December 16 2020
Details about the Russian-based malware security threat that infected an estimated 18,000 organizations continue to unfold. Over the last several days, targets and victims of the campaign, which originated from a seemingly legitimate software update of the Orion network management product from SolarWinds, have emerged and include a who’s who of the U.S. government, numerous Fortune 500 companies and potentially over 22,000 managed service providers. The U.S. Treasury Department, the Department of Homeland Security, the State Department, the Justice Department, and potentially entities from all five branches of the U.S. military installed the compromised software on their systems. SolarWinds also counts 499 of the top Fortune 500 companies as customers, so the extent of the security breach is extensive.
According to stories published on DarkReading.com and ZDNet, security vendor FireEye uncovered the malware campaign while investigating a breach on its own network. FireEye recently published a description of the malware, “SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
On Monday, Dec. 16th, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive, only the fifth since 2015, advising “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
DarkReading.com reported, “The targeted attack has once again focused attention on the long-standing issue of supply chain and third-party security. It has also raised alarm about the extent to which Russian advanced persistent threat (APT) actors and threat actors from other countries may have insinuated themselves into, and are lurking on, U.S. critical infrastructure and networks, ready to activate at a moment’s notice.”
SolarWinds’ Orion technology monitors networks of hundreds of thousands of organizations in government, banking, healthcare and other industries..
During the past month, more than 30 SolarWinds’ MSPs have signed up with MspPortal Partners Inc, and they are now protected on one of the oldest, most established and trusted security platforms.