Active exploitation of SolarWinds Orion IT management platform
The Cybersecurity and Infrastructure Security Agency (CISA) is warning about active exploitation of SolarWinds Orion, a widely used platform for IT monitoring and management. You should contact your IT team or provider now to determine whether you use the SolarWinds Orion platform and whether your specific version of the software is affected. If it is, you should immediately take steps to mitigate the risk.
On December 13, SolarWinds warned of a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. Threat actors were able to modify certain SolarWinds software updates to distribute malware, as discussed in more detail in FireEye’s related blog post. The malware creates a significant vulnerability in the systems of organizations that installed the updates. By exploiting the vulnerability, threat actors can install ransomware or additional malware, steal data from your network, obtain access to network resources, and install backdoors for remote access.
What to do
SolarWinds recommends the following mitigation steps and provides more details in their security advisory:
- Determine which version of Orion Platform you are using and which hotfixes have been applied
- Upgrade to the most recent version of the software
- Watch for an additional hotfix release anticipated for tomorrow
- If you cannot upgrade immediately, implement mitigation steps including having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.
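The first and last of these steps can be checked from the Orion server itself. The PowerShell below is an added example, not code from SolarWinds, CISA or this advisory: it lists SolarWinds components and versions recorded in the Windows uninstall registry hives and then tests whether the host can still reach the internet, which should fail once egress has been disabled. The hostname `egress-test.example.invalid` is a placeholder, and the assumption that Orion hotfixes appear as separate uninstall entries containing "HF" or "Hotfix" should be confirmed against the SolarWinds advisory.

```powershell
# Added example (not from the advisory or SolarWinds): inventory SolarWinds
# components from the Windows uninstall registry hives and test whether the
# host still has outbound internet egress. Run in an elevated PowerShell
# session on the Orion server.

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every uninstall entry whose display name mentions SolarWinds or Orion.
$solarwinds = foreach ($hive in $hives) {
    if (Test-Path $hive) {
        Get-ChildItem -Path $hive |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -match 'SolarWinds|Orion' } |
            Select-Object DisplayName, DisplayVersion, InstallDate, Publisher
    }
}

if (-not $solarwinds) {
    Write-Output 'No SolarWinds/Orion entries found in the uninstall hives.'
} else {
    Write-Output 'Installed SolarWinds components (compare against the SolarWinds advisory):'
    $solarwinds | Sort-Object DisplayName | Format-Table -AutoSize | Out-String | Write-Output

    # Assumption: hotfixes are recorded as separate entries whose name contains
    # 'HF' or 'Hotfix'. Verify this against the vendor advisory.
    $solarwinds | Where-Object { $_.DisplayName -match 'HF|Hotfix' } |
        ForEach-Object { Write-Output ("Hotfix entry: {0} {1}" -f $_.DisplayName, $_.DisplayVersion) }
}

# Egress check: a server whose internet access has been disabled must fail this.
# 'egress-test.example.invalid' is a placeholder; substitute a host your
# policy permits you to probe.
$egress = Test-NetConnection -ComputerName 'egress-test.example.invalid' -Port 443 -WarningAction SilentlyContinue
if ($egress.TcpTestSucceeded) {
    Write-Warning 'Outbound TCP/443 from this host succeeded: internet egress is NOT blocked.'
} else {
    Write-Output 'Outbound TCP/443 failed: egress appears blocked (also verify DNS and proxy paths).'
}
```

The uninstall-hive inventory is a starting point only: compare the versions it reports with the affected builds named in the SolarWinds advisory rather than relying on string matching, and repeat the egress test after firewall changes to confirm the mitigation actually took effect.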
CISA has also issued an emergency directive for government agencies on mitigation. The emergency directive goes into greater detail and is well worth reviewing.
FireEye’s blog post discusses in depth how the attack works, how the malware operates, how post-compromise activity can be detected, and how you can mitigate the risks. FireEye has also released signatures to detect the threat actor and attack on their GitHub page.
Microsoft has provided guidance on how attackers frequently escalate privileges and secure long-term access to the system as part of these attacks. See their post for recommended defenses and updated detections for Azure Sentinel and Microsoft Defender.
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- Microsoft Security Response Center, Customer Guidance on Recent Nation-State Cyber Attacks