Microsoft shares tactics and evasion strategies used by hackers in SolarWinds supply chain attacks

The SolarWinds supply chain attack worries U.S. government agencies and companies deeply. It was estimated that no one would have guessed that so many government and corporate organizations would be infiltrated by hackers on a large scale.

Even technology giants like Microsoft have been infiltrated. Although the preliminary investigation has been completed, Microsoft security experts continue to conduct a detailed analysis.

A few days ago, experts from the Microsoft security team published a blog to share the tactics and evasion strategies used by hackers in SolarWinds supply chain attacks to deal with similar attacks in the future.

Of course, it turns out that if the hacking behavior is careful enough and then cooperated with mature tactics, there is indeed a chance to bypass the detection of top technology companies and finally complete the penetration.

Microsoft security experts said that hackers who planned SolarWinds supply chain attacks demonstrated a series of strategies, operational security, and anti-tracing behaviors to reduce the probability of detection.

Security experts said that the operators responsible for the second phase of the attack are skilled and methodical hackers who follow best practices in operational safety to reduce operational traces.

With the rich telemetry technology of Microsoft 365 Defender, security experts are able to observe the technology worthy of attention from the tactics and techniques used by hackers. Sharing these technologies will help security practitioners and defenders better respond to such security incidents.

The evasion strategy is mainly used to evade the investigation of anti-virus software and security experts, that is, to hide the traces of their operations to avoid abnormalities found in daily inspections.

In this attack, the hackers used a variety of evasion strategies to be relatively complete. Microsoft security experts will introduce some key evasion strategies to everyone.

Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:

  • Methodic avoidance of shared indicators for each compromised host. As discussed in the previous section, each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.
  • Camouflage and blending into the environment. Tools and binaries used by the attackers (e.g., ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations.
  • Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
  • In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
  • Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
  • We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.

The information disclosed by Solarwinds is that hackers had already infiltrated as early as September 2019, and then began to lurking in wait for an opportunity to tamper with some components of the Solarwinds software.

The related backdoor program was deployed in February 2020, and then deployed in the internal network environment of the target organization in March, but it did not attack at this time.

After this stage, hackers waited patiently and custom-developed Cobalt Strike implants to select the targets of interest. The hackers did not start their attacks until early May.

In June, hackers deleted the backdoor program from the Solarwinds software. According to security experts’ guess, this means that hackers have infected enough targets at this time.

Next, the hacker starts to perform more attacks through the implant. This implant allows the hacker to remotely control the keyboard and then select the target to perform more operations.

Eventually, at the end of last year, employees of American security company FireEye discovered that some log files, and then investigated and found that the company had been infiltrated by hackers.

The Microsoft security team combined the analysis of major security companies to complete the overall traceability work. Of course, there is some content that Microsoft will not announce until a thorough investigation is completed.