The Cybersecurity and Infrastructure Security Agency (CISA) gave an alert regarding the active exploitation of SolarWinds Orion IT monitoring and management software by sophisticated hackers. It is believed that the group behind the cyberattack is the highly sophisticated, elusive, nation-state hacking group that created a Trojanized version of the Orion software. That software program was used to deploy a backdoor into the systems of customers known as SUNBURST.
The supply chain attack has affected about 18,000 customers, who have downloaded the Trojanized version of SolarWinds Orion as well as the SUNBURST backdoor. Big public and private companies and government departments use SolarWinds Orion.
Among the users of SolarWinds are the five branches of the U.S. military, the State Department, the Pentagon, the National Security Agency and NASA. There are also about 425 big publicly traded U.S. firms that use its solutions. Organizations that have been under cyberattack include the US National Telecommunications and Information Administration (NTIA), the US Treasury, and Department of Homeland Security. The cybersecurity firm FireEye that first detected the cyberattack was also attacked.
The attacks began with the introduction of the first malicious versions of the Orion software last spring 2020. It is believed that the hackers were present in the breached networks since then. It took so long to identify the threat because the malware is elusive. According to FireEye, the malware covers up its network traffic as the Orion Improvement Program (OIP) protocol and keeps reconnaissance results within legitimate plugin configuration files enabling it to merge with valid SolarWinds activity. As soon as the backdoor is installed, the attackers move laterally and perform data theft.
The hackers obtained access to the software development environment of SolarWinds and put the backdoor code in the library of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released from March 2020 up to June 2020.
CISA gave an Emergency Directive instructing all federal civilian agencies to block attacks by quickly disconnecting from networks or shutting down SolarWinds Orion software versions 2019.4 through 2020.2.1 HF1. The agencies were also told not to “(re)connect the Windows host OS to the company domain.
All clients need to make prompt upgrades of their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. The second hotfix – 2020.2.1 HF 2 – will be available soon to replace the vulnerable component and apply additional security improvements.
If unable to quickly upgrade, follow the guidelines provided by SolarWinds to protect the Orion Platform. Companies must monitor for indicators of compromise. Microsoft already added the signatures of the backdoor to its antivirus products (other antivirus software too) to enable detection of the backdoor. Running a full scan is highly recommended.
SolarWinds, FireEye, the FBI, and the intelligence community are working together to look into the attacks. SolarWinds and Microsoft are also trying to get rid of an attack vector that results in the breach of targeted Microsoft Office 365 productivity products.
It is still uncertain which group is really behind the attack; but the Washington Post reported that some sources stated the Russian nation-state hacking group APT29 (Cozy Bear) conducted the attack but a spokesperson for the Kremlin denied it.