The objective of this alert is to warn customers of SolarWinds, who run the Orion software, of a potential security risk in their organization due to a compromise at SolarWinds.
This alert aims to clarify the risk and give system administrators the tools and guidelines to find and mitigate a potential security risk.
This is an ongoing development, and more information may become available as time progresses. We urge administrators to follow this alert up as well.
The American software company SolarWinds has been a recent victim of a security breach, that lead to the company shipping out trojanized versions of their Orion software. This trojanized version has been the root cause of security breaches in several high-value targets, which is also how the security breach at SolarWinds has been detected. This kind of attack is called a supply-chain attack which can have severe consequences.
The supply chain breach at SolarWinds may have begun as early as Spring 2020, but has only been detected on December 13th, after the reports of a breach in the U.S. Department of Treasury and the U.S. Department of Commerce. Analysis shows that several versions of the Orion software were malicious, including versions released between March and May.
Reuters1 gives a general overview of this breach, while FireEye2 gives a more in-dept technical view.
A compromise of SolarWinds left potentially thousands of customers with trojanized versions of their Orion software. This malicious version is digitally signed, and thus gives no direct indication of wrongdoing. After lying dormant for up to two weeks, the “SunBurst” backdoor – also known as “Solorigate” – becomes active, and gives full administrative control to the attackers. The malware masquerades its own traffic as the Orion Improvement Program protocol and uses legitimate plugins to store reconnaissance data, making its behavior hard to detect.
When the malware first tries to establish a connection to the attacker, it does so by trying to resolve avsvmcloud[.]com, which gives its Command and Control (C2) information via the CNAME record. Communication with the C2 is made to look like SolarWinds API communication, further blending it in the background noise.
Running a compromised version of SolarWinds Orion may give the attackers full access to the device and the information stored on it. It also gives a foothold to collect credentials of privileged users, and may serve as a jump-point in your network to attack other devices. If the malicious software is able to get a hold of SAML signing certificates, it may be able to make SAML tokens for even the highest privileged accounts in Azure Active Directory.
Affected Vendors and Workarounds
The affected software in question is SolarWinds Orion. Due to the many unidentified factors, it is not yet known which versions are and are not malicious. SolarWinds has released mitigation and hardening instructions via their website3.
The technical blog of security vendor FireEye2 describes several Indicators of Compromise (IOC) that may be of use. The cyber security community also worked together to produce a series of counter-measures and ways to detect malicious instances, and documented these in the FireEye Mandiant SunBurst Countermeasures Github repository4.
As this is an ongoing story, we strongly advise administrators running SolarWinds Orion to follow this up closely.