Yesterday, news broke about active exploitation of the SolarWinds Orion software. Edafio is monitoring the threat, and we have contacted the clients running SolarWinds Orion to begin mitigation and further investigation.
What happened
An advanced attacker slipped malicious code into an update of the widely used IT monitoring software “SolarWinds Orion” last March. When customers downloaded and applied this update, the malicious software was installed along with it. Once installed, it stayed quiet for a while and then discreetly began to investigate the network and call home for further instructions. The malicious software could steal credentials and data and provide system access. While this happened back in the spring, it was only recently discovered, so anyone who was compromised has had this advanced attacker in their systems for months.
The news broke via an excellent investigation and disclosure from FireEye:
FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.
Recommendations
We echo the CISA Emergency Directive that the best course of action is to disconnect or power off Orion servers.
If this is not feasible, you should isolate the servers and significantly restrict network traffic while waiting for SolarWinds hotfixes to be issued.
Regardless, these actions only address the attack vector. Further investigation into account activity and network traffic will still be needed to determine whether an environment was actively compromised.
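If an Orion server cannot be powered off, the isolation step above can be applied on the host itself with the built-in Windows Defender Firewall. The following is an added example written for this post, not Edafio's or SolarWinds' own tooling; the management subnet and the IR-Isolate rule names are assumptions, and it assumes the server has a static IP address (it disables the built-in DHCP rules along with everything else).

```powershell
# Added example: host-level isolation of a SolarWinds Orion server while waiting
# for hotfixes and investigation. Run from an elevated PowerShell on the Orion host.

$ManagementSubnet = '10.0.50.0/24'   # ASSUMPTION: replace with your admin / IR jump network

# 1. Default-deny in both directions on every firewall profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Disable every pre-existing rule so built-in allow rules (file sharing,
#    core networking, etc.) cannot punch through the default-deny.
Get-NetFirewallRule | Where-Object { $_.DisplayName -notlike 'IR-Isolate*' } |
    Disable-NetFirewallRule

# 3. Re-allow only the management subnet so responders keep RDP / WinRM access
#    and can collect evidence from the host.
New-NetFirewallRule -DisplayName 'IR-Isolate: allow mgmt in'  -Direction Inbound  `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'IR-Isolate: allow mgmt out' -Direction Outbound `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Any

# 4. Verify the result: every profile should report Block / Block, and the only
#    enabled rules should be the two IR-Isolate rules scoped to the management subnet.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Enabled True |
    Select-Object DisplayName, Direction, Action
Get-NetFirewallRule -DisplayName 'IR-Isolate*' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Leave the host in this state until the SolarWinds hotfix has been applied and the account and network-traffic review described above is complete; removing the two IR-Isolate rules and re-enabling the original rule set restores normal connectivity.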
Please review the following links for more information. If, after reading these links, you have any questions or concerns, please contact our Edafio NOC or your Account Manager.
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- SolarWinds Security Advisory
- Microsoft Customer Guidance on Recent Nation-State Cyber Attacks