SolarWinds Orion Compromise
This threat report is about the SolarWinds Orion platform compromise and contains information pertinent to security operations teams that have the specific version of SolarWinds Orion deployed in their environment.
SolarWinds Orion is a widely-deployed IT management and monitoring platform used by IT organizations across many industries. The supply chain nature of the attack is serious and represents a critical risk to organizations with Orion deployed within their environment. The Department of Homeland Security has mandated all Federal Agencies immediately disconnect compromised Orion infrastructure from their network and perform forensic analysis to determine the scope of further persistent access.
Tactics, Techniques, Procedures
While investigation into this compromise is still ongoing, here’s what is known:
- In or before March, 2020, nation-state attackers were able to compromise SolarWinds and inject malicious code into the update CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
- This update contains a trojanized DLL (SolarWinds.Orion.Core.BusinessLayer.dll) which creates a backdoor that communicates via HTTP with remote attackers
- After a dormant period, the trojan attempts to resolve a subdomain of avsvmcloud[.]com
- The DNS response returned points the compromised system to command and control infrastructure which is then used to further compromise the victim
The currently known command and control infrastructure can be found here.
NOTE:
While Avertium does utilize some SolarWinds software, we DO NOT have Orion platform components installed in either our corporate infrastructure or customer environments.
We have updated our threat intelligence platforms to detect activity associated with these indicators of compromise.
How to Determine Your Exposure to this Compromise
- Check which version of SolarWinds Orion you have installed by following these instructions from SolarWinds
- To determine what hotfixes you have installed, follow these SolarWinds instructions
If a Compromised Version of Orion is Present...
Teams that have a compromised version of Orion installed in the environment:
- Immediately report this to your MSSP AND
- Immediately disconnect the infrastructure from your environment
- Upgrade to Orion Platform version 2020.2.1 HF 1 and hotfix release, 2020.2.1 HF 2
- Determine through forensic analysis whether further persistent access was gained
- Perform vulnerability sweep with enriched threat intelligence
- Perform threat hunt
- Activate incident response plan if exposure is confirmed
We recognize the graveness of this latest attack and are here to help. If you are a current Avertium customer and believe your organization has been exposed, please contact your representative. If you aren’t yet an Avertium customer, please call us on our 24-hour hotline at 877-707-7997 option 4 or contact us here.