapper\Service\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\DPI\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\NCM\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\Interfaces.Discovery\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\DPA\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\HardwareHealth\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\Interfaces\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\NetFlowTrafficAnalysis\SolarWinds.Orion.Core.BusinessLayer.dll
C:\Program Files (x86)\SolarWinds\Orion\NPM\SolarWinds.Orion.Core.BusinessLayer.dll
## Microsoft Malicious DLL Table: - See the GitHub Repository for more info
## FireEYE Indicator Table: - See the GitHub Repository for more info
## Sites Known to Be Hit By SunBurst/SolarFlare: