The SolarWinds Orion security breach is unfolding at a rapid pace, and the number of vendors and victims continues to grow. Each day brings new revelations as to its reach and depth. Of particular concern are the rate of infection and impact on government systems.
In case you missed it, a backdoor was found in the SolarWinds Orion IT monitoring and management software. A dynamic link library called SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally-signed component of the Orion software framework, was found to contain a backdoor that communicates via HTTP to third-party servers.
After an initial dormant period of up to two weeks, the Trojan retrieves and executes commands, called jobs, that include the ability to transfer files, execute files, profile the system, reboot, and disable system services. In short, a total takeover of the machine.
The malware hides its network traffic in the Orion Improvement Program (OIP) protocol and stores its ill-gotten data within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity.
SolarWinds has said that less than 18,000 of its 300,000 customers have downloaded the Trojan, but that’s still 18,000 too many. Victims reportedly include consulting, technology, telecom, and oil and gas companies around the world as well as US government agencies, such as the Defense, Treasury, and Commerce departments.
The latest victim is Cisco Systems, which found the Orion Trojan on internal systems. “Following the SolarWinds attack announcement, Cisco Security immediately began our established incident-response processes,” the company said in a statement.
“We have isolated and removed Orion installations from a small number of lab environments and employee endpoints. At this time, there is no known impact to Cisco products, services, or to any customer data.”
FireEye and Microsoft were among the first to identify the flaw, and more security experts are digging into it due to SolarWinds’ widespread use.
One thing is for certain, the final shoe has not dropped yet. Here’s a roundup of what has emerged in the last few days.
FireEye first documented the Trojan on December 13 in a detailed writeup on the malware, saying the Orion software could have been compromised as far back as March 2020. FireEye told the security site KrebsOnSecurity that it found a domain that has since been seized by Microsoft and has been reconfigured to act as a killswitch to prevent the malware from continuing to operate in some circumstances.
“SUNBURST is the malware that was distributed through SolarWinds software. As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate,” the company said in a statement sent to me.
Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult to for the actor to leverage the previously distributed versions of SUNBURST,” it added.
Second Group Found
Microsoft announced that a second hacking group had deployed malicious code that affects the Orion software, but this malware, known to researchers as Supernova, is different from the original Trojan because it does not appear to involve a compromise of the supply chain, Microsoft said.
While Russian hackers are suspected to be behind the first Orion software Trojan, Microsoft isn’t sure who is behind this second compromise. “[T]he investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the Microsoft research team said in a blog post on Friday.
The company noted that Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines malware, even if the process is running.
They Were Warned Three Years Ago
A SolarWinds security adviser warned of security risks three years prior to the suspected hack and later quit when he felt the company wasn’t taking him seriously, according to an article published Monday by Bloomberg. Ian Thornton-Trump gave a 23-page PowerPoint presentation to three SolarWinds executives back in 2017 urging them to install a cybersecurity senior director because he thought a major breach was inevitable, the article says.
Thornton-Trump told Bloomberg he resigned from SolarWinds a month after his presentation because he claimed the company wasn’t interested in making the changes he had suggested to improve cybersecurity. “My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,” Thornton-Trump said.
The Washington Post reported last week that that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’s stock price has fallen more than 20 percent in the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales were likely to prompt an insider-trading investigation.
Private equity firms Silver Lake and Thoma Bravo, which owned three-quarters of outstanding SolarWinds shares, sold 13 million shares of stock at $21.97, worth $286 million, just one week before the disclosure of the supply-chain vulnerability. The stock closed the following Monday at $16.12. In November, outgoing SolarWinds CEO Kevin Thompson also sold more than $15 million shares, according to the Post.
“Thoma Bravo and Silver Lake were not aware of this potential cyberattack at SolarWinds prior to entering into a private placement to a single institutional investor on 12/7,” the companies said in a joint statement to the Post.