SolarWinds, a leading American company that provides powerful IT Infrastructure Management software, was recently attacked by highly sophisticated threat actors. The company builds software to help businesses to operate their systems, network, and IT infrastructure. SolarWinds have around 320,000 plus customers worldwide, including the US military and 499 companies of the Fortune 500.
The attackers used the Orion platform’s vulnerability – one of SolarWinds well-known products, to inject malicious backdoor codes and delivered them to the customers using software updates.
The backdoor codes were injected on the software updates distributed last March and June 2020 to perform reconnaissance and execute commands on the targeted systems. Reports say that the victims of the supply chain attack are roughly around 18,000 customers. It includes high-value entities such as government agencies, telecom, technology, and oil and gas companies from Asia, Middle East, North America, and Europe. The supply-chain attack is also known as a third-party attack or value-chain that can penetrate a company’s system using a third-party provider who can access your systems and data.
How did the attack happen?
The attackers inject SUNBURST backdoor into the SolarWinds.Orion.Core.BusinessLayer.dl – digitally signed component of the Orion software structure and used HTTP to communicate to the third-party servers. According to Microsoft, the infected DLL speaks to the domain avsvmcloud[.]com to control the affected systems. The domain is now configured to perform as a “kill switch” to stop the malicious code working in a variety of circumstances. The backdoor codes detected on Orion’s platform are from versions 2019.4 HF 5 and 2020.2 with no hotfix installed, and 2020.2 HF 1. SolarWinds reiterates that no other versions and other products were included in the vulnerability attack.
The investigation regarding the attack is still ongoing. However, the company detects the incident when their Microsoft Office 365 emails and office account were compromised. A Security researcher note that the FTP credentials of downloads.solarwinds.com was publicly available in the GitHub repository since June 17, 2018, and was only address last November 22, 2019. The attacker may have used these credentials to inject malicious codes on Orion’s software updates. In a statement released by Hacker News, they cited that the attackers managed to compromise the software as early as October 2019. And as of this writing, SolarWinds is still investigating if the compromised data is related to Orion’s software attack.
Injection of the malicious codes
A private security company identified that a state-sponsored threat actor is responsible for the attack with a campaign called UNC2452. The threat actor silently injected the malicious SUNBURST code on Orion’s software source code. The software version 2019.4.5200.8890 released last October 2019 acts as an avenue to deliver the real payload on March and June 2020. After the installation of the software updates, it will execute Orion’s update .NET program to the load plugins that includes the malicious backdoor codes. A separate class called “Inventory Manager” will be modified to build a thread that manages the backdoor. Cleverly, the attackers hide their malicious strings using compression and Base64 encoding, which makes it difficult to be detected. Security researcher concludes that this attack is the next generation of compromises that requires sophistication and patience. A new update on Orion’s software version is now available on the SolarWinds portal to ensure the security of their customer’s environment.
A company’s data is always at risk. To mitigate the risk of the supply chain attack, companies must limit the third-party access, continually monitor, and include third party tools on the security scanning, and should review access to sensitive data. Overall, security teams should understand the risk and create a security roadmap to protect the data.