SolarWinds Orion Supply Chain Attack

If you use the SolarWinds Orion product, stop what you’re doing and read this

Emergency Directive 21-01

Discovered: SolarWinds acknowledged the hack on December 13th

Impacted Tech: SolarWinds Orion

Attacker Location: Internal

Highlights: This was virtually impossible to defend against due to the supply chain compromise and the installation of a backdoor via trojanized updates.

It has been largely attributed to Russia’s Foreign Intelligence Service (SVR), also known as APT29 or Cozy Bear [1].

The SEC stated that there were no more than 18,000 customers that had a version of Orion with the backdoor installed [2] [3]. Some of the largest targets reported so far are the U.S. Department of Treasury, U.S. Department of Commerce, U.S. Department of Homeland Security, U.S. Cybersecurity and Infrastructure Agency, U.S. Department of State, and cybersecurity company FireEye [4]. This campaign may have started as early as spring 2020 [5].

The attackers evaded detection by disguising their own traffic as the Orion Improvement Program protocol and by storing the data they collected inside legitimate plugin files, so as not to arouse the suspicion of network defenders. The malicious code also kept anti-virus from detecting it: it used blocklists to stop anti-virus tools from running in the first place [6].

The password to SolarWinds’ update server in 2019 was allegedly “solarwinds123”, according to security researcher Vinoth Kumar, who reportedly alerted the company to the issue at the time [7].

This is currently being actively exploited in the wild [8].

What should I do?

The Cybersecurity and Infrastructure Agency issued Emergency Directive 21-01 to mitigate the threat. Agencies that have the capability are to forensically image the system memory and/or host operating systems of every SolarWinds Orion instance and to analyze network traffic for the indicators of compromise. After that, the directive instructs all affected agencies to disconnect or power down SolarWinds Orion products, block all traffic to and from hosts where any version of SolarWinds Orion software has been installed, and identify and remove all threat actor-controlled accounts and identified persistence mechanisms [8].

SolarWinds’ Security Advisory recommends that customers running Orion Platform v2020.2 or 2020.2 HF 1 upgrade immediately to the current release, Orion Platform 2020.2.1 HF 2, if they use any of the following products [9]:

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module* (DPAIM*)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

NetFlow Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SRM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)
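A small triage helper for the advisory above, added here as an example and not SolarWinds’ or CISA’s code: it parses Orion Platform version strings including their HF suffix, orders them, and flags a host that runs v2020.2 or 2020.2 HF 1 together with any of the listed products. The hostnames and module inventory at the bottom are constructed.

```python
# Added example, not SolarWinds' or CISA's tooling: triage Orion hosts against
# the advisory quoted above. The host inventory at the bottom is constructed.
import re

AFFECTED_VERSIONS = ("2020.2", "2020.2 HF 1")   # must upgrade, per the advisory
FIXED_VERSION = "2020.2.1 HF 2"                  # release the advisory points to
# Products the advisory lists (abbreviations as printed; '*' suffix dropped).
ADVISORY_PRODUCTS = {
    "ACM", "DPAIM", "EOC", "HA", "IPAM", "LA", "NAM", "NCM", "NOM", "NPM",
    "NTA", "SAM", "SCM", "SRM", "UDT", "VMAN", "VNQM", "WPM",
}
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\s+HF\s*(\d+))?\s*$", re.I)

def parse_version(text):
    """'2020.2.1 HF 2' -> ((2020, 2, 1), 2); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def version_key(text):
    """Sortable key: numeric part zero-padded to four fields, then hotfix,
    so that 2020.2 < 2020.2 HF 1 < 2020.2.1 HF 2."""
    numbers, hotfix = parse_version(text)
    return numbers + (0,) * (4 - len(numbers)) + (hotfix,)

def triage(installed_version, installed_modules):
    """Return (status, listed modules present): upgrade_required, affected_version
    (affected version, no listed product), fixed, or out_of_scope (older branch)."""
    key = version_key(installed_version)
    names = (m.strip().rstrip("*").upper() for m in installed_modules)
    listed = sorted(n for n in names if n in ADVISORY_PRODUCTS)
    if key in {version_key(v) for v in AFFECTED_VERSIONS}:
        return ("upgrade_required" if listed else "affected_version", listed)
    if key >= version_key(FIXED_VERSION):
        return ("fixed", listed)
    return ("out_of_scope", listed)

def triage_inventory(hosts):
    """hosts: {hostname: (version string, [installed modules])} -> {hostname: triage}."""
    return {name: triage(ver, mods) for name, (ver, mods) in hosts.items()}

# Constructed sample inventory (hostnames and module sets are made up).
SAMPLE_HOSTS = {
    "orion-01": ("2020.2 HF 1", ["NPM", "NCM", "SAM"]),
    "orion-02": ("2020.2.1 HF 2", ["NPM"]),
    "orion-03": ("v2020.2", ["DPAIM*"]),
}
RESULTS = triage_inventory(SAMPLE_HOSTS)   # e.g. RESULTS["orion-01"][0] == "upgrade_required"
```

The version check only covers the releases the advisory names; a host on an older branch is reported as out_of_scope rather than assumed safe, and ED 21-01 still applies to any Orion host.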

References:

[1] https://www.crowdstrike.com/blog/who-is-cozy-bear/

[2] SEC Filing Reveals Number of Customers Impacted: https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/

[3] SEC Filing: https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm

[4] Governmental Agencies and Companies affected: https://www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/

[5] FireEye Threat Research: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[6] CISA Active Exploitation Alert: https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

[7] ‘Hackers used SolarWinds’ dominance against it in sprawling spy campaign’ by Reuters: https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8

[8] CISA Emergency Directive: https://cyber.dhs.gov/ed/21-01/

[9] SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory

More reading:

‘Microsoft quarantining malicious Orion application binaries’ by ZDNet: https://www.zdnet.com/article/microsoft-to-quarantine-solarwinds-apps-linked-to-recent-hack-starting-tomorrow/

FireEye Countermeasures: https://github.com/fireeye/sunburst_countermeasures

‘FireEye Discovered SolarWinds Breach While Probing Own Hack’ by Bloomberg: https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack