Advisory Overview
SolarWinds Orion, a prominent IT monitoring and management solution, has been compromised with a backdoor by a sophisticated state-sponsored threat actor. The application has been discovered communicating with unknown third-party servers through traffic deliberately designed to mimic normal activity. This compromise was highly sophisticated and affects many public and private organizations across the world. Any organization that utilizes SolarWinds Orion should follow the steps provided by CISA later in this article to contain and remediate any potential issues.
Technical detail and additional information
What is the threat?
A vulnerability has been discovered in SolarWinds Orion, one of the most recognizable names in IT monitoring and management. It appears that the malicious state-sponsored actors temporarily being referred to as UNC2452 have compromised Orion with a backdoor being referred to as Sunburst. This Supply Chain attack has compromised Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. This compromised plugin turned Orion into a backdoor that was found communicating via HTTP to unknown third-party servers, potentially allowing threat actors into highly secured networks across the globe. At this time, the campaign has affected public and private organizations across the globe and does not appear to be targeted.
Why is this noteworthy?
SolarWinds is a preeminent player in the IT management world, and a compromise of their Orion management software has endangered organizations both public and private across the entire world. Most notably SolarWinds has said its technology is utilized by many facets of the U.S. government such as the Pentagon, every branch of the military, the Postal Service, and even the Office of the President. At this time, it does not appear that this attack was targeted, but the activity has been tentatively linked to a group known as APT29 who is associated with the Russian Foreign Intelligence Service. Orion was compromised as part of a “Supply Chain attack”, where actors target a less-secure element of business operations in order to gain a foothold. By compromising this link in the supply chain, the actors now have access to systems that were harder to attack directly.
What is the exposure or risk?
The potential risk stemming from this compromise is high simply due to the nature and number of the users that this incident has compromised. Any organizations that have installed the malicious Orion update stemming back at least from Spring 2020 have had their systems compromised with this backdoor. The compromised system will after an initial dormant period attempt to connect to a command and control (C&C) server, which is even carefully constructed to mimic normal SolarWinds communication. The exact nature of how this backdoor is being exploited has not been disclosed, but a malicious actor having undetected remote access to the networks of governments and major organizations across the world can cause sizable damage.
What are the recommendations?
If you are using SolarWinds Orion in your environment, consider following the below recommendations:
- Determine if you are running the impacted version:
| Versions | Release Date |
| 2019.4 (Hotfix 5) | March 26, 2020 |
| 2020.2 | June 4, 2020 |
| 2020.2 (Hotfix 1) | June 24, 2020 |
| 2020.2.1 | August 25, 2020 |
| 2020.2.1 (Hotfix 1) | October 29, 2020 |
- If you are using the above outlined SolarWinds Orion versions, consider your SolarWinds Orion platform compromised and take a backup for future forensic needs.
- As part of the investigation process, SolarWinds admin’s should conduct a full review of Orion logs: click, to determine the impact on the environment and the company.
- There is no “easy check” to determine if your environment has been breached or not.
- Review, configure and harden SolarWinds Orion platform: click
- Upgrade to the latest SolarWinds release 2020.2.1 HF2, released on December 15th by going to the SolarWinds Control Portal click.
- Block public access for SolarWinds application.
- Additionally, companies should block these IPs and Domains on the firewall. click & click.
- Also, add the hash values to any Endpoint Protection tools that you’re currently using.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
- https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
- https://cyber.dhs.gov/ed/21-01/
- https://github.com/fireeye/sunburst_countermeasures
If you have any questions, please contact our Security Operations Center.
