The Cybersecurity and Infrastructure Security Agency (CISA) released an alert regarding the active exploitation of the SolarWinds Orion platform. FireEye found that SolarWinds Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were compromised in a supply chain attack.
What Do We Know About This Attack?
- On Sunday, December 13, 2020, FireEye released a Threat Research report regarding SolarWinds Orion business software being compromised in a supply chain attack.
- The trojanized Orion software package contains a dynamic-link library (DLL) named SolarWinds.Orion.Core.BusinessLayer.dll, a legitimate, digitally signed component of the Orion framework that the attackers modified to carry a backdoor.
- Once installed, the backdoored DLL lies dormant for up to two weeks before attempting to check in with the attacker's command-and-control (C2) infrastructure.
- This is essentially a "trojan horse" attack: the attacker uses a legitimate, vendor-distributed software package to get their malware into the victim's environment.
A supply chain attack occurs when a portion of a vendor's legitimate software is compromised by attackers and subsequently shipped (logically or physically) to customers. What makes these attacks so severe is that they are hard to detect: the compromised component carries the vendor's valid digital signature, so code-signing checks pass. A valid signature only proves that the vendor's key signed the file, not that the build was untampered with before it was signed, which is why file hashes and behavioural indicators, not signature status, are the useful checks here.
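The following PowerShell triage script is an added example and is not code from the original post, from FireEye or from SolarWinds. It illustrates the point above: on an Orion server it reports the Authenticode signature status of SolarWinds.Orion.Core.BusinessLayer.dll alongside its SHA-256 hash and file version, so that a "Valid" signature is never mistaken for a clean file. The install path and the hash list are assumptions; the placeholder hash must be replaced with the SUNBURST hashes published in the FireEye countermeasures repository linked later in this post.

```powershell
# Added example, not the original post's code. Assumptions (not from the page):
# the default Orion install path below, and the placeholder hash list, which must
# be replaced with the published SUNBURST SHA-256 hashes from
# https://github.com/fireeye/sunburst_countermeasures before use.

$OrionDir = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed default install path
$Target   = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Placeholder value (constructed). Replace with the published SUNBURST hashes.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

function Test-OrionDll {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion

    [pscustomobject]@{
        Path           = $Path
        Present        = $true
        FileVersion    = $ver          # compare against the vendor's patched build
        Sha256         = $hash
        # 'Valid' only means the certificate chain verifies. The trojanized DLL
        # was signed with SolarWinds' legitimate certificate, so this field alone
        # says nothing about whether the file is SUNBURST; KnownBad is the check.
        SignatureState = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        KnownBad       = ($KnownBadSha256 -contains $hash)
    }
}

# Every copy of the DLL under the install tree is checked, since Orion keeps
# several copies (assumption) and a stale one is as dangerous as the live one.
$found = Get-ChildItem -LiteralPath $OrionDir -Recurse -Filter $Target -ErrorAction SilentlyContinue
if (-not $found) {
    Write-Warning "No $Target found under $OrionDir; adjust `$OrionDir for this host."
}
$found | ForEach-Object { Test-OrionDll -Path $_.FullName } | Format-List
```

Run it in an elevated PowerShell session on each Orion server. A result with SignatureState "Valid" and KnownBad "True" is exactly the case the paragraph above describes; treat any such host as compromised rather than merely unpatched, and preserve it for forensic analysis before rebuilding.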
Once the malware checks in with the C2 infrastructure and begins receiving commands, the attackers have been observed doing a number of things within victim environments, including, but not limited to:
- Evade security products, including checks that halt the backdoor when known security tooling is present, and masquerade as legitimate processes;
- Validate and enumerate the victim’s Windows Domain;
- Load custom versions of attack frameworks such as Cobalt Strike, dubbed “TEARDROP” by FireEye; and
- Exfiltrate data using traffic that mimics the legitimate Orion Improvement Program (OIP) protocol, so that it blends in with expected Orion network activity.
Along with the announcement of the SolarWinds Orion supply chain attack, FireEye and SolarWinds have provided mitigations, detection rulesets, and a patch for affected systems.
The complete list of detections and mitigations provided by FireEye can be found here:
- https://github.com/fireeye/sunburst_countermeasures
Patch information and additional guidance from SolarWinds can be found here:
- https://www.solarwinds.com/securityadvisory
As of just before midnight on Sunday, December 13, 2020, Assura had rulesets in place to detect and alarm on the malicious activity related to this attack within our Security Information and Event Manager (SIEM). If you are a Managed SIEM client, rest assured that we are actively monitoring for any signs of malicious activity related to this attack.
This morning, December 14, 2020, our Security Analysts obtained copies of the compromised SolarWinds Orion software. Assura will be conducting its own analysis of the malware to determine whether there is anything further to report or monitor for. We will update this post if more information becomes available.
If you are a SolarWinds Orion user, please ensure you are running the latest patch available from SolarWinds, Orion Platform version 2020.2.1 HF 1, and confirm the installed build on each Orion server rather than assuming the update applied.
Below are links to more resources regarding the incident:
If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if you have questions about the incident or our response. Otherwise, please contact us at [email protected].