The objective of this alert is to warn customers of SolarWinds, who run the Orion software, of a potential security risk in their organization due to a compromise at SolarWinds.

This alert aims to clarify the risk and give system administrators the tools and guidelines to find and mitigate a potential security risk.

This is an ongoing development, and more information may become available as time progresses. We urge administrators to follow this alert up as well.

A compromise of SolarWinds left potentially thousands of customers with trojanized versions of their Orion software. This malicious version is digitally signed, and thus gives no direct indication of wrongdoing. After lying dormant for up to two weeks, the “SunBurst” backdoor – also known as “Solorigate” – becomes active, and gives full administrative control to the attackers. The malware masquerades its own traffic as the Orion Improvement Program protocol and uses legitimate plugins to store reconnaissance data, making its behavior hard to detect.

When the malware first tries to establish a connection to the attacker, it does so by trying to resolve avsvmcloud[.]com, which gives its Command and Control (C2) information via the CNAME record. Communication with the C2 is made to look like SolarWinds API communication, further blending it in the background noise.

The affected software in question is SolarWinds Orion. Due to the many unidentified factors, it is not yet known which versions are and are not malicious. SolarWinds has released mitigation and hardening instructions via their website³.
The technical blog of security vendor FireEye² describes several Indicators of Compromise (IOC) that may be of use. The cyber security community also worked together to produce a series of counter-measures and ways to detect malicious instances, and documented these in the FireEye Mandiant SunBurst Countermeasures Github repository⁴.

As this is an ongoing story, we strongly advise administrators running SolarWinds Orion to follow this up closely.