SolarWinds has issued a security advisory urging customers to update to version 2020.2.1 HF 1 of its Orion Platform. It will release a further hotfix, 2020.2.1 HF 2, on Tuesday, December 15th. The advisory comes as cybersecurity company FireEye publishes its threat research on the Sunburst backdoor.
The backdoor is believed to have been the route into FireEye in the breach it announced last week. It is also suspected of being behind the breach of several US Government departments, a story that began to break on Sunday night via Reuters (subscription required).
How is SolarWinds involved?
According to FireEye: “SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.”
According to the FireEye report, Sunburst is distributed through the SolarWinds update process. The supply chain attack allowed the attackers to push malicious updates to SolarWinds customers through the vendor's own channel. Because the trojanised component carried a valid SolarWinds digital signature, a signature check on the update would have passed, and customers had no reason to distrust it. FireEye puts the original compromise in Spring 2020, with several trojanised updates digitally signed and sent to customers between March and May 2020. Importantly, FireEye describes the attack as ongoing, which means there may be other malicious updates not yet detected.
One candidate that has been raised as the entry point is CVE-2020-13912, published on June 7th, which reads: “SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file.” That CVE, however, concerns a different SolarWinds product, and a world-writable executable on an endpoint is a different weakness from a backdoor built into a signed Orion component and shipped through the vendor's update channel. Nothing in the FireEye report links the two, so how the attackers got into SolarWinds' build or release process remains an open question.
FireEye reports that once installed, Sunburst stays dormant for up to two weeks before it contacts its command-and-control infrastructure. FireEye does not say why. The usual reading of such a delay is that it defeats sandboxes and automated analysis, which rarely observe a sample for that long, and separates the backdoor's first network activity in time from the update that installed it, so the two are harder to correlate. After that, FireEye says:
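The first check a customer will want is whether the named DLL on their Orion servers is one of the trojanised builds. The following is an added example, not code from the FireEye report or from SolarWinds: it finds every copy of the DLL under a directory tree (stale copies in backup and hotfix folders included), hashes each one, and compares the hashes against a caller-supplied set of known-bad SHA-256 values. No indicator values are embedded; `known_bad` must come from the published indicators. The `demo()` function runs the triage over a constructed temporary directory containing placeholder files, not real Orion binaries.

```python
"""Inventory copies of the Orion BusinessLayer DLL and compare their hashes
against a caller-supplied list of known-bad SHA-256 values (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# FireEye names this component as the trojanised one. The match is
# case-insensitive because Windows file names are.
TARGET_NAME = "solarwinds.orion.core.businesslayer.dll"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large DLL is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_business_layer_dlls(root: Path):
    """Yield every copy of the DLL under root, not just the one currently
    loaded: installers and hotfixes can leave older copies behind."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_NAME:
                yield Path(dirpath) / name


def triage(root, known_bad):
    """Return one record per copy found: path, sha256 and a verdict.

    known_bad is a set of SHA-256 hex strings taken from the published
    indicators (none are embedded here). A copy whose hash is not on the list
    is reported as 'unverified' rather than 'clean', because further malicious
    updates may not yet be known.
    """
    known_bad = {h.lower() for h in known_bad}
    records = []
    for dll in find_business_layer_dlls(Path(root)):
        digest = sha256_of(dll)
        verdict = "KNOWN_BAD" if digest in known_bad else "unverified"
        records.append({"path": str(dll), "sha256": digest, "verdict": verdict})
    return records


def demo():
    """Constructed fixture (placeholder bytes, not real Orion files): two copies
    of the DLL name in a temporary tree, one of which is declared known-bad by
    hashing it. Returns the triage records sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        loaded = root / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        stale = root / "Orion" / "hotfix-backup" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        loaded.parent.mkdir(parents=True)
        stale.parent.mkdir(parents=True)
        loaded.write_bytes(b"constructed placeholder for the currently installed DLL")
        stale.write_bytes(b"constructed placeholder for a stale copy in a backup folder")
        # Pretend the stale copy's hash is on the indicator list.
        known_bad = {sha256_of(stale)}
        return sorted(triage(root, known_bad), key=lambda r: r["path"])


if __name__ == "__main__":
    for rec in demo():
        print(rec["verdict"], rec["sha256"], rec["path"])
```

Run `triage(r"C:\Program Files (x86)\SolarWinds", known_bad)` on a real server with the published hashes; a "KNOWN_BAD" hit says the backdoor was present, an "unverified" result says only that this particular copy is not on the list yet.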
“It retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plug-in configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
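Because the traffic is plain HTTP to third-party servers dressed up as OIP telemetry, inspecting payloads is unreliable; what does stand out is an Orion server talking to anything other than the vendor. The following is an added example, not FireEye's or SolarWinds' code: it runs a destination baseline over a constructed proxy log in a simplified format. The Orion server address `10.20.0.15`, the allow-listed suffix `.solarwinds.com` and the destination `updates.example-cdn.net` are all assumptions for the example; a real environment supplies its own server list and baseline.

```python
"""Flag outbound HTTP from Orion servers to destinations outside the vendor
allow list (added example, constructed data)."""
from collections import defaultdict

# Constructed sample in a simplified proxy-log format, not a real capture:
# "<timestamp> <client_ip> <method> <host> <status>"
SAMPLE_LOG = """\
2020-12-13T02:15:01Z 10.20.0.15 POST downloads.solarwinds.com 200
2020-12-13T02:15:09Z 10.20.0.15 GET api.solarwinds.com 200
2020-12-13T02:16:44Z 10.20.0.15 GET updates.example-cdn.net 200
2020-12-13T02:17:02Z 10.20.0.15 POST updates.example-cdn.net 200
2020-12-13T02:18:30Z 10.20.0.90 GET updates.example-cdn.net 200
2020-12-13T02:19:12Z 10.20.0.15 GET broken
"""

# Hosts that run the Orion Platform (assumption: the operator supplies this).
ORION_SERVERS = {"10.20.0.15"}

# Destinations an Orion server is expected to reach. The suffix is an assumption
# for the example; the real list comes from the environment's own baseline.
ALLOWED_SUFFIXES = (".solarwinds.com",)


def parse_line(line):
    """Return a record dict, or None for a line that does not have five fields."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, host, status = parts
    return {"ts": ts, "src": src, "method": method,
            "host": host.lower(), "status": status}


def is_allowed(host):
    """True when host is an allow-listed domain or a subdomain of one."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_SUFFIXES)


def detect(log_text, orion_servers=ORION_SERVERS):
    """Return {(src, host): [timestamps]} for traffic from Orion servers to
    hosts outside the allow list. Other clients are ignored on purpose: the
    question is what the servers that took the trojanised update talk to."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in orion_servers:
            continue
        if not is_allowed(rec["host"]):
            hits[(rec["src"], rec["host"])].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for (src, host), when in detect(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {len(when)} request(s), first at {when[0]}")
```

Because the backdoor can sit dormant for up to two weeks, the baseline has to be run over logs reaching back to the update that installed it, not just the last few days; a quiet week after patching proves nothing.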
One question that will now need answering is why SolarWinds did not detect and remediate this sooner.
Who is affected by Sunburst?
Anyone who uses the SolarWinds Orion Platform, and in particular anyone who took Orion updates in the March-to-May window FireEye describes; until the investigation is complete, every Orion customer should assume exposure. On its website, SolarWinds has a partial listing of 98 customers and says its full user base includes:
- More than 425 of the US Fortune 500
- All ten of the top ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide
This size of customer base means the impact of this attack will not be known for some time: each of these organisations has to start and conclude its own investigation. One company that has already reacted is Microsoft, which has issued a definitions update for Microsoft Defender to detect the trojanised Orion DLL. An anti-virus detection tells a customer that the backdoor was present; it does not tell them what the attackers did with it, and that is what the investigations have to establish.
Enterprise Times: What does this mean?
When FireEye was breached last week, it said it was the victim of a highly sophisticated state-sponsored attacker. In statements from various people linked to both the FireEye breach and the overnight SolarWinds announcement, it is believed that the attackers are Russian. Whether they are an offshoot of an existing group, a collaboration between existing groups or part of a Russian state intelligence service is not yet clear. They do at least have a name: UNC2452, FireEye's designation for an "uncategorised" cluster of activity that it has not yet attributed to a known group.
This is the first real data on the FireEye attack and what may actually have happened. Other US publications have now followed up Reuters' reporting. The general implication is that the Orion backdoor was the foothold the attackers wanted, and that from there they deployed further tools to gather the data that was then exfiltrated.
One part of that reporting is the claim that the attackers were able to monitor staff emails at the National Telecommunications and Information Administration (NTIA), by gaining access to the Microsoft Office 365 environment the NTIA uses. If confirmed, and at present Microsoft is declining to comment, the attackers will have had access to a huge trove of data.
For now, SolarWinds customers need to update urgently; it does not matter that a further hotfix will drop tomorrow. Patching removes the backdoored component, but not any access the attackers already gained through it. FireEye's report also recommends isolating Orion servers, blocking their outbound Internet access where possible, and changing the passwords of accounts that have access to those servers. The attackers are likely to respond to this weekend's disclosures with a renewed effort to embed themselves before systems are patched.