SolarWinds Orion Compromise

This threat report is about the SolarWinds Orion platform compromise and contains information pertinent to security operations teams that have the specific version of SolarWinds Orion deployed in their environment. 

SolarWinds Orion is a widely deployed IT management and monitoring platform used by IT organizations across many industries. The supply chain nature of the attack is serious and represents a critical risk to organizations with Orion deployed within their environment. The Department of Homeland Security has mandated all Federal Agencies immediately disconnect compromised Orion infrastructure from their network and perform forensic analysis to determine the scope of further persistent access. 

 

Tactics, Techniques, Procedures

While the investigation into this compromise is still ongoing, here’s what is known:

  • In or before March 2020, nation-state attackers were able to compromise SolarWinds and inject malicious code into the update CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
  • This update contains a trojanized DLL (SolarWinds.Orion.Core.BusinessLayer.dll) which creates a backdoor that communicates via HTTP with remote attackers
  • After a dormant period, the trojan attempts to resolve a subdomain of avsvmcloud[.]com
  • The DNS response returned points the compromised system to command and control infrastructure which is then used to further compromise the victim

The currently known command and control infrastructure can be found here.

NOTE:

While Avertium does utilize some SolarWinds software, we DO NOT have Orion platform components installed in either our corporate infrastructure or customer environments.

We have updated our threat intelligence platforms to detect activity associated with these indicators of compromise.

How to Determine Your Exposure to this Compromise

 Even if you are not directly exposed, your critical vendors may be.  It is imperative to understand your third-party risk related to this incident.  Contact organizations in your supply chain.

If a Compromised Version of Orion is Present...

Teams that have a compromised version of Orion installed in the environment:

  • Immediately report this to your MSSP AND
  • Immediately disconnect the infrastructure from your environment
  • Upgrade to Orion Platform version 2020.2.1 HF 1 and hotfix release, 2020.2.1 HF 2
  • Determine through forensic analysis whether further persistent access was gained
  • Perform vulnerability sweep with enriched threat intelligence
  • Perform threat hunt
  • Activate incident response plan if exposure is confirmed

We recognize the graveness of this latest attack and are here to help. If you are a current Avertium customer and believe your organization has been exposed, please contact your representative.  If you aren't yet an Avertium customer, please call us on our 24-hour hotline at 877-707-7997 option 4 or contact us here. 

Sources

https://cyber.dhs.gov/ed/21-01/

https://www.solarwinds.com/securityadvisory

https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Chat With One of Our Experts



Threat Report supply chain security Tips & Tools Solarwinds orion compromise Threat Detection and Response Blog