Threat Advisory: SolarWinds Orion versions 2019.4 - 2020.2.1 Software Supply Chain Attack
December 14, 2020
Late on December 13, 2020 it was reported that, for several months, sophisticated nation-state actors had been exfiltrating email and other sensitive material from organizations running SolarWinds Orion. FireEye's Mandiant team tracks the actor under the neutral designation UNC2452 (an "uncategorized" activity cluster), while other sources attribute the activity to APT29 (Cozy Bear) and have reason to believe it is related to the FireEye compromise announced last week. At this time, the US Treasury and the National Telecommunications and Information Administration (NTIA) are confirmed victims of this attack. As more information is released, additional government agencies targeted by this campaign may be disclosed.
The compromise is believed to have occurred in the spring of 2020: Orion updates released between March and June carried a trojanized component after the threat actors compromised SolarWinds' software build and automatic update process. SolarWinds has stated it will release an update (2020.2.1 HF 2) on December 15 to mitigate this attack vector by replacing "the compromised component and [providing] several additional security enhancements." SolarWinds and Microsoft both state they have contacted customers they believe are impacted by this attack, and Microsoft has added a detection for the backdoor to Microsoft Defender under the name "Behavior:Win32/Solorigate.C!dha".
Because the malicious code was compiled into a legitimate SolarWinds Orion DLL and shipped through the vendor's normal update channel, it carried SolarWinds' own code signature (code-signing certificate SHA-256 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7). A valid signature from a trusted vendor is exactly what endpoint controls and application allow-listing are designed to trust, which is how the backdoor evaded detection: a signature check alone cannot distinguish a trojanized build from a clean one when the build pipeline itself is compromised.
According to FireEye, targeted sectors include "government, consulting, technology, telecom [and natural resource extraction] in North America, Europe, Asia and the Middle East," and FireEye "[anticipates] there are additional victims in other countries [and sectors]."
Herjavec Group highly recommends following the guidance provided by SolarWinds and updating to SolarWinds Orion 2020.2.1 HF 2 as soon as patch testing and deployment allows.
Additionally, DHS's Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, which is binding on federal civilian agencies subject to FISMA:
CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:
- Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems.
- High potential for a compromise of agency information systems.
- Grave impact of a successful compromise.
The directive's required actions include:
Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF 1, from their network.
CISA understands that the vendor is working to release a patch.
If this advisory is applicable to your environment, Herjavec Group recommends that your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group's analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your organization directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.
For more information on Threat Advisories, our Managed Security Services and SOC Operations, Security Engineering, or Incident Response, please connect with a security specialist.
Indicators of compromise:

| Type | Value | Name / context | Notes |
| --- | --- | --- | --- |
| SUNBURST | 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 | OrionImprovementBusinessLayer.2.cs | Decompiled and corrected source code for SUNBURST |
| Code-signing certificate | 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 | Solarwinds Worldwide, LLC | Legitimate SolarWinds code-signing certificate |
| DGA domain | [.]avsvmcloud[.]com | DGA domain under which C2 subdomains have been observed being created | https://www.virustotal.com/gui/domain/avsvmcloud.com/relations |
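The two actions a defender can take immediately from this advisory are to find Orion installs in the version range named in ED 21-01 and to look for queries under the avsvmcloud[.]com DGA domain from the indicator table. The following script, added here as an example and not code from Herjavec Group, SolarWinds, FireEye or CISA, does both: it refangs the published domain indicator, matches DNS query logs on label boundaries (so that an unrelated name like notavsvmcloud.com is not flagged), parses Orion version strings with their optional hotfix number and tests them against the 2019.4 through 2020.2.1 HF 1 range, and looks observed SHA-256 values up against the table. The DNS log format, the log lines and the host inventory are constructed for illustration and are assumptions; adapt the regular expression to your resolver's actual log format.

```python
"""Triage helpers for the SolarWinds Orion / SUNBURST advisory above.

Added example: this is not Herjavec Group, SolarWinds, FireEye or CISA code.
It uses the affected-version range quoted from ED 21-01 (2019.4 through
2020.2.1 HF 1) and the indicators in the table above. The DNS log format,
the log lines and the host inventory below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# --- Indicators from the advisory's table (the domain is kept defanged as published) ---
DGA_DOMAIN_DEFANGED = "[.]avsvmcloud[.]com"
IOC_SHA256 = {
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712":
        "SUNBURST decompiled source (OrionImprovementBusinessLayer.2.cs)",
    # The certificate is legitimate: a hit scopes Orion-signed binaries, it does not prove malice.
    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7":
        "SolarWinds code-signing certificate (legitimate)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '[.]avsvmcloud[.]com' into a usable hostname."""
    return indicator.replace("[.]", ".").lstrip(".").lower()


DGA_DOMAIN = refang(DGA_DOMAIN_DEFANGED)  # 'avsvmcloud.com'


def is_dga_subdomain(hostname: str, parent: str = DGA_DOMAIN) -> bool:
    """True for the parent domain itself or any subdomain of it.

    Matching is done on label boundaries: a bare substring test would also flag
    unrelated names such as 'notavsvmcloud.com'. A trailing dot (FQDN form) is tolerated.
    """
    h = hostname.lower().rstrip(".")
    return h == parent or h.endswith("." + parent)


# Assumed (constructed) resolver log format: "<timestamp> <client-ip> query: <qname>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def find_dga_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query under the DGA domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if m and is_dga_subdomain(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


# Orion version strings look like "2020.2.1 HF1" or "2019.4 HF 5"; the hotfix part is optional.
VERSION_RE = re.compile(r"^(?P<ver>\d+(?:\.\d+)*)(?:\s*HF\s*(?P<hf>\d+))?$", re.IGNORECASE)


def parse_orion_version(s: str) -> Tuple[Tuple[int, ...], int]:
    """Split '2020.2.1 HF1' into ((2020, 2, 1), 1); a missing hotfix counts as HF 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {s!r}")
    parts = tuple(int(p) for p in m["ver"].split("."))
    return parts, int(m["hf"] or 0)


def is_affected_version(s: str) -> bool:
    """Affected range quoted from ED 21-01: 2019.4 through 2020.2.1 HF 1, inclusive.

    2020.2.1 HF 2 is the SolarWinds fix and falls outside the range. Tuple comparison
    orders (version parts, hotfix) lexicographically, so 2020.2 sorts before 2020.2.1
    and 2020.2.1 HF 2 sorts after 2020.2.1 HF 1.
    """
    low = ((2019, 4), 0)
    high = ((2020, 2, 1), 1)
    return low <= parse_orion_version(s) <= high


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Hosts whose Orion version is in the affected range (ED 21-01: disconnect or power down)."""
    return [host for host, version in inventory if is_affected_version(version)]


def match_hashes(observed: Iterable[str]) -> Dict[str, str]:
    """Look observed SHA-256 values up against the advisory's indicators (case-insensitive)."""
    return {h.lower(): IOC_SHA256[h.lower()] for h in observed if h.lower() in IOC_SHA256}


# --- Constructed sample data (not real telemetry) ---
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:07Z 10.20.4.17 query: k3mz9a1xq7.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T03:12:09Z 10.20.4.17 query: login.microsoftonline.com
2020-12-14T03:13:41Z 10.20.9.3 query: notavsvmcloud.com
2020-12-14T03:15:02Z 10.20.4.17 query: avsvmcloud.com.
"""
SAMPLE_INVENTORY = [
    ("orion-poller-01", "2020.2.1 HF1"),
    ("orion-web-02", "2020.2.1 HF 2"),
    ("orion-lab", "2019.4 HF5"),
    ("orion-legacy", "2018.4"),
]

if __name__ == "__main__":
    for ts, client, qname in find_dga_queries(SAMPLE_DNS_LOG.splitlines()):
        print(f"DGA query  {ts}  {client} -> {qname}")
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"affected   {host}")
```

Run against the constructed data, the script reports the two queries under avsvmcloud.com from 10.20.4.17 (the lookalike notavsvmcloud.com is ignored) and flags orion-poller-01 and orion-lab; orion-web-02 on 2020.2.1 HF 2 is the patched build and orion-legacy predates the affected range. A DNS hit on the DGA domain is a strong indicator, whereas a match on the code-signing certificate hash only tells you the binary came through SolarWinds' signing pipeline, which is the whole point of the attack.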
- I. Alonzo, “US Treasury, NTIA Hacked—Russia’s APT29 ‘Cozy Bear’ Breaches e-mails and MORE!,” Tech Times, Dec. 13, 2020. https://www.techtimes.com/articles/255007/20201213/treasury-ntia-hacked—russias-apt29-cozy-bear-breaches-e-mails-more.htm (accessed Dec. 14, 2020).
- F. Bajak and M. O’Brien (Associated Press), “US agencies hacked in monthslong global cyberspying campaign,” The Washington Post.
- “Security Advisory | SolarWinds.” https://webcache.googleusercontent.com/search?q=cache:https://www.solarwinds.com/securityadvisory&strip=0&vwsrc=0 (accessed Dec. 14, 2020).
- “Behavior:Win32/Solorigate.C!dha threat description - Microsoft Security Intelligence.” https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132 (accessed Dec. 14, 2020).
- “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” FireEye. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html (accessed Dec. 14, 2020).
- “cyber.dhs.gov - Emergency Directive 21-01.” https://cyber.dhs.gov/ed/21-01/ (accessed Dec. 14, 2020).