In the Wild since March/2020
On December 13, 2020, FireEye announced the discovery of a highly sophisticated cyber intrusion that leveraged a commercial software application made by SolarWinds. It was determined that the advanced persistent threat (APT) actors infiltrated the supply chain of SolarWinds, inserting a backdoor into the product. As customers downloaded the Trojan Horse installation packages from SolarWinds, attackers were able to access the systems running the SolarWinds product(s).
This cyber-attack is exceptionally complex and continues to evolve. The attackers randomized parts of their actions making traditional identification steps such as scanning for known indicators of compromise (IOC) of limited value. Affected organizations should prepare for a complex and difficult remediation from this attack.
Pre- March 2020
SolarWinds was the victim of a complex & targeted supply chain cyber-attack, with the primary goal of inserting a malicious backdoor into trusted (signed) software, which could later be exploited in end-customer installations of the SolarWinds Orion platform. As reported by SolarWinds, the earliest visible account of the attacker shows test code inserted in the October 2019 software release.
https://www.solarwinds.com/sa-overview/securityadvisory It’s been claimed the attackers first gained access to SolarWinds infrastructure by exploiting an Authentication Service vulnerability. They were then able to persist and monitor emails & files, to identify the developers they needed to target. Once identified, the targets were infiltrated using Spear Phishing techniques to infect their local compute instances trusted to check-in source code.
Starting in March, 2020, SolarWinds began distributing infected patches via its website (as regular software patches) to unsuspecting SolarWinds Orion customers. The impacted versions are 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1.
Once upgraded to the vulnerable version, the initial foothold is obtained to the end customer’s SolarWinds Development Server, and the malware can then target desired endpoints to install the infiltration malware to those systems. Post-installation to the victim, it may download subsequent malware and eventually make connection to the C&C server.
December 8, 2020
On December 8, 2020, FireEye announced it was the victim of a cyber-attack, disclosing that some of its advanced “red team” tools had been stolen. Within the following week, they determined the breach was due to the SolarWinds vulnerability. https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
On December 13, 2020, CERT issued Emergency Directive 21-01 regarding this issue.
SolarWinds subsequently released a detailed announcement here:
Updated Technical Summary
SolarWinds Orion is prone to one vulnerability that could allow for authentication bypass. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication, potentially resulting in a compromise of the SolarWinds instance.
Who: Organizations in private industry and U.S. SLTTs with SolarWinds Orion Platform versions 2019.4 HF5, 2020.2 with no hotfix installed, and 2020.2 HF 1 within their environment.
Note: there is evidence of organizations being compromised by this same cyber threat actor without SolarWinds products present in the network. Recent evidence shows that not all organizations with the malicious SolarWinds software were compromised by the threat actor, and that there were different stages of the attack. Additional vectors are suspected and further investigation is ongoing by CISA and the FBI.
What: A cybersecurity intrusion campaign affecting public and private organizations carried out by sophisticated APT actors.
The United States government has determined that this attack poses a “grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private organizations.”Security Analysts continue to discover more malware and technical details associated with the attack. In addition to the originally discovered SUNBURST backdoor, four other distinct pieces of malware have been discovered as part of the attack.
An initial implant, SUNSPOT, is assessed to be responsible for delivering the SUNBURST backdoor into SolarWinds Orion products. TEARDROP is a post-exploitation, memory-resident dropper that, in the observed cases so far, has only dropped BEACON, a payload included with Cobalt Strike, a red team emulation tool used by both security professionals and malicious actors. BEACON supports lateral movement across a variety of protocols, and a number of command and control (C2) functions. Separately yet similar to TEARDROP, a loader dubbed RAINDROP, was recently discovered and appears to be used to move laterally across networks compromised via SUNBURST. All publicly available indicators that CIS is tracking related to these pieces of malware are linked in the Available IOCs section below.
When: Cybersecurity company FireEye discovered the supply chain attack against the SolarWinds products while investigating a compromise of their own network and publicly announced the discovery of the SUNBURST backdoor on 13 December 2020.
Confirmed compromises have occurred dating back to March of 2020. Forensic evidence has revealed files associated with this attack being compiled as far back as December of 2019.
Where: Multiple commercial industry verticals and government agencies around the world. According to a recent SEC filing by SolarWinds, approximately 18,000 of their 300,000 customers were running vulnerable versions of the SolarWinds Orion platform.
For this our any other cybersecurity concerns please feel to reach out to us at Get Started!