December 15, 2020 By BlueAlly
As many as 300,000 businesses, organizations and government agencies could be at risk of compromise due to an attack exploiting vulnerabilities in SolarWinds’ Orion products. The threat actor behind the attack is believed to be APT29 (aka Cozy Bear), which primarily leverages a malware called SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform, an enterprise-grade IT monitoring solution.
SolarWinds confirmed the attack and has been providing routine updates to the situation.
According to Reuters, sources say the breaches are connected to a broad campaign that also involved the recently disclosed hack on U.S. cybersecurity company FireEye, whose customers include both government and commercial entities.
On Dec. 13, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that malicious threat actors have been and are actively exploiting these vulnerabilities. Determining that the exploitation of SolarWinds products “poses an unacceptable risk,” CISA has issued an emergency directive instructing all federal agencies to disconnect affected devices immediately.
“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” the directive stated.
Both SolarWinds and the CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.
According to SolarWinds, its federal customers include all branches of the U.S. military, the Pentagon, the State Department, the National Security Agency, the Department of Justice and the Office of the President of the United States.
But its customer list also includes more than 425 of the U.S. Fortune 500, the top 10 U.S. telecom companies and the top five U.S. accounting firms. SonicWall has confirmed it is not using a vulnerable SolarWinds Orion product and is not impacted by this threat.
What is SUNBURST?
FireEye says these attacks have already been observed worldwide, targeting government entities, technology companies, telecoms and consulting firms in North America, Europe, Asia and the Middle East — and it expects there are additional victims across other industries and countries.
The threat actor leverages a malware commonly called SUNBURST in what’s known as a manual supply-chain attack.
According to FireEye, the threat actor was able to hide malicious code in software updates provided to Orion customers, and through these trojanized updates, gain a foothold in the network through which to gain elevated credentials. Once the group has gained initial access, the company said, it uses various techniques to disguise their operations as they move laterally and exfiltrate data.
Which SolarWinds customers are impacted?
SolarWinds has asked impacted customers using Orion versions 2019.4 through 2020.2 HF1 to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1.
An additional hotfix release, 2020.2.1 HF2, is anticipated to be made available on Dec. 15 that will both replace the compromised component and provide several additional security enhancements. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.
SonicWall helps mitigate malicious activity against SolarWinds Orion
SonicWall Capture Labs threat researchers have investigated the vulnerability and published four Intrusion Prevention Signatures (IPS) that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect and notify administrators if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions:
- 15292: BACKDOOR SolarWinds Supply Chain Malware Activity 1
- 15293: BACKDOOR SolarWinds Supply Chain Malware Activity 2
- 15294: BACKDOOR SolarWinds Supply Chain Malware Activity 3
- 15295: BACKDOOR SolarWinds Supply Chain Malware Activity 4
- 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
- 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)
SonicWall products and real-time security services can help organizations identify SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.
To verify you have the latest SonicWall IPS, please follow the steps in this knowledgebase (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/