What is the SolarWinds Cyberattack?
On December 13, 2020, multiple security vendors in conjunction with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed a software supply chain attack involving the SolarWinds Orion platform. The disclosure detailed the activities of an advanced persistent threat (APT) adversary that was able to gain access to SolarWinds systems to create “trojanized” updates to SolarWinds’ Orion platform. The trojanized Orion update allowed attackers to deploy additional, stealthy malware on the networks of SolarWinds customers.
What is SolarWinds?
SolarWinds is a provider of IT infrastructure management software. Its products enable organizations to monitor and manage the performance of their IT environments, whether they are on-premises, in the cloud, or in hybrid models.
One of the SolarWinds software products is Orion, a widely used network infrastructure monitoring and management platform. It is designed to provide visibility into networks from various vendors, enabling customers to identify and troubleshoot issues. Orion has a reported customer base of over 33,000, which includes many large enterprises and government agencies, and it is believed that the attack affected 18,000 Orion customers.
To carry out the cyberattack, the attackers modified an Orion platform plug-in that is distributed as part of Orion platform updates. Digitally signed by SolarWinds, it contains a backdoor that communicates with third-party servers controlled by the attackers. Once the attackers were able to establish a foothold in impacted organizations, they would be capable of further attacks, including data theft or business disruption.
On December 14, 2020, Forbes reported on the potential gravity of the attacks, writing that they could go to the heart of the United States’ security apparatus: “According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs...the National Institutes of Health, the Department of Energy, the DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.”
It didn't come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and American Fortune 500 companies may prove to be even more damaging to our national security and our business prosperity.
How did the SolarWinds vulnerability occur?
The attack on SolarWinds affected Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
As of January 2021, the full scope of the attack remained under investigation. What is known is that the attack was executed by a sophisticated adversary with a deep understanding of operational security. Based on publicly available data, this adversary demonstrated significant efforts to evade detection, which included code obfuscation and clean-up techniques, such as steganography, fingerprinting techniques to identify both target systems as well as analysis systems, rotating infrastructure with a focus on geolocation proximity, as well as executing code in memory as much as possible. These techniques, in combination with using a digitally signed component of a trusted software platform as the initial infection vector, are indicative of a highly skilled and covert adversary willing to expend resources to assure the success of their operation.
Security experts have been warning for many years that supply-chain attacks are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels, such as software update mechanisms that are inherently trusted by users.
What happens if an attack is successful?
Once the malware has been deployed, the adversary will most likely begin to perform reconnaissance actions using the privileges of the Orion system and explore what is available in terms of assets to compromise or actions to take. The following behaviors may have been observed on the affected Orion system or other systems that have had communication with the affected system.
- Modification of system tasks
- Delete-create-execute-delete-create directory action pattern
- Newly created or unknown local user accounts
- Existence or evidence of usage of Adfind.exe
- Signs of cmd.exe or rundll32.exe spawned from solarwinds.businesslayerhost.exe
- Existence of unknown and/or very broad email forwarding/deleting rules on the email gateway
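As an added example (not code from the original page), the following Python sketch shows how two of the indicators above can be checked against process-creation and file-system events exported from an endpoint sensor. The event records, field names and paths are constructed for illustration and are not real telemetry.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the behavior list above.
SUSPECT_PARENT = "solarwinds.businesslayerhost.exe"
SUSPECT_CHILDREN = {"cmd.exe", "rundll32.exe"}
# The directory action pattern, expressed as an ordered sequence of event types.
DIR_PATTERN = ["delete", "create", "execute", "delete", "create"]

# Constructed sample process-creation events (parent process -> child process).
PROCESS_EVENTS = [
    {"ts": 1, "host": "orion01", "parent": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"ts": 2, "host": "orion01", "parent": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe", "child": r"C:\Windows\System32\conhost.exe"},
    {"ts": 3, "host": "ws07", "parent": r"C:\Windows\explorer.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"ts": 4, "host": "orion01", "parent": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe", "child": r"C:\Windows\System32\rundll32.exe"},
]

# Constructed sample file-system events (one action per directory per timestamp).
FS_EVENTS = [
    {"ts": 10, "dir": r"C:\Windows\Temp\tmp1", "action": "delete"},
    {"ts": 11, "dir": r"C:\Windows\Temp\tmp1", "action": "create"},
    {"ts": 12, "dir": r"C:\Windows\Temp\tmp1", "action": "execute"},
    {"ts": 13, "dir": r"C:\Windows\Temp\tmp1", "action": "delete"},
    {"ts": 14, "dir": r"C:\Windows\Temp\tmp1", "action": "create"},
    {"ts": 15, "dir": r"C:\Users\bob\build", "action": "create"},
    {"ts": 16, "dir": r"C:\Users\bob\build", "action": "execute"},
]

def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def suspicious_spawns(events):
    """Events where cmd.exe or rundll32.exe was spawned by the Orion business layer host."""
    return [ev for ev in events
            if basename(ev["parent"]) == SUSPECT_PARENT
            and basename(ev["child"]) in SUSPECT_CHILDREN]

def directory_pattern_hits(fs_events):
    """Directories whose time-ordered action history contains DIR_PATTERN as a contiguous run."""
    per_dir = defaultdict(list)
    for ev in sorted(fs_events, key=lambda e: e["ts"]):
        per_dir[ev["dir"]].append(ev["action"].lower())
    n = len(DIR_PATTERN)
    return sorted(d for d, actions in per_dir.items()
                  if any(actions[i:i + n] == DIR_PATTERN for i in range(len(actions) - n + 1)))

if __name__ == "__main__":
    for hit in suspicious_spawns(PROCESS_EVENTS):
        print(f"[spawn] host={hit['host']} ts={hit['ts']} child={basename(hit['child'])}")
    for d in directory_pattern_hits(FS_EVENTS):
        print(f"[dir pattern] {d}")
```

Both checks should be run over the Orion host's own telemetry and, per the text above, over systems that communicated with it.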
How do you know if you have been attacked?
The easiest way to identify whether you were affected as an organization is to identify if one of the compromised SolarWinds Orion products and versions is being used in your environment (see below) and update it to the latest version, according to SolarWinds’ advisory. Also, check if you are running any other affected SolarWinds products as listed in their advisory. Affected Orion versions include:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, version 2020.2.5300.12432
- Orion Platform 2020.2 HF1, version 2020.2.5300.12432
If you are using any of the above versions, be sure to isolate, disconnect, or power down infected systems. Review logs to identify command-and-control activity or lateral movement from infected systems. Finally, reset all credentials used by SolarWinds Orion and associated services.
In their efforts to remain undetected, the adversary in this specific attack appears to have only used the backdoor in SolarWinds Orion in cases where the target environment appeared of specific interest. Whether access was attempted and obtained can only be determined by analyzing network activity.
This is because the campaign was suspected to have started on or before March 2020 (with possible testing as early as October 2019) and did not involve any known indicators of compromise. Due to the sheer volume of data involved, many organizations do not keep access logs long enough to determine whether or not a successful compromise occurred.
Companies, as users of software, should also start thinking about applying zero-trust networking principles and role-based access controls not just to users, but also to applications and servers.
Best practices for protecting your organization
- Eliminate your internet-facing attack surface, stop potential lateral movement, and block command-and-control activity with a zero trust architecture, which provides an effective defensive layer to significantly limit the impact of “trojanized” technologies.
- Enable complete SSL/TLS inspection and advanced threat prevention on workload-to-internet traffic.
- Run an inline cloud sandbox to identify and stop advanced, unknown threats.
- Enforce protections for known command-and-control traffic with continuous updates as new destinations emerge.
- Limit the impact of lateral movement with identity-based microsegmentation for cloud workloads.
- Carefully assess and monitor your vendors’ security practices and certifications, such as ISO/IEC 27001, which asserts that security practices that ensure confidentiality, integrity, and availability are the responsibility of top management.
- Restrict inbound and outbound component access to the minimum of what is absolutely required, which can dramatically limit an adversary’s ability to exploit a foothold.
- Require multifactor authentication for any access to high-value targets, which in itself should be granted on an as-needed basis.
Implementing only the last two points—limiting access to and from the SolarWinds Orion Platform and requiring strong authentication to access—could have made it significantly more difficult for the adversary to gain access to a customer’s environment, while making it easier to detect activity that was not expected.