In what may well turn out to be one of the most significant supply-chain attacks in recent years, a likely nation-state backed group compromised systems at SolarWinds and inserted malware into updates of the company's widely used Orion network management products that were released between March and June 2020.
In total, about 33,000 of SolarWinds' 300,000 customers — which include numerous government agencies, 499 of the Fortune 500 companies, and over 22,000 managed service providers — could have potentially received the compromised software updates. Some 18,000 organizations worldwide may have actually installed the poisoned software on their systems, SolarWinds said in a SEC filing Monday.
The filing suggested that attackers might have initially broken into SolarWinds' systems by compromising the company's emails and using that to access other data in its Microsoft Office 365 environment.
Victims of the massive breach are believed to include the US Treasury Department, the National Telecommunications and Infrastructure Administration, and security vendor FireEye, which last week disclosed a breach involving the theft of the company's red team tools.
In a measure of the widespread concern the breach has stoked, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive Sunday urging all federal civilian agencies using SolarWinds' Orion products to immediately power down or disconnect the technology. The Emergency Directive, only the fifth since 2015, described the SolarWinds compromise as posing an unacceptable risk to the security of federal networks. It ordered all federal civilian agencies to provide a report to CISA no later than 12:00 p.m. Eastern Standard Time Monday showing that they had shut down the SolarWinds Orion technology on their networks.
In a security advisory, SolarWinds said software builds for versions 2019.4 HF 5 through 2020.1.1 of its Orion Platform released between March and June this year were impacted in the breach. The company asked its customers to immediately upgrade to Orion Platform version 2020.2.1 HF 1 where possible. An additional hotfix will likely be released on Dec 15, 2020, and the company released guidelines for organizations that cannot immediately apply the update.
"Infecting the legitimate software updates of a widely used vendor can be an effective way to covertly inject malware into a large number of organizations," says Hank Schless, senior manager of security solutions at Lookout. "If successful, this form of supply chain attack can be used to attack an entire industry in one swoop."
SolarWinds' recommendations for those who cannot immediately update are: ensure the Orion platform is installed behind firewalls, disable Internet access to the platform, and limit port access to only what is strictly necessary.
In its security advisory, FireEye described several methods organizations can use to detect post-compromise activity on their networks. These include querying Internet-wide scan data for malicious IP addresses that might be masquerading as an organization's legitimate IP addresses, and geolocating IP addresses that are used for remote access, which can identify compromised accounts that are being used from different locations. The security vendor also recommended that organizations "use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts."
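As an added example, not code from the article or from FireEye, the two logon heuristics described above (an account authenticating from different locations in a short window, and one source system authenticating as many accounts) implemented in Python over a constructed set of logon records. The hostnames, accounts, countries, the one-hour window and the three-account threshold are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real data): timestamp, account, source host, geolocated country.
SAMPLE_LOGONS = """\
2020-12-14T08:01:00 alice ws-alice US
2020-12-14T08:05:00 alice vpn-gw RU
2020-12-14T08:10:00 bob ws-bob US
2020-12-14T09:00:00 svc-orion orion-srv US
2020-12-14T09:02:00 admin-1 orion-srv US
2020-12-14T09:03:00 admin-2 orion-srv US
2020-12-14T09:04:00 dba-1 orion-srv US
2020-12-14T10:00:00 bob ws-bob US
"""

def parse_logons(text):
    """Parse whitespace-separated logon lines into (timestamp, account, host, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, host, country = line.split()
        events.append((datetime.fromisoformat(ts), account, host, country))
    return events

def accounts_from_multiple_locations(events, window=timedelta(hours=1)):
    """Accounts whose logons come from different countries within `window` (assumed: one hour)."""
    by_account = defaultdict(list)
    for ts, account, _host, country in events:
        by_account[account].append((ts, country))
    flagged = {}
    for account, seen in by_account.items():
        seen.sort()  # chronological, so the inner loop can stop once the window is exceeded
        for i, (t1, c1) in enumerate(seen):
            for t2, c2 in seen[i + 1:]:
                if t2 - t1 > window:
                    break
                if c1 != c2:
                    flagged.setdefault(account, set()).update({c1, c2})
    return {a: sorted(c) for a, c in flagged.items()}

def one_to_many_sources(events, threshold=3):
    """Source hosts that authenticate as at least `threshold` distinct accounts (assumed: three)."""
    accounts_by_host = defaultdict(set)
    for _ts, account, host, _country in events:
        accounts_by_host[host].add(account)
    return {h: sorted(a) for h, a in accounts_by_host.items() if len(a) >= threshold}

if __name__ == "__main__":
    logons = parse_logons(SAMPLE_LOGONS)
    print("multi-location accounts:", accounts_from_multiple_locations(logons))
    print("one-to-many source hosts:", one_to_many_sources(logons))
```

In a real deployment the country column would come from a geolocation lookup on the remote-access IP, and both thresholds should be tuned against the organization's own baseline of legitimate administrative activity.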
FireEye, which discovered the breach, said the actors behind it, tracked as UNC2452, had trojanized SolarWinds' Orion business software updates to distribute malware FireEye has dubbed SUNBURST. Ben Read, senior manager of analysis at FireEye's Mandiant group, says UNC2452 is a distinct threat group that is not linked to any other tracked group at this time. The backdoor itself exists in a digitally signed component of the Orion software framework and is designed to communicate via HTTP to attacker-controlled servers.
According to FireEye, once installed on a system via the SolarWinds update, the malware lies dormant for up to two weeks before it begins retrieving and executing commands. Its capabilities include the ability to transfer and execute files, profile systems, disable system services, and reboot an infected system.
"The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity," FireEye said. The malware uses multiple techniques to identify anti-virus and other malware detection tools.
FireEye CEO Kevin Mandia described the campaign as likely the work of a sophisticated state-sponsored threat actor with top-tier resourcing and operational skills. Some within the industry have pointed to Russian intelligence agencies as being behind the attacks.
The attackers appear to have gone to significant lengths to observe traffic on victim networks and to blend signs of their own activity into normal network activity, Mandia said in a blog. The security vendor has released indicators of compromise and signatures for detecting SUNBURST threat activity on its public GitHub page.
Matt Walmsley, EMEA director at Vectra, says the attackers likely manipulated Security Assertion Markup Language (SAML) authentication tokens used in single sign-on to try to escalate privileges in the early stages of the campaign. They could then have used the illicitly gained privileges to move to SolarWinds' Microsoft 365 instance and use the built-in tools there to set up new privileged accounts, define email routing rules, conduct reconnaissance, gather data from SharePoint and OneDrive repositories, and set up automated workflows for running such malicious activities autonomously.
"IT administrators and security teams have access to highly privileged credentials as part of their legitimate work," Walmsley says. "Attacking the digital supply chain of their software tools is an attempt to gain penetration and persistence right at the heart of their operations."
The SolarWinds breach is not the first time that attackers have broken into a technology vendor's software update servers and used them to distribute malware. In 2018, attackers behind a malware campaign dubbed Operation ShadowHammer broke into one such server belonging to Taiwanese hardware maker ASUS and used their access to distribute malware disguised as legitimate software updates to ASUS customers that had enabled automatic updates. Security vendor Kaspersky disclosed the breach in March 2019 and described it as impacting hundreds of thousands of ASUS users, though it actually targeted only a very small percentage of them.
Security experts consider such attacks particularly dangerous because organizations often tend to treat patches, software updates, and other products from their technology vendors as trusted and secure. Very few actually go through the extra step of vetting updates or products from their trusted vendors for security issues, though experts have long cautioned they should.
Ayal Yogev, CEO of Anjuna Security, says the targeting of SolarWinds' Orion technology is significant because hundreds of thousands of organizations in government, banking, healthcare, and other critical industries use it to monitor their networks.
"The technology is typically bought by network managers, and in many cases may be purchased online at a price that does not require standard software procurement practices," Yogev says.
In fact, many organizations may not even realize they have it, he says.
"The good news is that SolarWinds does not directly contain confidential information," he says. "The bad news is that it provides a map to many components in an enterprise that may have vulnerabilities."