SolarWinds Supply Chain Compromise & Sunburst Malware

Tom Mroz | December 23, 2020
Updated 1/6/2021
On December 8th, 2020, the cybersecurity company FireEye announced that it had been hacked. It reported that a "highly sophisticated threat actor" had accessed its internal network and stolen its highly valuable red team tools, which FireEye uses to mimic a potential adversary's attack. Within just a few days, the scope of the hack began to emerge. It was determined that multiple U.S. agencies were successfully targeted, including the departments of State, Treasury, Commerce, Energy and Homeland Security, as well as the National Institutes of Health. As time went on, the number of organizations affected by the hack continued to grow.

While FireEye was researching the attack and analyzing over 50,000 lines of source code, they determined that there was a backdoor within the SolarWinds Orion product. SolarWinds products are in roughly 90% of the Fortune 500 and in many federal agencies. FireEye's discovery that SolarWinds was the primary point of entry allowed them to alert their business partners and customers. This led to disclosures by various federal agencies that they, too, had been breached by the same method.

The attack originally started when SolarWinds' networks, specifically the Orion platform update servers, were compromised by an outside threat actor. SolarWinds Orion is an enterprise software suite that includes performance and application monitoring and network configuration management. Orion is used to monitor and manage on-premise and hosted infrastructures. To give SolarWinds Orion the necessary visibility into this diverse set of technologies, many network administrators configure Orion with pervasive privileges, making it a valuable target for adversary activity. The SolarWinds tools were compromised using complex identity certificates, which allowed the attackers to forge identities and gain access to other systems, eventually landing on the core infrastructure used to stage and ship software updates to customers of the Orion platform.

The SolarWinds Orion breach is considered a supply chain attack, meaning that the actors did not directly attack the various organizations, such as US Government agencies and security vendors, but rather attacked one or more platforms used by those organizations in order to gain access to them indirectly. Once the bad actors had access to the SolarWinds update servers, they injected malicious code into one or more updates, which were then distributed to all users of Orion when they performed regular software updates/patching on the Orion systems in their own environments.

This attack code, called Sunburst, compromised Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. Any organization that installed a malicious Orion update, dating back at least to spring 2020, has had its systems compromised with this backdoor. After an initial dormant period of about 14 days, the compromised system attempts to connect to a command and control (C&C) server, which is carefully constructed to mimic normal SolarWinds communication. At this point the attackers decide whether or not the organization is of interest, and whether to terminate or proceed with the attack. If the actors decide you are of interest, they will then move laterally to other assets. SolarWinds believes that only about 18,000 of its 300,000 Orion customers have been impacted by the update.

SolarWinds released a new update (2020.2.1 HF 2) which replaces the compromised component and provides several additional security enhancements to the code. That said, if you are using SolarWinds Orion, it is best to assume compromise until more is known and it has been determined whether any additional products or code were compromised. Work toward a Zero Trust posture, limit unnecessary access to the internet, blacklist the known C&C domains, and update your existing security tools. Many tools, including core products like firewalls and endpoint protection, have been updated to identify the indicators of compromise (IOCs) of Sunburst, and will now identify and block Sunburst from getting onto, or leaving, your network. Additionally, tools like vulnerability scanners can identify SolarWinds products in your network and tell you whether you are vulnerable to Sunburst, and with the addition of Breach & Attack Simulation tools, you can test your security controls, validate your security posture, and determine whether you would have fallen victim to Sunburst.
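As an added example (not from the original post and not SolarWinds' own tooling), the version-range check described above written as a small Python triage script: it parses Orion version strings as the post writes them ("2019.4", "2020.2.1 HF 2") and flags any install from 2019.4 up to, but not including, the 2020.2.1 HF 2 hotfix as one to assume compromised. The inventory lines are constructed sample data, and the range boundaries are taken from the post; the SolarWinds advisory remains the authority for a real check.

```python
"""Triage Orion installs by version against the affected range named in the post.
Added example; SAMPLE_INVENTORY is constructed, not real scanner output."""
import re
from typing import NamedTuple, Optional, Dict, Tuple


class OrionVersion(NamedTuple):
    release: Tuple[int, int, int]  # e.g. (2020, 2, 1); 2019.4 becomes (2019, 4, 0)
    hotfix: int                    # 0 when there is no "HF n" suffix


# Accepts "2020.2.1", "2019.4", "2020.2.1 HF 2" (case-insensitive, spacing tolerant)
_VER_RE = re.compile(r"^(\d{4}(?:\.\d+)+)(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Optional[OrionVersion]:
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad so 2019.4 compares like 2019.4.0
    return OrionVersion(parts, int(m.group(2) or 0))


FIRST_BAD = OrionVersion((2019, 4, 0), 0)   # start of the range the post names
FIXED = OrionVersion((2020, 2, 1), 2)       # 2020.2.1 HF 2 replaces the compromised component


def is_affected(ver: OrionVersion) -> bool:
    # NamedTuple compares field by field: release first, then hotfix number
    return FIRST_BAD <= ver < FIXED


def triage(inventory: str) -> Dict[str, str]:
    """inventory: one 'hostname<TAB>version' line per host; returns host -> verdict."""
    verdicts: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver_text = line.partition("\t")
        ver = parse_version(ver_text)
        if ver is None:
            verdicts[host] = "unknown-version"     # needs manual confirmation
        elif is_affected(ver):
            verdicts[host] = "assume-compromised"  # in the range the post names
        else:
            verdicts[host] = "outside-known-range"
    return verdicts


SAMPLE_INVENTORY = "orion-01\t2020.2.1\norion-02\t2020.2.1 HF 2\norion-03\t2019.4\n" \
                   "orion-04\t2019.2\norion-05\t2020.2.1 HF 1\norion-06\tunknown"

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```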
You can find additional tools, resources, and Ingram Micro contacts on our Security Line Card.

Arctic Wolf
  • Arctic Wolf Solar Winds Response
Bitdefender
  • Bitdefender’s Response to FireEye and SolarWinds Breaches and Recommendations for Organizations
Check Point
  • SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected
  • Best Practice: Identifying And Mitigating The Impact Of Sunburst
Cisco
  • Threat Advisory: SolarWinds supply chain attack
Cymulate
  • What Do I Need to Know About the SolarWinds Attack?
FireEye
  • Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  • FireEye SunBurst Countermeasures
Fortinet
  • What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
IBM
  • Update on Widespread Supply-Chain Compromise
McAfee
  • SUNBURST Malware and SolarWinds Supply Chain Compromise
  • McAfee coverage for SolarWinds Sunburst Backdoor
Microsoft
  • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
Palo Alto
  • Threat Brief: SolarStorm and SUNBURST Customer Coverage
RSA
  • RSA Response to SolarWinds/FireEye Attacks
Skout
  • Cybersecurity Threat Advisory 0068-20: FireEye Breach
  • Cybersecurity Threat Advisory 0069-20: SolarWinds Orion Backdoor
SonicWALL
  • Massive Supply-Chain Attack Targets SolarWinds Orion Platform
SolarWinds
  • SolarWinds Security Advisory
  • SolarWinds Orion Hotfix
  • SolarWinds Orion Version Check
Sophos
  • Solarwinds Breach: Everything You Need To Know
  • Sophos Incident response playbook for responding to SolarWinds Orion compromise
Tenable
  • Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)
Trend Micro
  • SECURITY ALERT: Sunburst (SolarWinds) Targeted Attack Detection and Investigation with Trend Micro Products

Copyright © 2021 Ingram Micro. All rights reserved.