Burnt by SolarWinds attack? US releases tool for post-compromise detection

CISA releases a new tool called CHIRP for organizations investigating malicious activity on their on-premises systems stemming from the SolarWinds Orion update.

CISA, the US Cybersecurity and Infrastructure Security Agency, has released a new command-line tool to scan on-premises systems for traces of activity by the attackers behind the SolarWinds supply chain hack.

CISA calls the forensics tool CHIRP, which stands for the CISA Hunt and Incident Response Program. 

"CHIRP scans for signs of APT compromise within an on-premises environment," CISA says in its alert.


CHIRP was built to look for signs of compromise related to SolarWinds Orion software, the widely used network monitoring software the hackers used to distribute the Sunburst/Solorigate backdoor to around 18,000 SolarWinds customers. Microsoft calls the threat actor Nobelium, while FireEye is tracking the same group as UNC2452.

The new investigation tool is related to CISA's previously released Sparrow, which was for detecting attacker activity on compromised accounts and applications within Azure and Microsoft 365 cloud environments.  

CISA recommends that defenders use CHIRP to examine Windows event logs and the Windows Registry, query Windows network artifacts, and apply YARA rules to detect malware, backdoors or implants.

The tool has several plugins to search through event logs and registry keys. It also ships a file listing the indicators of compromise (IOCs) that the agency associates with the activity described in its earlier alerts AA20-352A (Orion) and AA21-008A (Microsoft 365/Azure environments).
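To show the shape of such a plugin-driven scan, here is an added example (not CHIRP's own code, and not CISA's IOC list) in which an event-log plugin and a registry plugin match constructed Windows event records and registry values against a constructed IOC file; every hash, domain and key below is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed IOC list in the style of a CHIRP indicator file (placeholder values only)
IOCS = {
    "sha256": {"0" * 64: "TEARDROP sample (placeholder hash)"},
    "domain": {"update.example.invalid": "known C2 domain (placeholder)"},
    "registry": {r"HKLM\SOFTWARE\Example\Run\Updater": "persistence key (placeholder)"},
}

@dataclass(frozen=True)
class Finding:
    plugin: str      # which plugin produced the hit
    indicator: str   # the IOC value that matched
    label: str       # description taken from the IOC list
    record: dict     # the event or registry record that matched

def event_log_plugin(events):
    """Scan parsed Windows event records for file hashes or DNS names on the IOC list."""
    findings = []
    for ev in events:
        file_hash = ev.get("sha256", "").lower()
        if file_hash in IOCS["sha256"]:
            findings.append(Finding("event_log", file_hash, IOCS["sha256"][file_hash], ev))
        for domain in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", ev.get("message", "").lower()):
            if domain in IOCS["domain"]:
                findings.append(Finding("event_log", domain, IOCS["domain"][domain], ev))
    return findings

def registry_plugin(values):
    """Check exported registry key paths against known persistence locations (case-insensitive)."""
    ioc_keys = {k.lower(): v for k, v in IOCS["registry"].items()}
    return [Finding("registry", r["key"], ioc_keys[r["key"].lower()], r)
            for r in values if r["key"].lower() in ioc_keys]

def run_plugins(events, registry_values):
    """Run every plugin and aggregate the findings, as CHIRP does across its plugins."""
    return event_log_plugin(events) + registry_plugin(registry_values)

# Constructed sample input: a process-creation event, a Sysmon DNS event, and two registry values
SAMPLE_EVENTS = [
    {"event_id": 4688, "sha256": "0" * 64, "message": "New process created"},
    {"event_id": 22, "sha256": "ab" * 32, "message": "DNS query for update.example.invalid"},
]
SAMPLE_REGISTRY = [
    {"key": r"HKLM\SOFTWARE\Example\Run\Updater", "value": r"C:\Temp\x.dll"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "explorer.exe"},
]

if __name__ == "__main__":
    for f in run_plugins(SAMPLE_EVENTS, SAMPLE_REGISTRY):
        print(f"[{f.plugin}] {f.label}: {f.indicator}")
```

On the sample input the scan reports three findings: the placeholder hash, the placeholder C2 domain and the placeholder persistence key; a real run would read the EVTX files and the live Registry instead of these dicts.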

Only some of the 18,000 SolarWinds customers affected by the trojanized version of Orion were selected by the hackers for deploying a second strain of malware, called Teardrop. The attackers then escalated access within a target's cloud environment to breach Microsoft 365 infrastructure.

CISA says CHIRP currently looks for: 

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

Microsoft recently detailed three additional pieces of malware related to the Sunburst intrusion, including Sibot, a tool designed for persistence on an infected machine to support the download and execution of a payload from a remote C2 server. 

CHIRP is available on GitHub as a compiled executable or as a Python script.

FireEye in January also released a free tool on GitHub called Azure AD Investigator.