Rodney Flores

Immersive Labs: SUNBURST Supply Chain Compromise


Overview of Immersive Labs


In light of recent events, I took a break from my usual schedule to squeeze in this lab from Immersive Labs called SUNBURST: A Supply Chain Compromise. Immersive Labs is a cybersecurity training platform similar to RangeForce which I posted about before. I actually knew about Immersive Labs before RangeForce and have used their platform previously because they offer a FREE Digital Cyber Academy for students (I finished a Digital Forensics lab that I still have not posted on here!).


What I didn't know is that they recently started a Community Edition that is actually separate from the Digital Cyber Academy. I think they started it in response to platforms like RangeForce offering something similar. It gives those who are not students a chance to experience Immersive Labs for FREE. This post isn't a comparison post to RangeForce or a review of Immersive Labs. Maybe I'll save that for another post. This is about my experience with a current event lab that they offer in their Community Edition.


SolarWinds, SUNBURST, Solorigate, OH MY!


I was really intrigued by the SolarWinds compromise. As an aspiring Security Analyst, what about this incident is not to be in awe of? The numbers speak for themselves: an estimated 18,000 customers believed to be affected. The sophistication of the code in the malicious .dll file. The possible connection of the incident to a nation-state. The avenue of exploit. I didn't even know what "supply chain" meant in terms of cybersecurity before starting this lab. I was amazed by the FireEye report that correlated the SolarWinds incident to the FireEye breach. As a cybersecurity student, all I could do was read about it and try to learn what I could about the incident from reports and security professionals that I follow on social media. That is, until I saw Immersive Labs post about their SUNBURST blog and associated lab.


SUNBURST: A Supply Chain Compromise -- Lab


Immersive Labs: Community Edition is "a smorgasbord of handpicked interactive labs covering offensive and defensive security". What is cool about it compared to the Student Digital Cyber Academy is that they have labs that immerse people in current security events. "How current are they?" is probably what you're asking. Take the SolarWinds incident for example. I believe public reports of that incident happened on December 13th. By December 18th, Immersive Labs had this 5-part lab series on the incident online for people to experience! It is pretty damn amazing to stand up a lab that quickly.


"In December 2020, FireEye identified that the SolarWinds Orion software package had been compromised by a nation-state. This was subsequently installed onto the devices of several thousand organisations, leading to potential compromise. This series takes a closer look at the malware implants, the APT operators and some of their TTPS."

Immersive Labs SolarWinds Timeline

They posted the lab with an accompanied blog post on their social networks. Here's an overview of what the labs entailed:


Compromising SolarWinds NMS (Theory)

  • In this lab the participant will learn what an NMS is, why it is a target, and how it’s relevant to the SUNBURST hack.

Who are UNC2452? (Theory)

  • Participants will examine APT29 from a MITRE ATT&CK viewpoint in this lab, discovering what the group does and how it operates.

Build Server Investigation (Practical)

  • In this lab participants assume the role of a threat hunter, reviewing a build server and its build stages to identify what malicious code has been injected and where.

IoC Investigation (Practical)

  • Continuing as a threat hunter, participants must take the indicators of compromise provided by FireEye and review their NMS host to see if it has been affected.

Malware Investigation (Practical)

  • Finally, participants must take a sample of the malware and identify any additional IoCs that will help them identify suspicious activity on their systems and networks.


SUNBURST Lab Screenshot

Immersive Labs categorizes each of their lab series as a whole by Difficulty Range: Beginner, Intermediate, Expert. SUNBURST is considered an Expert lab. In addition to the Difficulty Range, they also rate each specific lab as a number between 1 and 10 with 1 being the easiest and 10 being the hardest. You can see how each lab stacks up in the screenshot above.


If you're a regular on my website, then you know I am not an expert. But I was so determined to get some hands-on experience with SolarWinds that I went for it. The two labs you see above rated as 7s really put me through the wringer. It took a lot of time, reading, research, hard work, and determination to get through it. If you're familiar with RangeForce, then Immersive Labs is a very similar platform with its cloud-based VMs. Except the labs don't give you any hints or tell you how the answer is formatted. And there isn't an Immersive Labs community that you can turn to for help. The closest thing I found to it is an Immersive Labs subreddit. But when I decided to complete this lab, there was only one other person I know of that attempted it at the same time I did (shoutout to @wearyandroid on Twitter who helped me get through the Build Server lab). Essentially, if you're stuck, you're really on your own to figure it out.


I spent a couple of days on Build Server Investigation, and at least 3 days on BusinessLayer.dll Analysis. It was the first time that I walked away from a challenge to do something else so that I could come back to it with a fresh mindset. And it worked!


Key Takeaways


All the practical labs were amazing!


In the Build Server Investigation lab, Immersive Labs had a "stand-in" malware to represent the one used in SolarWinds just to show us proof-of-concept of how the threat actor(s) may have compromised the build server. I was able to identify the tampered file from the non-tampered file by using the Windows command line to compare MD5 checksums. I investigated the build server to see at what point in the build process the malware was injected into the server and found the exact file path where the malicious file is stored on the build server.


In the Identifying IoCs lab, I used Linux tools to generate file hashes from actual SolarWinds malware samples. I used the actual FireEye YARA rules against the suspected pieces of malware to identify the malware family. Then, I performed OSINT investigations using the generated IoCs I found to get more information from the malware like the signature of the SolarWinds certificate used to sign the malicious DLL file using VirusTotal.
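The two checks described in the Build Server Investigation and IoC Investigation labs above (comparing a build's file hashes against a known-good set, then matching hashes against a published IoC list) come down to the same hashing routine. The script below is an added example written for this post, not code from Immersive Labs or the lab itself. Every file name, file content, and IoC hash in it is constructed inline so it runs offline; the hypothetical `known_good`/`tampered` build trees stand in for the lab's real build server, and the "IoC list" is derived from the constructed injected file rather than from any real SUNBURST hash.

```python
from __future__ import annotations

import hashlib

# Constructed sample build trees (hypothetical paths, not the lab's real files).
# "known_good" is the trusted build; "tampered" is the same tree with one
# source file altered and one extra file dropped into the build output.
KNOWN_GOOD_BUILD: dict[str, bytes] = {
    "src/BusinessLayer/Inventory.cs": b"class Inventory { /* unchanged */ }",
    "src/BusinessLayer/Scheduler.cs": b"class Scheduler { void Run() {} }",
    "bin/BusinessLayer.dll": b"MZ\x90\x00 constructed-clean-binary-bytes",
}
TAMPERED_BUILD: dict[str, bytes] = dict(KNOWN_GOOD_BUILD)
TAMPERED_BUILD["src/BusinessLayer/Scheduler.cs"] = (
    b"class Scheduler { void Run() { Injected.Start(); } }"
)
TAMPERED_BUILD["obj/Injected.cs"] = b"class Injected { /* constructed stand-in */ }"


def file_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of one in-memory file. MD5 is what the lab had me compare;
    SHA-256 is what published IoC lists usually carry, so algo is a parameter."""
    return hashlib.new(algo, data).hexdigest()


def build_manifest(files: dict[str, bytes], algo: str = "md5") -> dict[str, str]:
    """Map every path in a build tree to its digest (a 'known-good' manifest)."""
    return {path: file_digest(data, algo) for path, data in files.items()}


def find_tampered(
    expected: dict[str, str], actual: dict[str, bytes], algo: str = "md5"
) -> dict[str, tuple[str | None, str | None]]:
    """Return {path: (expected_digest, actual_digest)} for every path whose
    digest differs from the manifest, is missing from the build (actual None),
    or appeared in the build without a manifest entry (expected None)."""
    actual_digests = build_manifest(actual, algo)
    diffs: dict[str, tuple[str | None, str | None]] = {}
    for path in sorted(set(expected) | set(actual_digests)):
        exp, act = expected.get(path), actual_digests.get(path)
        if exp != act:
            diffs[path] = (exp, act)
    return diffs


def match_iocs(
    files: dict[str, bytes], ioc_hashes: set[str], algo: str = "sha256"
) -> dict[str, str]:
    """Return {path: digest} for files whose digest is on the IoC list.
    Comparison is case-insensitive because published lists mix hex case."""
    wanted = {h.lower() for h in ioc_hashes}
    return {p: d for p, d in build_manifest(files, algo).items() if d in wanted}


# Constructed IoC list: the SHA-256 of the constructed injected file, written in
# upper case to exercise the case-insensitive match. Not a real SUNBURST hash.
CONSTRUCTED_IOC_HASHES: set[str] = {
    file_digest(TAMPERED_BUILD["obj/Injected.cs"], "sha256").upper()
}


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD_BUILD)
    for path, (exp, act) in find_tampered(manifest, TAMPERED_BUILD).items():
        print(f"MISMATCH {path}: manifest={exp} build={act}")
    for path, digest in match_iocs(TAMPERED_BUILD, CONSTRUCTED_IOC_HASHES).items():
        print(f"IOC HIT  {path}: sha256={digest}")
```

The manifest should be generated from a build you trust and stored somewhere the build server cannot write to; a manifest computed on the same host after the compromise would simply describe the tampered tree. Keep `find_tampered` reporting unexpected extra files as well as changed ones, since an injected source file is exactly what a clean manifest will lack an entry for.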


In the BusinessLayer.dll Analysis lab, I did some reverse engineering of the ACTUAL BusinessLayer.dll malware file! I was super stoked on this one because Malware Analysis, Reverse Engineering, and Threat Hunting are things I'd really LOVE to get into eventually! And it really took a lot out of me because I literally completed this lab entirely on my own! I familiarized myself with dnSpy to analyze the source code (I had never used this application before in my life, let alone reverse engineered source code). I was able to extract important IoCs from the source code itself like: the hard-coded hash that the malware uses to make sure the running process hosting the malware has a specific name before executing; the value that each FNV-1a hash is XORed against to create the subdomains for the C2. Additionally, hundreds of strings within the source code were also obfuscated (encoded and compressed), and I used Python's zlib and base64 packages to deobfuscate the strings. Doing this allowed me to figure out things such as: the hard-coded named pipe that ensures it is the only malware instance running on that endpoint; the possible subdomains created by the DGA for C2; and what is added to the HTTP header of GET and HEAD requests to the C2.
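Two of the techniques mentioned in that lab are small enough to show end to end: computing FNV-1a hashes XORed with a constant so that hashes pulled out of a sample can be resolved back to the names they were made from, and unpacking strings that were compressed and then base64-encoded. The script below is an added example written for this post, not the lab's code and not code from the malware. Its XOR key (`ASSUMED_XOR_KEY`), the candidate process names, and the sample strings are all constructed placeholders; the real key, the exact name normalization, and the exact compression format of the sample are not reproduced here. It decodes raw DEFLATE first (what .NET's DeflateStream emits) and falls back to zlib-wrapped data, so it handles both layouts an analyst is likely to meet.

```python
import base64
import zlib

# FNV-1a 64-bit constants (public algorithm parameters).
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Placeholder only: the real XOR constant recovered in the lab is not shown here.
ASSUMED_XOR_KEY = 0x1122334455667788

# Constructed candidate list for resolving hashes back to names. In practice an
# analyst feeds in every process/service name worth checking.
CANDIDATE_NAMES = ["procmon.exe", "wireshark.exe", "autoruns.exe", "notepad.exe"]


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a over bytes, truncated to 64 bits each round."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def keyed_hash(name: str, key: int = ASSUMED_XOR_KEY) -> int:
    """FNV-1a of the name XORed with the constant. Lower-casing is an assumption
    about normalization; adjust it to whatever the sample actually does."""
    return fnv1a64(name.lower().encode("utf-8")) ^ key


def resolve_hashes(hashes, candidates=CANDIDATE_NAMES, key: int = ASSUMED_XOR_KEY) -> dict:
    """Map each hash that came out of a sample to the candidate name producing it.
    Hashes with no match are simply absent from the result."""
    table = {keyed_hash(c, key): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


def obfuscate_string(text: str) -> str:
    """Constructed encoder used only to build test input: raw DEFLATE (wbits=-15,
    the framing .NET DeflateStream produces) followed by base64."""
    co = zlib.compressobj(wbits=-15)
    packed = co.compress(text.encode("utf-8")) + co.flush()
    return base64.b64encode(packed).decode("ascii")


def zlib_wrapped_sample(text: str) -> str:
    """Constructed alternative input: zlib-framed stream (2-byte header, adler32
    trailer) followed by base64, to exercise the fallback path."""
    return base64.b64encode(zlib.compress(text.encode("utf-8"))).decode("ascii")


def deobfuscate_string(blob: str) -> str:
    """base64-decode, then inflate. Try raw DEFLATE first; a zlib-framed stream
    fails that parse with zlib.error, so fall back to the framed decoder."""
    raw = base64.b64decode(blob)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return zlib.decompress(raw).decode("utf-8")


if __name__ == "__main__":
    # Pretend these two hashes were lifted from a sample; resolve them by name.
    lifted = [keyed_hash("procmon.exe"), keyed_hash("wireshark.exe"), 0xDEADBEEF]
    print(resolve_hashes(lifted))
    # Round-trip a constructed obfuscated string.
    sample = obfuscate_string(r"\\.\pipe\constructed-example-pipe")
    print(sample, "->", deobfuscate_string(sample))
```

The hash resolution only works if the candidate list contains the original name, which is why analysts run it against large name lists rather than guessing one at a time; the decoder's try/fallback order matters because a zlib-framed stream looks like a malformed raw DEFLATE block and raises rather than returning garbage.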


In Conclusion


If everything I said above sounds like gibberish, it did to me too when I started the labs. But I spent A LOT of time trying to figure this incident out on my own, and it really does make a lot more sense to me, and at a fairly low-level too! I can now go back and read the analysis reports and not feel completely lost! I'm a far cry from calling myself a reverse engineer/malware analyst. And obviously, nothing that I accomplished with this lab is groundbreaking -- but for me, it is! I accomplished things in this lab that I could only have dreamed of only a couple of months ago! And it is really reassuring to know that I'm able to do things like this with minimal help and absolutely no supervision.


As you can see in my screenshot of the labs above, it lists the "Time Required" for each lab. I can tell you that those time intervals were pretty spot on for me EXCEPT for the 7/10 labs. Those took me DAYS! Like I've mentioned in other blogs, I'm just doing the best that I can with what I have and what I know. I'm sure a seasoned professional could have had this entire lab finished within the 60-minute duration it is tagged for (if not quicker). But this post also goes to show that an absolute beginner in security can still complete an "Expert" lab with a lot of hard work, determination, and PATIENCE!


For all my "Projects", I create full write-ups of my processes because I want to show any potential employers that visit my website my thought process and proof-of-concept of things I've accomplished in the security space. So I have linked my write-ups below (as usual), but I'm going to keep them password protected for now since the lab is still fairly new. If you fit that description, please contact me for access.


For completing the labs, I got this cool badge:

Additionally, I was the first person in the Immersive Labs: Community Edition to complete the last and most difficult of the 5 labs! How's that for hard work and determination?! And for that, I got this cool Pioneer badge that everyone sees when they start the BusinessLayer.dll Analysis lab:



Immersive Labs takes it a step further and also provides a reporting function (even in Community Edition) where you can get an "Activity Report" of your progress. It gives you something you can show (or print out and give) to a teacher, employer, etc. as proof of completion:



If you'd like to take a stab at this challenge, then sign up for the Immersive Labs: Community Edition! Remember, if you have an Immersive Labs: Student Edition, it isn't the same and this SUNBURST lab won't show up there.


Password Protected at this time. Please contact me for access if you are an employer/hiring manager/talent acquisition looking for proof-of-concept.


