We learned more about the sophisticated attack first disclosed on December 8 when security firm FireEye reported it had been the victim of a state-sponsored adversary that stole Red Team assessment tools.
On December 13 there was a new development when IT company SolarWinds announced it had been hacked and that its compromised software channel was used to push out malicious updates onto 18,000 of its Orion platform customers.
This scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on software that has already been trusted and that can be widely distributed at once. Among the victims who received the malicious update are FireEye, Microsoft and the US Treasury and Commerce departments, making this one of the biggest cyber incidents we have witnessed in years.
The Department of Homeland Security has issued an emergency directive ordering all federal agencies to immediately take affected SolarWinds Orion products offline and to report back any incident by Monday.
We do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security firm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. As this story is still unfolding we will keep our customers informed of any newer developments.
Call to action
- Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
- Scan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst and Backdoor.WebShell.
- Use the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other SIEM data to give a timeline perspective to any potential intrusion.
- Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure.
- Upgrade to Orion Platform version 2020.2.1 HF 2 and restore systems once you feel confident with the previous steps.
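One way to turn the version range in the steps above into a repeatable inventory check, as an added example (not Malwarebytes or SolarWinds code): it parses Orion version strings in the "YYYY.M[.P] [HF n]" form used in this list and classifies each host of a constructed inventory as isolate, upgrade or fixed. It assumes the range "2019.4 HF 5 through 2020.2.1" is inclusive at both ends and that a release without a hotfix sorts before its own hotfixes.

```python
import re
from typing import Tuple

# Boundaries taken from the call-to-action list above. Assumption: the stated
# range is inclusive at both ends.
AFFECTED_MIN = "2019.4 HF 5"
AFFECTED_MAX = "2020.2.1"
FIXED_VERSION = "2020.2.1 HF 2"

# Accepts "2019.4", "2019.4 HF 5", "2020.2.1", "2020.2.1 HF 2" (HF part optional).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'YYYY.M[.P] [HF n]' into a comparable (major, minor, patch, hotfix) tuple.

    A release with no hotfix sorts as hotfix 0, so '2020.2.1' < '2020.2.1 HF 1'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (3 - len(parts))          # pad "2019.4" to (2019, 4, 0)
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def in_affected_range(version: str) -> bool:
    """True if the build falls inside the range the list says to isolate."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def is_fixed(version: str) -> bool:
    """True if the build is at or above the hotfix the list says to upgrade to."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(version: str) -> str:
    """Map one installed version to the action implied by the steps above."""
    if in_affected_range(version):
        return "isolate"   # inside the stated range: take it off the network first
    if is_fixed(version):
        return "fixed"     # already at 2020.2.1 HF 2 or later
    return "upgrade"       # outside the stated range but still older than the fix


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"orion-prod-01": "2020.2.1", "orion-prod-02": "2019.4 HF 5",
                 "orion-lab-01": "2019.4 HF 4", "orion-dr-01": "2020.2.1 HF 2"}
    for host, ver in inventory.items():
        print(f"{host:14} {ver:16} -> {triage(ver)}")
```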
- SolarWinds: SolarWinds Security Advisory
- FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks
- Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations
- CISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Microsoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect
Indicators of Compromise (IOCs)
This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.
Additional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules