Analysis of active exploitation of SolarWinds Web Help Desk

MITRE Techniques

• [T1190 ] Exploit Public-Facing Application – Exploited internet‑facing SolarWinds WHD to achieve unauthenticated remote code execution; [‘active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD)’]
• [T1059.001 ] PowerShell – Spawned PowerShell on compromised hosts to orchestrate payload download and execution via BITS; [‘compromised service of a WHD instance spawned PowerShell to leverage BITS for payload download and execution’]
• [T1105 ] Ingress Tool Transfer – Used BITS and other download mechanisms to transfer and execute payloads on compromised systems; [‘spawned PowerShell to leverage BITS for payload download and execution’]
• [T1053 ] Scheduled Task/Job – Created a scheduled task to launch QEMU at system startup under SYSTEM for hidden persistence and SSH exposure; [‘SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN “TPMProfiler” /TR “C:Userstmpqemu-system-x86_64.exe … hostfwd=tcp::22022-:22″‘]
• [T1021.004 ] Remote Services: SSH – Established reverse SSH and SSH tunneling/port forwarding for lateral access and remote control; [‘reverse SSH and RDP access’ and ‘hostfwd=tcp::22022-:22’]
• [T1021.001 ] Remote Services: RDP – Used Remote Desktop sessions for interactive access and lateral movement; [‘established … RDP access’]
• [T1574.002 ] DLL Side-Loading – Abused wab.exe to load a malicious sspicli.dll to access LSASS memory and steal credentials; [‘used DLL sideloading by abusing wab.exe to load a malicious sspicli.dll’]
• [T1003.001 ] OS Credential Dumping: LSASS Memory – Accessed LSASS memory via sideloaded components to harvest credentials; [‘access to LSASS memory and credential theft’]
• [T1003.006 ] DCSync – Performed DCSync to request password data from a domain controller using high‑privilege credentials obtained post‑compromise; [‘activity escalated to DCSync from the original access host’]