Cybersecurity experts are warning of major global active exploits against SolarWinds Orion Platform software versions via a Sunburst backdoor and supply chain attack.
Late Sunday night, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive 21-01, in response to malicious actors exploiting SolarWinds Orion products.
“This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately,” CISA warned in the alert.
Affected SolarWinds Orion Platform versions are 2019.4 through 2020.2.1, released between March 2020 and June 2020.
The SolarWinds Security Advisory further stated:
“SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.”Solarwinds
Furthermore, FireEye confirmed the major attack in a threat research report posted Sunday. The security firm said they have discovered a “global intrusion campaign” and identified the bad actors as UNC2452.
FireEye said the supply chain attack trojanizes SolarWinds Orion business software updates and then distributes malware FireEye called “Sunburst.”
“The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye explained in the threat research blog post.
“Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
Moreover, FireEye warned the campaign is likely widespread and affects public and private organizations globally.
A key component of SolarWinds is the digitally-signed component of the Orion software framework — SolarWinds.Orion.Core.BusinessLayer.dll. This DLL contains a backdoor, called Sunburst, that communicates via HTTP to third party systems.
According to FireEye, multiple trojanized updates were likely digitally signed from March 2020 through May 2020 and posted to the SolarWinds updates website.
FireEye also posted a list of known malicious infrastructure on their GitHub page.
According to a Wall Street Journal (WSJ) report, hackers infiltrated systems in US government agencies, as well as FireEye via this malicious SolarWinds software update.
As a result, multiple government federal government agencies have had some of their systems breached as part of a widespread global cyber espionage campaign. The WSJ said the actors behind the campaign were likely from the Russian government.
The full impact of the SolarWinds vulnerability could be widespread given the company’s impressive list of customers to include:
- More than 300K customers worldwide
- More than 425 of the US Fortune 500 companies
- All ten of the top ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide.
Software upgrades needed
SolarWinds recommends organizations upgrade SolarWinds systems to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment.
The software company added that an additional hotfix release, 2020.2.1 HF 2 will likely be made available on Tuesday, December 15, 2020. This version will supersede the previous version, but will also include several additional security enhancements.
Readers can also check out related articles that point out similar supply chain or third party-related attacks.