
Supply Chain Exploitation of SolarWinds Orion Software

On December 13, FireEye discovered that SolarWinds Orion products (versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1) were being exploited by malicious actors. The supply chain attack trojanized SolarWinds Orion business software updates in order to distribute malware that has been referred to as both SUNBURST and Solorigate. As far as we know at the time of publishing, this does not affect SolarWinds N-central or SolarWinds RMM.

Is This SUNBURST or Solorigate?

The answer is, well, both. The Orion update versions released between March 2020 and June 2020 have been tainted with malware, which FireEye was first to name SUNBURST. Microsoft has separately named this malware Solorigate and added detection rules to its Defender antivirus.

How the Attack Works

Here’s what it looks like from an attack chain perspective:

Why Is This Significant?

This appears to be the work of a highly skilled actor. The campaign may have begun as early as Spring 2020, and it is still ongoing.

What’s interesting is that the backdoor DLL was digitally signed by SolarWinds, so it evaded AV and most endpoint products, which trusted the valid signature. Microsoft has since removed the certificate from its trusted list, and Defender will automatically flag it as malicious.

In addition, other endpoint security tools are quickly taking action and building updates to help detect and mitigate this threat. Earlier this morning, only 1 out of 67 antivirus engines listed the SUNBURST backdoor (SolarWinds.Orion.Core.BusinessLayer.dll) as malicious.

At time of publishing, that’s up to 34 out of 70, and the number should continue to increase as more vendors add detections for this threat.
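As an added triage example (not SolarWinds', FireEye's or this post's own code), the PowerShell below locates the DLL named above on an Orion server, records its SHA256 hash, its Authenticode signer and its file version, and lists the installed Orion product version for comparison against the affected versions quoted earlier. The install path, the registry uninstall entries and the placeholder hash list are assumptions; the signature check is reported rather than trusted, because the trojanized DLL carried a valid SolarWinds signature.

```powershell
# Added triage example, not code from the original post or from SolarWinds.
# Assumptions (adjust for your environment):
#  - Orion is installed under $OrionPath (default install location assumed).
#  - Affected versions are those named in the advisory text above.
#  - $KnownBadHashes is a PLACEHOLDER; fill it from a vendor advisory you trust.
param(
    [string]$OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion'
)

$DllName          = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$AffectedVersions = @('2019.4 HF 5', '2020.2', '2020.2 HF 1')
$KnownBadHashes   = @('<SHA256-FROM-VENDOR-ADVISORY>')   # placeholder, not a real IoC

# Inventory every copy of the DLL: hash, version and signer.
$results = foreach ($dll in Get-ChildItem -Path $OrionPath -Filter $DllName -Recurse -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Path           = $dll.FullName
        FileVersion    = $dll.VersionInfo.FileVersion
        SHA256         = $hash
        SigStatus      = $sig.Status                      # 'Valid' does not mean clean here
        Signer         = $sig.SignerCertificate.Subject
        Thumbprint     = $sig.SignerCertificate.Thumbprint
        HashMatchesIoC = $KnownBadHashes -contains $hash
    }
}

$results | Format-List

# Installed Orion version from the registry uninstall entries
# (assumption: the product registers a DisplayName containing "Orion").
$installed = Get-ItemProperty `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Orion*' } |
    Select-Object DisplayName, DisplayVersion

$installed | Format-Table -AutoSize
Write-Host "Affected versions per advisory: $($AffectedVersions -join ', ')"
```

Run it on each Orion server and keep the output with the rest of the incident record: a hash match against the vendor list is the decisive indicator, while a valid signature on its own tells you nothing about whether the build was trojanized.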

Mitigation Steps:

Where Can I Learn More?

Here are some resources we recommend reading:

Last modified on Tuesday, 15 December 2020 09:56