SolarWinds Supply Chain Attack – Updated 12/18/2020

On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds Orion, a monitoring product that is deployed across a myriad of organizations in the public and private sectors.

What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

What to do:
  • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
  • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
  • On Tuesday December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
  • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
  • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indicators of Compromise (IOCs) may change over time as more information becomes available.

How did this happen:

SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can involve in-house software components, third-party libraries, or even the manufacturing of devices. How the attack was deployed via the SolarWinds platform remains unclear, but multiple payloads were delivered via digitally signed updates from SolarWinds from March to May 2020 in the SolarWinds.Orion.Core.BusinessLayer.dll.

Technical Details:
  • The trojan placed on the system lies dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
  • Further communications with the C2 server masquerade as SolarWinds API traffic.
  • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named "TEARDROP". A Cobalt Strike Beacon payload has also been detected.
  • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and launch ongoing attacks.
  • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
  • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.

FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.
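As an added detection example, not code from the Raxis post or from FireEye's released countermeasures, the script below scans a DNS query log for lookups of the beacon domain avsvmcloud[.]com named in the technical details and reports each client's first such lookup, so a responder knows which hosts to triage first. The log line format and the sample lines are constructed assumptions.

```python
# Added detection example, not from the Raxis post or FireEye's countermeasures:
# scan a DNS query log for lookups of the beacon domain avsvmcloud[.]com named
# above and report each client's first lookup. Log format and lines are constructed.
import re
from datetime import datetime

BEACON_DOMAIN = "avsvmcloud.com"  # the advisory writes it defanged as avsvmcloud[.]com

# Constructed sample log: "<UTC timestamp> <client IP> <queried name>"
SAMPLE_DNS_LOG = """\
2020-04-02T03:11:09Z 10.20.30.40 orion-poller.corp.example
2020-04-16T03:14:27Z 10.20.30.40 constructed-label-1.avsvmcloud.com
2020-04-16T03:14:30Z 10.20.30.41 download.windowsupdate.com
2020-04-17T11:02:55Z 10.20.30.40 constructed-label-2.avsvmcloud.com.
2020-04-18T08:40:12Z 10.20.30.42 not-avsvmcloud.com
2020-04-19T09:05:44Z 10.20.30.43 CONSTRUCTED-LABEL-3.AVSVMCLOUD.COM
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def is_beacon_query(qname):
    """True for the beacon domain or any subdomain of it. Trailing dot and
    case are normalised; the leading '.' keeps not-avsvmcloud.com from matching."""
    name = qname.rstrip(".").lower()
    return name == BEACON_DOMAIN or name.endswith("." + BEACON_DOMAIN)

def find_beacon_queries(log_text):
    """Return (timestamp, client, qname) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname = m.groups()
        if is_beacon_query(qname):
            hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname))
    return hits

def first_contact_by_client(hits):
    """Earliest beacon lookup per client. Because the trojan can stay dormant
    for up to two weeks, this is only a lower bound on when the host was infected."""
    first = {}
    for ts, client, _ in hits:
        if client not in first or ts < first[client]:
            first[client] = ts
    return first

if __name__ == "__main__":
    for client, ts in sorted(first_contact_by_client(find_beacon_queries(SAMPLE_DNS_LOG)).items()):
        print(f"{client} first queried {BEACON_DOMAIN} at {ts:%Y-%m-%dT%H:%MZ}")
```

Search logs back at least two weeks past the installation of an affected update, since the first lookup may not occur until the dormancy period ends.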

Updates

December 18, 2020

Who was affected:

In addition to FireEye, Microsoft confirmed that its systems were affected by the SolarWinds breach and has helped identify an additional 40+ customers of its own that have been affected. [1]

Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

[1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

[2] https://github.com/bambenek/research/tree/main/sunburst
