Threat actors hacked into IT company SolarWinds in order to use its software channel to push out malicious updates onto 18,000 of its Orion platform customers. This scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on software that has already been trusted and that can be widely distributed at once.
The Department of Homeland Security has issued an emergency directive to order all federal agencies to take immediate steps in putting affected SolarWinds Orion products offline and reporting back any incident by Monday.
We do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security firm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. As this story is still unfolding we will keep our customers informed of any newer developments.
Call to action
- Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
- Scan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst and Backdoor.WebShell.
- Use the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other SIEM data to give a timeline perspective to any potential intrusion.
- Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure.
- Upgrade to Orion Platform version 2020.2.1 HF 1 and restore systems once you feel confident with the previous steps.
Indicators of Compromise (IOCs)
This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.
Additional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules