Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)

$
0
0

Nation-state threat actors breached the supply chain of a popular IT management software provider in order to infiltrate government agencies and private companies.

Update December 16: The Solution and Identifying Affected Systems sections have been updated to reflect the availability of Hotfix 2 and a new Tenable plugin.

Background

On December 13, several news outlets, including Reuters, The Washington Post and The Wall Street Journal, reported that multiple U.S. government agencies were the victims of a significant breach reportedly linked to hackers associated with a nation-state. Additional reporting has since confirmed a direct connection between this breach and last week's breach of cybersecurity firm FireEye.

According to a tweet from Dustin Volz, reporter for The Wall Street Journal, the source of the breach was "a flaw in IT firm SolarWinds."

Following the publication of these news articles, additional information about the breach has since been made public.

Kim Zetter, a cybersecurity and national security journalist, tweeted details from a Threat Analyst Report (TAR) published by Microsoft. Microsoft is one of the firms tapped to assist in the FireEye breach investigation. Microsoft nicknamed the attack "Solorigate."

Additionally, FireEye has published a blog post providing a more detailed account regarding how the breach occurred, which includes a set of countermeasures that contains indicators of compromise (IOCs) such as a list of hashes, as well as Snort and YARA rules. FireEye refers to the backdoor as "SUNBURST."

On December 14, SolarWinds filed a Form 8-K with the U.S. Securities and Exchange Commission that sheds light on the potential impact from this incident. In the 8-K, SolarWinds says it believes the number of customers with an active installation of Orion products containing this backdoor is "fewer than 18,000."

Analysis

According to the Microsoft TAR and the FireEye blog post, a "highly sophisticated" adversary managed to breach the supply chain of SolarWinds, a company that develops IT infrastructure management software, resulting in the placement of malicious code inside of the company's Orion Platform software builds.

The backdoor resides in a dynamic-link library (DLL) file named SolarWinds.Orion.Core.BusinessLayer.dll. The file was digitally signed by SolarWinds with a valid certificate on March 24, meaning it would be trusted by the underlying operating system and would not raise any alarms.

The backdoored DLL file was seeded as part of SolarWinds software builds between March and June 2020, which are accessible via the SolarWinds website. Once an organization installed the malicious software update, the backdoored DLL file would remain in hibernation for a period of two weeks before beginning its operation. This is one of the stealthy elements of this operation. FireEye says in its blog post that the backdoor also managed to "blend in with legitimate SolarWinds activity" in order to evade detection.

For a detailed teardown of the DLL file, including the associated IOCs and network activity, we strongly encourage you to read FireEye's comprehensive blog post about the incident.

Reportedly, this operation has remained under the radar until last week. However, FireEye notes that the activity is "currently ongoing" and that it is "widespread, affecting public and private organizations around the world."

While details have only just emerged, we encourage organizations using the SolarWinds Orion Platform to assume their networks have been compromised and activate existing incident response plans, work with your in-house information security teams or partner with an organization that conducts incident response to identify the impact to your organization.

Solution

SolarWinds has published a security advisory regarding this incident. According to the company, the following build versions of its Orion Platform software are affected.

VersionsRelease Date
2019.4 HF 5 through 2020.2 with no hotfixMarch 2020 through June 2020
2020.2 HF 1June 2020 through July 2020*

* SolarWinds did not specify which versions of 2020.2 Hotfix 1 were affected, so we have provided the entire release date window for all versions of 2020.2 Hotfix 1.

SolarWinds specifically calls out the following products in its Orion Platform that are known to be affected:

  • Application Centric Monitor (ACM)

  • Enterprise Operations Console (EOC)

  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • Network Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SCM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)


As part of its advisory, SolarWinds recommends organizations using its Orion Platform upgrade to version 2020.2.1 HF 1. However, SolarWinds notes that it plans to release a second hotfix, 2020.2.1 HF 2 on Tuesday, December 15. This version is now available and can be obtained from the SolarWinds customer portal.

This second hotfix will replace the compromised DLL component with the genuine DLL component as well as include "several additional security enhancements."

If upgrading to the latest hotfix version is not feasible for your organization, SolarWinds has provided a link to a document about securing the configuration for the Orion Platform.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on December 13, which provides guidance to Federal Civilian Executive Branch agencies regarding this incident.

Identifying affected systems

Tenable customers can utilize our existing detection plugin to identify all of the SolarWinds Orion assets in your environment. We have also released a local, agent compatible detection plugin.

Additionally, a new version check plugin was released to help identify impacted versions of SolarWinds in your environment. 

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Viewing all articles
Browse latest Browse all 1935

Trending Articles