[This is a developing story and will likely be updated as we learn more details.] We are preparing a webcast for 5 pm EST (22:00 UTC).

SolarWinds today announced that its product was apparently used to breach multiple high profile organizations [1]. One of these organizations was FireEye. FireEye made the breach public last week, and today released a detailed report showing how SolarWinds was used to breach the network [6].

SolarWinds was apparently compromised early in 2020. The attackers used the access they gained to the SolarWinds network to add a backdoor to a key library that is part of SolarWinds. This modified library was delivered to selected SolarWinds customers via the normal SolarWinds update process.

SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 are potentially affected (SolarWinds states that 2020.2.1 HF1 is safe; CISA considers that version affected). According to SolarWinds' statement, updates to the Orion product released between March and June of 2020 are affected.

The SolarWinds Orion Platform is an IT management platform that centralizes IT operations, security, and management. A compromise of this platform may affect all parts of a network that are controlled by Orion. An attacker would be able to enable/disable security tools, change configurations or load unauthorized patches (or prevent patches from being applied), among other things.

Currently, the following names are used for the attack:
What you should do at this point:
The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4].

The backdoor is part of SolarWinds.Orion.Core.BusinessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps://downloads[.]solarwinds[.]com).

IOCs: See the FireEye GitHub repository https://github.com/fireeye/sunburst_countermeasures
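Because the trojanized module is a correctly signed, legitimately distributed DLL, a signature check alone will not surface it; a defender has to compare the files actually on disk against the published file hashes. The script below is an added illustration (not code from the diary, SolarWinds or FireEye): it walks an install tree, hashes every DLL, reports matches against an IOC hash set, and separately lists every copy of the BusinessLayer module so versions the IOC list does not yet cover can be checked by hand. The hash set and the sample files in `demo()` are constructed so the script runs offline; real SUNBURST hashes must come from the FireEye sunburst_countermeasures repository linked above.

```python
"""Sweep a directory of Orion modules for known-bad file hashes.

Added illustration, not code from the ISC diary, SolarWinds or FireEye.
Real SUNBURST file hashes must be taken from the FireEye
sunburst_countermeasures repository the diary links to; the IOC used in
demo() is constructed from sample bytes so the script runs offline.
"""
import hashlib
import os
import tempfile

# Module the diary names as the trojanized component.
SUSPECT_MODULE = "SolarWinds.Orion.Core.BusinessLayer.dll"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, bad_hashes: set) -> tuple:
    """Walk `root` and return (hash_hits, name_hits).

    hash_hits: DLLs whose SHA-256 is in `bad_hashes` (a positive IOC match).
    name_hits: every copy of SUSPECT_MODULE, whatever its hash, so an analyst
               can verify builds the IOC list may not cover yet.
    Both lists hold (path, sha256) tuples.
    """
    hash_hits, name_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in bad_hashes:
                hash_hits.append((path, digest))
            if name.lower() == SUSPECT_MODULE.lower():
                name_hits.append((path, digest))
    return hash_hits, name_hits


# Constructed sample content standing in for a trojanized and a clean module.
TROJANIZED_BYTES = b"constructed: backdoored BusinessLayer module"
CLEAN_BYTES = b"constructed: unmodified module"


def demo() -> dict:
    """Build a throwaway install tree, sweep it, and return the matched file names."""
    bad_hashes = {sha256_bytes(TROJANIZED_BYTES)}  # placeholder IOC, constructed
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Orion")
        os.makedirs(sub)
        with open(os.path.join(sub, SUSPECT_MODULE), "wb") as f:
            f.write(TROJANIZED_BYTES)
        with open(os.path.join(sub, "SolarWinds.Orion.Other.dll"), "wb") as f:
            f.write(CLEAN_BYTES)
        with open(os.path.join(sub, "readme.txt"), "wb") as f:
            f.write(b"not a module")  # non-DLL, skipped by the sweep
        hash_hits, name_hits = sweep(root, bad_hashes)
    return {
        "hash_hits": [os.path.basename(p) for p, _ in hash_hits],
        "name_hits": [os.path.basename(p) for p, _ in name_hits],
    }


if __name__ == "__main__":
    print(demo())
```

Point `sweep()` at the real Orion install directory and load `bad_hashes` from the IOC file; a name hit with no hash hit is not proof of compromise, but it is the file to pull for comparison against a known-good copy.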
[1] https://twitter.com/razhael/status/1338267165221396480/photo/1
Johannes, ISC Handler, Dec 15th 2020
Hi,
regarding the Signer Hash: "Signer": "Solarwinds Worldwide LLC" "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4" I've checked in my installation (2020.2.1 Hotfix 1), and indeed I find this SignerHash (47d...), but I couldn't find any other abnormalities mentioned. Also the hash of the .DLL file itself is different from the ones posted everywhere. I also verified other .DLLs in the directory, not only the SolarWinds.Orion.Core.BusinessLayer.dll; they all have the same SignerHash. So, is this SignerHash a clear indicator for an attacked system? Thanks, Jeff
Anonymous, Dec 14th 2020
I believe there is an error in this summary. According to https://www.solarwinds.com/securityadvisory, the 2020.2.1 (note the dot-one at the end) is NOT compromised. Only the 2020.2 (no dot-one) up till HF 1.
If that is correct, then your installation should be safe (I hope, since I have the same version).
Anonymous, Dec 15th 2020
According to the CISA announcement: "SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors". I know this differs somewhat from SolarWinds' advice that states that 2020.2.1 HF 1 is secure. I will make this a bit more obvious in the article.
Johannes, ISC Handler, Dec 15th 2020
The FireEye Threat Research Blog mentions these domains. Does anyone have the IPs that these resolved to IN MARCH-MAY 2020?
.appsync-api.eu-west-1[.]avsvmcloud[.]com
.appsync-api.us-west-2[.]avsvmcloud[.]com
.appsync-api.us-east-1[.]avsvmcloud[.]com
.appsync-api.us-east-2[.]avsvmcloud[.]com
Anonymous, Dec 15th 2020
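Whether or not the historical IPs turn up, the domain names in the comment above are something every resolver log can be searched for now. The script below is an added example (not part of the thread, the diary or FireEye's material): it parses resolver log lines in a constructed format and flags any query at or beneath the avsvmcloud[.]com apex the four listed hosts share, normalizing case and the trailing dot some resolvers log, and rejecting look-alikes such as `notavsvmcloud.com`. The sample log lines are constructed; the subdomain label in the first one is a placeholder, not a real observed name.

```python
"""Flag resolver-log queries for the avsvmcloud[.]com names in the comment above.

Added illustration; not code from the ISC diary or FireEye. The log format,
the log lines and the subdomain label are constructed for the example; the
apex is the parent of the four appsync-api hosts quoted in the comment,
with the defanging removed.
"""
import re

# The four regional appsync-api hosts in the comment all sit beneath this apex,
# so matching the apex covers them and any sibling host.
SUSPECT_APEX = "avsvmcloud.com"

# Constructed line format: "<ts> client=<ip> query=<qname> type=<rrtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot a resolver log may add."""
    return qname.lower().rstrip(".")


def is_suspect(qname: str) -> bool:
    """True for the apex itself or any name beneath it; look-alike apexes do not match."""
    q = normalize(qname)
    return q == SUSPECT_APEX or q.endswith("." + SUSPECT_APEX)


def find_suspect_queries(lines):
    """Return (ts, client, qname) for every parsable line that hits the apex."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; count or log these in production
        if is_suspect(m.group("qname")):
            hits.append((m.group("ts"), m.group("client"), normalize(m.group("qname"))))
    return hits


# Constructed sample log lines (the subdomain label is a placeholder).
SAMPLE_LOG = """
2020-04-02T10:15:01Z client=10.0.0.5 query=constructed-label.appsync-api.eu-west-1.avsvmcloud.com. type=A
2020-04-02T10:15:02Z client=10.0.0.5 query=downloads.solarwinds.com type=A
2020-04-02T10:16:40Z client=10.0.0.9 query=AVSVMCLOUD.COM type=A
2020-04-02T10:17:03Z client=10.0.0.7 query=notavsvmcloud.com type=A
2020-04-02T10:17:09Z client=10.0.0.7 query=example.com type=AAAA
garbage line that does not parse
""".strip().splitlines()


if __name__ == "__main__":
    for ts, client, qname in find_suspect_queries(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```

Adjust `LINE_RE` to the resolver's actual log layout; the match logic in `is_suspect()` is independent of the format, and the client field is what turns a hit into a host to pull the Orion directory from.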