On December 13, 2020, FireEye reported a major intrusion into several high-visibility targets stemming from malicious code inserted into SolarWinds Orion software update packages. An external nation-state-level threat actor compromised the network of the SolarWinds IT management software company, allowing them to insert their own code into legitimate digitally signed update packages. When customers updated their SolarWinds Orion installations, this additional code was loaded, granting the threat actor remote access to the customer’s network through this platform.
SolarWinds provides network monitoring software suites to a significant number of entities, including the White House, government agencies, Fortune 500 companies, universities and many others. Based on the response released by SolarWinds [1], an independent forensic investigator [2], and the Securities and Exchange Commission filing [3], only the SolarWinds Orion platform appears to be affected. Because the company serviced a number of large and important organizations, it was targeted in a supply chain attack.
The attackers were able to breach the SolarWinds perimeter with the intention of introducing malicious code into their product’s patch cycle. This backdoor was then unknowingly distributed to customers, in order to compromise sensitive and potentially classified networks. After gaining access to their target networks, the attackers would have been able to escalate privileges and retrieve sensitive information.
The highly sophisticated attack likely started last March, when the malicious patch was initially distributed to target customers, and continued until the compromise was recently identified. Although SolarWinds provides services to over 300,000 customers, it is estimated only 18,000 were impacted. There is speculation of an external nation state being behind the attack, but patching and responding is currently more important than attribution.
So what does this mean for those affected?
The SolarWinds Orion platform Versions 2020.2.1 HF 1 and 2019.4 HF 6 are the current secure versions. SolarWinds has also indicated that a new hotfix will be released soon to remove any malicious modules and add security features.
“An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.” [1]
There are a number of steps that we recommend to address the issue:
- Read the security advisory by SolarWinds [1] to ensure that you have a clear understanding of what happened. FireEye’s write-up is also a good source of technical details [2].
- Upgrade your SolarWinds Orion platform to Version 2020.2.1 HF 1 or 2019.4 HF 6 as soon as possible. If on/after December 15, 2020, upgrade to Version 2020.2.1 HF 2.
- Collect log files for the SolarWinds systems from March to the present. This will aid in identifying a compromise.
- FireEye has released detection rules for the malware, which can be found on their GitHub [5].
- Scan your environment for the file indicators of compromise released by FireEye [6].
- Identify whether any outbound traffic has connected to the malicious C2 domains [7].
- If you have indicators of compromise, we recommend beginning digital forensics and incident response (DFIR) processes.
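The file-hash scan and the outbound C2 check above can be driven by the same indicator files. The script below is an added example, not code from the original post or from FireEye: it loads a hash list and a domain list in the CSV shape assumed here (columns `sha256`, `domain`, `description` are an assumption, not the real layout of the FireEye CSVs), hashes every file under a directory, and matches DNS log lines against the domain indicators, treating a query to any subdomain of an indicator as a hit. All hashes, domains, file contents and log lines are constructed placeholders; substitute the rows from [6] and [7] and your own logs.

```python
"""Indicator-of-compromise sweep: file hashes plus DNS log domains.

Added example, not from the original post or FireEye. CSV column names and
every indicator value below are constructed placeholders (assumption), not
the real contents of the FireEye indicator releases.
"""
import csv
import hashlib
import io
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a tampered Orion module; its hash becomes the
# sample file indicator so the demo is self-contained.
SAMPLE_BAD_CONTENT = b"constructed sample: stand-in for a tampered Orion module"
SAMPLE_HASH_CSV = (
    "sha256,description\n"
    + hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()
    + ",constructed stand-in for a tampered module\n"
)

# Constructed stand-in for the network-based indicator list (assumed columns).
SAMPLE_NBI_CSV = """domain,description
c2-placeholder.invalid,constructed stand-in for a C2 domain
"""

# Constructed DNS log lines; only the qname= field is parsed.
SAMPLE_DNS_LOG = [
    "2020-04-02T10:15:22Z host=orion-srv01 qname=patch.vendor.example",
    "2020-04-02T10:16:03Z host=orion-srv01 qname=abc123.c2-placeholder.invalid",
    "2020-04-02T10:17:44Z host=ws-finance-07 qname=mail.corp.example",
]

QNAME_RE = re.compile(r"\bqname=(\S+)")


def load_column(csv_text, column):
    """Return the lower-cased, non-empty values of one CSV column as a set."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip().lower() for row in reader if row.get(column)}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, bad_hashes):
    """Return (path, sha256) for every file under root whose hash is listed."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = sha256_of(path)
            if digest in bad_hashes:
                hits.append((str(path), digest))
    return hits


def domain_matches(qname, bad_domains):
    """Return the matching indicator if qname equals or is a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def find_c2_contacts(log_lines, bad_domains):
    """Return (line_number, qname, indicator) for each log line that matches."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = QNAME_RE.search(line)
        if match is None:
            continue
        indicator = domain_matches(match.group(1), bad_domains)
        if indicator is not None:
            hits.append((number, match.group(1), indicator))
    return hits


def demo():
    """Run both sweeps on the constructed samples and summarise the hits."""
    bad_hashes = load_column(SAMPLE_HASH_CSV, "sha256")
    bad_domains = load_column(SAMPLE_NBI_CSV, "domain")
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "OrionModule.dll").write_bytes(SAMPLE_BAD_CONTENT)
        (Path(tmp) / "readme.txt").write_bytes(b"benign file")
        file_hits = scan_directory(tmp, bad_hashes)
    net_hits = find_c2_contacts(SAMPLE_DNS_LOG, bad_domains)
    return {
        "file_hits": [Path(p).name for p, _ in file_hits],
        "net_hits": [number for number, _, _ in net_hits],
    }


if __name__ == "__main__":
    print(demo())
```

The subdomain rule matters because beaconing traffic is rarely to the bare indicator domain; matching label suffixes catches `abc123.c2-placeholder.invalid` without also matching look-alikes such as `notc2-placeholder.invalid`. Point `scan_directory` at the Orion installation directory and feed `find_c2_contacts` the DNS or proxy logs collected back to March as the earlier step recommends.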
Update: Dec 17th, 2020
More research has been done on the nature of the malware and its operation. This has led to the following additional recommendations.
- We recommend changing all passwords associated with the SolarWinds products affected by this breach. They may have been exfiltrated regardless of further action on the network.
- A threat researcher released a method of potentially enumerating compromised domains; we recommend checking this list to validate your domain [8]. Just because a domain is not on the list DOES NOT mean it was not compromised. Do not be lulled into a false sense of security.
References:
1. https://www.solarwinds.com/securityadvisory
2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
3. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
4. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
5. https://github.com/fireeye/sunburst_countermeasures/tree/main/rules
6. https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv
7. https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
8. https://twitter.com/RedDrip7/status/1339168187619790848