On December 8th, 2020, cybersecurity company FireEye announced they had been hacked. They reported that a "highly sophisticated threat actor" had accessed its internal network and stolen the highly valuable red team tools that FireEye uses to mimic a potential adversary's attack. Within just a few days, the scope of the hack began to emerge. It was determined that multiple U.S. agencies had been successfully targeted, including the departments of State, Treasury, Commerce, Energy and Homeland Security, as well as the National Institutes of Health. As time went on, the number of organizations affected by the hack continued to grow.
While FireEye was researching the attack and analyzing over 50,000 lines of source code, they determined that there was a backdoor within the SolarWinds Orion product. SolarWinds products are used in roughly 90% of the Fortune 500 and in many federal agencies. FireEye's discovery that SolarWinds was the primary point of entry allowed them to alert their business partners and customers. This led to disclosures by various federal agencies that they, too, had been breached by the same method.
The attacks started when an outside threat actor compromised SolarWinds' network, specifically the update servers for its Orion platform. SolarWinds Orion is an enterprise software suite that includes performance and application monitoring and network configuration management. Orion is used to monitor and manage on-premises and hosted infrastructure. To give SolarWinds Orion the necessary visibility into this diverse set of technologies, many network administrators configure Orion with pervasive privileges, which makes it a valuable target for adversary activity. The SolarWinds tools were compromised using complex identity certificates, which allowed the attackers to forge identity and gain access to other systems, eventually landing on the core infrastructure used to stage and ship software updates to customers of the Orion platform.
The SolarWinds Orion breach is considered a supply chain attack, meaning that the actors didn't directly attack the various organizations such as U.S. government agencies and security vendors, but rather attacked one or more platforms used by those organizations to gain access to them indirectly. Once the bad actors had access to the SolarWinds update servers, they injected malicious code into one or more updates, which were then distributed to all users of Orion when they performed regular software updates/patching on the Orion system in their own environments.
This attack code, called Sunburst, compromised Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. Any organization that installed a malicious Orion update, going back at least to Spring 2020, has had its systems compromised with this backdoor. After an initial dormant period of about 14 days, the compromised system attempts to connect to a command and control (C&C) server, which is carefully constructed to mimic normal SolarWinds communication. At this point the attackers decide whether or not the organization is of interest, and whether to terminate or proceed with the attack. If the actors decide you are of interest, they will then move laterally to other assets. SolarWinds believes that only about 18,000 of its 300,000 Orion customers have been impacted by the update.
SolarWinds released a new update (2020.2.1 HF 2) which replaces the compromised component and provides several additional security enhancements to the code. That said, if you are using SolarWinds Orion, it's best to assume compromise until more is known and it has been determined whether any additional products or code were compromised. Work toward a Zero Trust posture, limit unnecessary access to the internet, blacklist the known C&C domains, and update your existing security tools. Many tools, including core products like firewalls and endpoint protection, have been updated to identify the indicators of compromise (IOCs) of Sunburst, and will now identify and block Sunburst from getting onto, or leaving, your network. Additionally, tools like vulnerability scanners can identify SolarWinds products in your network and tell you whether you are vulnerable to Sunburst, and with the addition of Breach & Attack Simulation tools you can test your security controls, validate your security posture, and determine whether you would have fallen victim to Sunburst.
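As an added illustration of the version triage a vulnerability scanner performs (example code written for this page, not SolarWinds, FireEye or Ingram Micro tooling), the snippet below classifies Orion version strings, hotfix suffix included, against the 2019.4 through 2020.2.1 range the article names. It assumes that 2020.2.1 builds below HF 2 are affected and that 2020.2.1 HF 2 or later is patched; the host inventory is constructed sample data.

```python
import re

# Range the article gives as carrying the Sunburst backdoor, and the hotfix it
# names as the fix. Tuples are (year, major, minor, hotfix) so they compare in order.
AFFECTED_FROM = (2019, 4, 0, 0)      # 2019.4
AFFECTED_TO = (2020, 2, 1, 1)        # assumption: 2020.2.1 below HF 2 is affected
FIXED_AT = (2020, 2, 1, 2)           # 2020.2.1 HF 2

# Accepts "2019.4", "2020.2", "2020.2.1", "2020.2.1 HF 2", "2019.4 HF 5", etc.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(text: str):
    """Turn a version string into a comparable tuple; None if it cannot be parsed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    year, major, minor, hotfix = m.groups()
    return (int(year), int(major), int(minor or 0), int(hotfix or 0))


def classify(version_text: str) -> str:
    """affected / patched / pre-affected / unknown, relative to the article's range.
    Caveat: hotfixes issued on older version lines are not modelled; confirm
    borderline hosts against the vendor advisory rather than trusting this alone."""
    version = parse_orion_version(version_text)
    if version is None:
        return "unknown"          # unparseable inventory entry: inspect the host by hand
    if AFFECTED_FROM <= version <= AFFECTED_TO:
        return "affected"
    if version >= FIXED_AT:
        return "patched"
    return "pre-affected"         # older than the named range; still verify


# Constructed sample inventory (hostname, version as reported by the scanner).
CONSTRUCTED_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF 2"),
    ("orion-prod-02", "2020.2.1"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-old-01", "2019.2"),
    ("orion-dmz-01", "n/a"),
]


def triage(inventory):
    """Map each host to its status so affected hosts can be isolated first."""
    return {host: classify(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{host:15} {status}")
```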
You can find additional tools, resources, and Ingram Micro contacts on our Security Line Card.