Threat Advisory: SolarWinds Orion versions 2019.4 - 2020.2.1 Software Supply Chain Attack

December 14, 2020

During the evening of December 13th, 2020 it was announced that, for several months, emails and other sensitive material from networks running SolarWinds Orion had been exfiltrated by sophisticated nation-state attackers [1]. Mandiant tracks the activity under the neutral designation UNC2452 (Uncategorized 2452), while other sources attribute it to APT29/Cozy Bear and believe it is related to the FireEye compromise announced last week [2]. At this time, the US Treasury and the National Telecommunications and Information Administration (NTIA) are confirmed victims of this attack. As more information is released, further government agencies targeted by this attack may be disclosed.

The compromise is believed to have occurred in the spring of 2020 (in updates released between March and June), when the threat actors compromised SolarWinds' automatic software update mechanism. SolarWinds has stated it will release an update (2020.2.1 HF 2) on December 15 to mitigate this attack vector by replacing "the compromised component and [providing] several additional security enhancements" [3]. Both SolarWinds and Microsoft have stated that they have contacted clients they believe are impacted by this attack, and Microsoft has added a detection for it to Microsoft Defender under the name "Behavior:Win32/Solorigate.C!dha" [4].

Because the malicious code was added to the SolarWinds DLL that SolarWinds itself signs, the backdoored binary carries a legitimate SolarWinds code signature (code-signing certificate SHA256 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7), so it appeared trustworthy and evaded detection. Signature validation alone therefore does not identify the backdoored file; defenders should compare file hashes against the indicators listed in the appendix.

According to FireEye, targeted sectors include "government, consulting, technology, telecom [and natural resource extraction] in North America, Europe, Asia and the Middle East," and FireEye "[anticipates] there are additional victims in other countries [and sectors]" [5].

Herjavec Group highly recommends following the guidance provided by SolarWinds and updating to SolarWinds patch 2020.2.1 HF 2 as soon as patch testing and deployment allow.

Additionally, DHS has issued an emergency directive (Emergency Directive 21-01) for all agencies that must adhere to FISMA [6]:

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

- Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems.

- High potential for a compromise of agency information systems

- Grave impact of a successful compromise.

Their instructions include:

Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.

CISA understands that the vendor is working to release a patch.

If this advisory is applicable to your environment, Herjavec Group recommends that your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group's analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions, and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

For more information on Threat Advisories, our Managed Security Services and SOC Operations, Security Engineering, or Incident Response, please connect with a security specialist.

Appendix

| Malware Family | SHA256 | Filename | Role |
|---|---|---|---|
| SUNBURST | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp | Installer |
| SUNBURST | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | SolarWinds.Orion.Core.BusinessLayer.dll | Backdoor |
| SUNBURST | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | SolarWinds.Orion.Core.BusinessLayer.dll | Backdoor |
| SUNBURST | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | SolarWinds.Orion.Core.BusinessLayer.dll | Backdoor |
| SUNBURST | 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 | OrionImprovementBusinessLayer.2.cs | Decompiled and corrected source code for SUNBURST |
| SUPERNOVA | c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | app_web_logoimagehandler.ashx.b6031896.dll | Webshell |
| Code Signing Certificate | 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 | Solarwinds Worldwide, LLC | Legitimate SolarWinds code-signing certificate |
| DGA Domain | [.]avsvmcloud[.]com | DGA domain that C2 subdomains have been observed being created under | https://www.virustotal.com/gui/domain/avsvmcloud.com/relations |
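The appendix indicators can be hunted for directly. The following is an added example written for this advisory, not code from Herjavec Group, SolarWinds or any referenced vendor: it hashes files under a directory against the SUNBURST/SUPERNOVA SHA256 values above (a hash check, because the backdoored DLL's signature is genuine) and flags resolver log lines that query the DGA parent domain or any subdomain of it. The BIND-style log format and the sample lines are constructed assumptions.

```python
import hashlib
import os
import re

# Indicators transcribed from the appendix table above (SHA256 -> family, role).
SUNBURST_SUPERNOVA_SHA256 = {
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600": ("SUNBURST", "Installer"),
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134": ("SUNBURST", "backdoor"),
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6": ("SUNBURST", "backdoor"),
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77": ("SUNBURST", "backdoor"),
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71": ("SUPERNOVA", "Webshell"),
}
DGA_PARENT = "avsvmcloud.com"  # C2 subdomains were generated under this domain

def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def match_digest(digest, indicators=SUNBURST_SUPERNOVA_SHA256):
    """(family, role) if the SHA256 is a known SUNBURST/SUPERNOVA artifact, else None.
    Hash rather than trust the signature: the backdoored DLL is validly signed by SolarWinds."""
    return indicators.get(digest.lower())

def hunt_files(root):
    """Walk `root` (e.g. the Orion install directory); return (path, family, role) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hit = match_digest(sha256_of_file(path))
            if hit:
                hits.append((path,) + hit)
    return hits

_QUERY = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.-]+)")

def hunt_dns(lines, parent=DGA_PARENT):
    """Return queried names equal to the DGA parent domain or any subdomain of it."""
    found = []
    for m in filter(None, map(_QUERY.search, lines)):
        qname = m.group("qname").lower().rstrip(".")
        if qname == parent or qname.endswith("." + parent):
            found.append(qname)
    return found

SAMPLE_DNS_LOG = [  # constructed BIND-style resolver lines, not real telemetry
    "14-Dec-2020 09:12:01 client 10.0.0.5#53120: query: www.example.com IN A +",
    "14-Dec-2020 09:12:04 client 10.0.0.7#51133: query: k3xwconstructed.avsvmcloud.com IN A +",
    "14-Dec-2020 09:12:09 client 10.0.0.9#49822: query: avsvmcloud.com.example.net IN A +",
]
```

Only the second sample line is reported: the third ends in `example.net` and is excluded by the dot-prefixed suffix check, which avoids look-alike false positives.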

References

  1. I. Alonzo, “US Treasury, NTIA Hacked—Russia’s APT29 ‘Cozy Bear’ Breaches e-mails and MORE!,” Tech Times, Dec. 13, 2020. https://www.techtimes.com/articles/255007/20201213/treasury-ntia-hacked—russias-apt29-cozy-bear-breaches-e-mails-more.htm (accessed Dec. 14, 2020).
  2. F. Bajak and M. O'Brien (AP), "US agencies hacked in monthslong global cyberspying campaign," Washington Post.
  3. “Security Advisory | SolarWinds.” https://webcache.googleusercontent.com/search?q=cache:https://www.solarwinds.com/securityadvisory&strip=0&vwsrc=0 (accessed Dec. 14, 2020).
  4. “Behavior:Win32/Solorigate.C!dha threat description - Microsoft Security Intelligence.” https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132 (accessed Dec. 14, 2020).
  5. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” FireEye. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html (accessed Dec. 14, 2020).
  6. "cyber.dhs.gov - Emergency Directive 21-01." https://cyber.dhs.gov/ed/21-01/ (accessed Dec. 14, 2020).

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
