SolarWinds Orion: Fixes Aim to Block Sunburst and SupernovaBoth Strains of Malware Among Multiple Tactics Being Used by Supply Chain Attackers
Security software vendor SolarWinds has updated multiple versions of its Orion network monitoring platform to remove the Sunburst backdoor that was added to its code as part of a massive supply chain attack. The updates also block Supernova malware that attackers installed by exploiting a flaw in Orion. But incident response experts have warned that full cleanup may take years.
"SolarWinds asks all Orion platform customers to update their Orion platform software as soon as possible to help ensure the security of your environment," the company said in a recently issued security advisory.
SolarWinds says that nearly 18,000 of its customers may have been running a Trojanized version of Orion, which it inadvertently issued from March through June. The backdoor was found and first detailed publicly on Dec. 13 by cybersecurity firm FireEye, which itself was a victim of the attacks (see: SolarWinds Attack: 'This Hit the Security Community Hard').
The updated Orion software includes hotfixes that the company says are designed to protect against both the Sunburst backdoor that was added to its Orion software, as well as newly disclosed malware called Supernova, which was deployed after attackers targeted flaws in the Orion software.
SolarWinds says the Sunburst backdoor was inserted into the following versions of Orion:
- 2019.4 HF 5
- 2020.2 - with no hotfix installed
- 2020.2 HF 1
SolarWinds says these versions of Orion have been designed to protect customers against both Sunburst and Supernova:
- 2019.4 HF 6 - released Dec. 14
- 2020.2.1 HF 2 - released Dec. 15
- 2019.2 Supernova patch - released Dec. 23
- 2018.4 Supernova patch - released Dec. 23
- 2018.2 Supernova patch - released Dec. 23
"You only need to upgrade if you're running one of the impacted versions," says Kevin Thompson, president and CEO of SolarWinds, in a video message to customers. "Our support organization is ready to assist you as we continue to work through this incident."
SolarWinds says that it first learned that its Orion software had been subverted on Dec. 12, after a tipoff from FireEye. "The vulnerability was not evident in the Orion Platform products’ source code but appears to have been inserted during the Orion software build process," the company says in an 8-K filing to the U.S. Securities and Exchange Commission.
"We swiftly released hotfix updates to impacted customers that we believe will close the code vulnerability when implemented," SolarWinds says. "These updates were made available to all customers we believe to have been impacted, regardless of their current maintenance status. We have reached out and spoken to thousands of customers and partners in the past few days, and we will continue to be in constant communication with our customers and partners to provide timely information, answer questions and assist with upgrades."
'Malicious Cloud Access'
The U.S. National Security Agency has warned that the group behind the Orion supply chain attack has been using a variety of tactics to access victims' systems, including stealing Azure Active Directory credentials and access tokens.
"Initial access can be established through a number of means, including known and unknown vulnerabilities," the NSA says. "The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access."
Another method was the Supernova malware, which is comprised of two components: "A malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the Orion platform," together with an Orion exploit, which enables attackers to place the malicious DLL on a victim's system, SolarWinds says.
"The latest updates were designed to remediate this vulnerability in all supported versions of the Orion platform," the company adds. For anyone unable to immediately update to a patched version, the company has also released a script, available via its security advisory, "that customers can install to temporarily protect their environment against the Supernova malware."
Using Sunburst, attackers in some cases then installed Teardrop, which they could use to push additional malware to systems, exfiltrate data and more. FireEye estimates that attackers likely only focused on about 50 high-value targets.
Separately, Microsoft says that, as part of its investigation into the supply chain attack, it's identified 40 of its own customers who appear to have been victims of a second-stage attack.
"We've been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation-state. But we have not independently verified the identity of the attacker," SolarWinds' Thompson says.
Microsoft, FireEye and domain registrar GoDaddy on Dec. 16 reported that they had successfully blocked attackers' access to at least some endpoints running Trojanized versions of Orion, after they seized a command-and-control domain used by the malware and sinkholed it.
Using a tool built by Chinese firm RedDrip Team, security researchers have been able to crack domain name system logs recovered from some command-and-control - aka C2 - servers to identify some organizations that were subject to first-stage attacks.
Those organizations include technology giants Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations, among many others.
The U.S. government is a large SolarWinds customer, and the National Institutes of Health, as well as the Commerce, Homeland Security, State and Energy departments, reportedly were running Trojanized versions of Orion.
Another victim was the Treasury Department, with one lawmaker reporting that it suffered a "significant" breach starting in July, involving attackers compromising at least dozens of the Treasury's Office 365 email inboxes.
Attackers Targeted CrowdStrike
Also targeted was CrowdStrike, which says it was warned by Microsoft on Dec. 15 that infrastructure used by one of its resellers, who manages CrowdStrike’s Microsoft Office licenses, was found to have been "making abnormal calls to Microsoft cloud APIs during a 17-hour period, several months ago," and that there had also been an attempt to read CrowdStrike's email, which appeared to have failed. "As part of our secure IT architecture, CrowdStrike does not use Office 365 email," the company says, noting that both Microsoft's and its own investigation found no signs that CrowdStrike's environment had been breached.
While CrowdStrike has not attempted to attribute the attempted hacking, multiple experts say it appears to be part of the Orion supply chain attack (see: Microsoft Warned CrowdStrike of Possible Hacking Attempt).
More recently, CrowdStrike has released a free tool, CrowdStrike Reporting Tool for Azure, which it says "will help organizations quickly and easily review excessive permissions in their Azure Active Directory environments, help determine configuration weaknesses, and provide advice to mitigate risk." It says the tool can be used to help identify any and all third parties with access to an organization's Azure environment, so that access can be locked down.
"It is critical to ensure you review your partner/reseller access, and you mandate multi-factor authentication for your partner tenant if you determine it has not been configured," CrowdStrike says. "One of the reasons why these attack vectors are so difficult to mitigate is the inherent complexities that organizations face with federated SSO (single sign-on) infrastructure and in managing Azure tenants."
CISA's cloud forensics team has also released a free PowerShell tool, called "Sparrow.ps1," designed to help incident responders detect what it calls "unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment," tied to this particular attack campaign.
FireEye says that the first stage of the Sunburst attack involved the malware encrypting the victim's Active Directory domain names and then routing them to attackers.
"This means that any system where the backdoor is present may have started trying to contact DNS servers where an attacker could then activate the backdoor to begin active C2 communications," FireEye says in a Thursday blog post. "In most cases this did not occur and backdoors for non-targets were disabled by the operator."
While the C2 communications have now been sinkholed, for up to nine months prior, attackers could have already used Sunburst to gain access to endpoints and to create alternate methods of connecting to victims' systems.
Serious Incident Response Challenge
Because attackers may have enjoyed complete access to victims' networks, incident response experts say cleanup efforts may be substantial. In particular, victims "may need to rebuild all network assets" being monitored by the software, the U.S. Cybersecurity and Infrastructure Security Agency warns.
"Don’t leave any stone unturned," Sean Koessel, head of professional services at memory forensics firm Volexity, told Reuters.
“I could easily see it taking half a year or more to figure out - if not into the years for some of these organizations,” Koessel said.
Earlier this month, Volexity detailed a long-running attack campaign against an unnamed U.S. think tank, which it said was targeted with three waves of attacks by the same attack group, with the third wave involving Sunburst.
Officials Blame Moscow
U.S. Secretary of State Mike Pompeo and recently retired Attorney General Bill Barr have suggested that Russia is responsible for the supply chain attack, with multiple other experts pointing to its foreign intelligence service, or SVR, as the mostly likely culprit. No evidence has been published to back up those assertions.
"The question I think we still don't have all the answers to is: Who was their target group?" says retired Gen. Keith Alexander, president of IronNet Cybersecurity, who previously directed the NSA and U.S. Cyber Command.
Moscow denies any involvement.
SolarWinds Promises Security Overhaul
Following the attacks, SolarWinds says it's brought in numerous experts to help shore up its systems and adopted CrowdStrike's Falcon Endpoint Protection Platform "across the endpoints on our systems."
SolarWinds' CEO says his company has also been sharing information with security researchers since the attack was discovered.
"We shared all of our proprietary code libraries that we believed to have been affected by Sunburst to give security professionals the information they needed to do their research," Thompson says. "We also have had numerous conversations with security professionals to further assist them in their research."
SolarWinds' stock value is down 35% since the beginning of the month. Even so, few companies that get breached suffer any long-term consequences (see: Cynic's Guide to the Equifax Breach: Nothing Will Change).