Dark Reading is part of the Informa Tech Division of Informa PLC

Concerns Run High as More Details of SolarWinds Hack Emerge

Enterprises running company's Orion network management software should assume compromise and respond accordingly, security experts say.

News this week about a likely Russia-based threat actor infecting thousands of organizations with malware, delivered through seemingly legitimate updates to SolarWinds' Orion network management product, has stoked broad concerns across many fronts.

The concerns are particularly high because victims of the campaign reportedly include the US Treasury Department, the Department of Homeland Security, the State Department, the Justice Department, and potentially entities from all five branches of the US military. Among others believed affected are numerous Fortune 500 companies — SolarWinds counts 499 of them as its customers.

Security vendor FireEye uncovered the SolarWinds campaign when investigating a breach of its own network recently that resulted in several of its offensive hacking tools being stolen. As expected, the targeted attack has once again focused attention on the long-standing issue of supply chain and third-party security. It has also raised alarm about the extent to which Russian advanced persistent threat (APT) actors and threat actors from other countries may have insinuated themselves into, and are lurking on, US critical infrastructure and networks, ready to activate at a moment's notice.

Broad Impact
Network management products like Orion "have wide-ranging visibility and permissions across networked devices," says Mark Carrigan, chief operating officer at industrial security vendor PAS Global.

In the industrial sector, hackers may be able to leverage the technology to gain access to business-critical industrial control system environments and move laterally across networked systems in order to steal data on industrial processes, chemical formulas, and other sensitive data.

Attackers could use their access to disrupt operations, causing production stoppages or, worse, safety and environmental incidents, Carrigan says. "Given the attribution of the attack to an advanced persistent threat backed by a major nation-state, it is likely that the hackers would have access to the necessary knowledge of industrial control system environments to exploit common 'insecure by design' practices," he warns.

FireEye says its investigation shows the threat actor, which it's tracking as UNC2452, inserted a backdoor dubbed SUNBURST into a digitally signed component of SolarWinds' Orion network management product. The malware was concealed in legitimate updates to Orion that SolarWinds distributed between March and June of this year.

SolarWinds says its investigation shows the updates were sent to about 33,000 of its approximately 300,000 customers worldwide. Some 18,000 of them downloaded the software, but it remains unclear how many of those organizations were actually targeted. The vendor released a patched version of its affected software on Monday and said an additional hotfix would be released on Dec. 15. However, as of late afternoon Dec. 15, that hotfix doesn't appear to have been released.

FireEye's analysis of post-compromise activity showed that the SUNBURST malware lies dormant on victim systems for two weeks while it profiles the network and looks for malware detection mechanisms. Once active, the malware — which is actually a dropper — reaches out to remote, attacker-controlled systems to download additional payloads, one of which is Cobalt Strike's Beacon agent. Malware traffic is designed to blend in with legitimate SolarWinds activity, and the code itself hides in plain sight by using fake names and tying into legitimate components, FireEye says.

The Unknown Threat Actor
The security vendor has described UNC2452 as a threat actor that it has not encountered previously. FireEye has released indicators of compromise (IoCs) and signatures so organizations can detect the threat. But so far it has not, publicly at least, attributed the attack to any specific nation-state sponsor. Numerous media reports, however, have pinned the campaign on APT29, or Cozy Bear, a group thought to be associated with Russia's intelligence apparatus.

Paul Prudhomme, cyber-threat intelligence analyst at IntSights, says his firm has so far not been able to corroborate or independently verify the claimed attribution to state-sponsored Russian cyber-espionage groups. "But we do nonetheless find the claim credible and worthy of further consideration," he says.

The campaign is consistent with what IntSights has observed with state-sponsored Russian actors, including the targeting of the US government, the tight operational security, and the generally high level of sophistication and tradecraft involved. At the same time, "technology supply chain compromises of this kind are more typical of Chinese cyber-espionage groups than their Russian counterparts," Prudhomme says.

Meanwhile, security vendor Volexity said Monday that its analysis of the tactics, techniques, and procedures (TTPs) that FireEye released suggests the threat actor is a group that Volexity previously tracked as "Dark Halo." In a blog post, Volexity researchers described Dark Halo as a group they encountered while investigating three separate incidents at a US-based think tank in late 2019 and early this year. Volexity said it found multiple backdoors, malware implants, and tools that allowed Dark Halo to remain undetected on the think tank's network for multiple years.

Recommended Response
Security researchers this week stressed that just because an organization might have received tainted updates doesn't mean it was targeted. Even so, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to forensically image system memory and analyze stored network traffic for IoCs.

It has also ordered all agencies to disconnect and power down Orion instances, block traffic to and from hosts running any version of SolarWinds, and look for and remove threat actor-controlled accounts and persistence mechanisms. "Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed," CISA has noted.

Ben Johnson, former National Security Agency analyst and CTO and co-founder of Obsidian Security, says evidence of persistence and lateral movement will vary based on an organization's specific network architecture and configuration of its SolarWinds environment. "But you should immediately be investigating any logs you have — authentication and access logs, network flow logs, and others — for the servers running the backdoored version of Orion software first."

He recommends that organizations look for evidence of the TTPs and IoCs published by other organizations that have researched this issue, such as FireEye, Volexity, and Microsoft. "Create new detection/prevention rules for these IoCs in your SIEM and other systems. Also, rotate any user or service account credentials related to SolarWinds."

In addition to looking for suspicious outbound connections, organizations should also look for malicious activity happening internally, Infocyte researchers said Monday. "For instance, FireEye also released information on SUPERNOVA, which is a custom .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler," they noted. Unlike SUNBURST, which makes outbound connections, SUPERNOVA allows inbound backdoor access to the SolarWinds management interfaces, they said.
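As an added illustration of the log triage Johnson and the Infocyte researchers describe (not code from the article or from any vendor named in it), the script below runs two checks over constructed network flow records: outbound connections from assumed Orion servers to external destinations that are not on an allowlist, and inbound connections to the Orion web port from outside an assumed admin subnet. The Orion addresses, subnets, allowlist, port and log lines are all placeholders.

```python
# Added example: triage constructed flow records for hosts running Orion.
# Check (a): Orion server -> external destination not on the allowlist
#            (SUNBURST-style beaconing that blends in with update traffic).
# Check (b): connection to the Orion web port from outside the admin subnet
#            (SUPERNOVA-style inbound web shell access).
# Every address, name and port below is an assumed placeholder.
import ipaddress

ORION_HOSTS = {"10.0.5.20", "10.0.5.21"}            # assumed Orion servers
EXPECTED_DEST = {"updates.example-vendor.test"}     # assumed allowlist
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
ADMIN_NET = ipaddress.ip_network("10.0.9.0/24")     # assumed admin subnet
MGMT_PORTS = {443}                                  # assumed Orion web port

# Constructed records: timestamp,src_ip,dst_ip,dst_name,dst_port
FLOWS = """\
2020-12-14T01:02:03Z,10.0.5.20,203.0.113.7,updates.example-vendor.test,443
2020-12-14T01:05:11Z,10.0.5.20,198.51.100.9,cdn.example-lookalike.test,443
2020-12-14T02:10:00Z,10.0.9.15,10.0.5.21,orion-web.corp.test,443
2020-12-14T02:12:30Z,10.0.7.88,10.0.5.21,orion-web.corp.test,443
2020-12-14T03:00:00Z,10.0.5.21,10.0.5.99,db.corp.test,1433
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, name, port = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst, "name": name, "port": int(port)})
    return rows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_outbound(flows):
    """Orion server talking to an external host that is not an expected destination."""
    return [f for f in flows
            if f["src"] in ORION_HOSTS and not is_internal(f["dst"])
            and f["name"] not in EXPECTED_DEST]

def suspicious_inbound(flows):
    """Access to the Orion web port from a source outside the admin subnet."""
    return [f for f in flows
            if f["dst"] in ORION_HOSTS and f["port"] in MGMT_PORTS
            and ipaddress.ip_address(f["src"]) not in ADMIN_NET]

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for f in suspicious_outbound(flows):
        print("OUTBOUND", f["ts"], f["src"], "->", f["name"], f["dst"])
    for f in suspicious_inbound(flows):
        print("INBOUND ", f["ts"], f["src"], "->", f["dst"], "port", f["port"])
```

Internal-to-internal flows from Orion servers are deliberately left to a separate review, since Orion legitimately talks to many internal hosts and lateral movement has to be judged against the site's own baseline.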

How Did SolarWinds Get Breached?
With investigations still ongoing, there is some speculation around how threat actors managed to compromise SolarWinds' environment and poison the company's software updates.

Details that SolarWinds has publicly released suggest that attackers gained access to the company's Orion software build system — or CI/CD development environment — using forged SAML authentication tokens that likely impersonated highly privileged accounts.

Statements that SolarWinds and Microsoft have released suggest that the attackers were likely able to forge the tokens by first gaining access to the former's Microsoft 365 environment through a separate on-premises compromise. According to Volexity, its previous investigations of Dark Halo showed the group to be using a sophisticated method — involving the use of a secret Outlook Web Anywhere (OWA) key — to bypass multifactor authentication. Like other security vendors, Volexity has said its investigations have so far revealed no clues to Dark Halo's origin.

The likelihood that the backdoor was inserted using a compromised build system is interesting and will be an attack vector to look out for next year, says Daniel Trauner, director of security at Axonius.

"This is yet another case showing that failing to protect a modern build system — which often has its own keys, service accounts, and other sensitive features meant to allow for fully automated deployments — can lead to a severe compromise," Trauner says. Organizations should take extra care to protect and audit the usage of any software signing keys as well, especially within a build system, where security is not always a high priority, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
