SolarWinds’ Orion platform Github password leak

December 23, 2020
solarwinds orion github passwordl eak CozyBear APT

The Cybercommunity is currently in chaos as Solarwinds, developer of network management software has confirmed that their sophisticated Orion IT software has been compromised and affected system access was sold off in the underground forum of hackers. The latest report told the 18,000 companies out of 300,000 have been affected by such intrusion. The magnitude of the damage is far from assessment as the victims are among the company’s prominent customers included in the Fortune 500, US Telecom providers, military organizations, accounting, and commerce firms. Thus, the news of this outbreak has resulted in Solarwinds market value to decline within a week.

According to the current investigation, the attack was staged by known state-backed adversaries allegedly pointing to the Russian APT group Cozy Bear, based on the operational pattern of intrusion and type of the backdoor application used. The in-depth investigation confirmed that the intrusion’s gateway was found on the latest patch update that has been released by Solarwinds to Orion application in March-June 2020. The update was injected with the malicious code onto the DLL loader of the application. The code was sophisticatedly well crafted to avoid any possible detection from any manual monitoring or anti-virus application. Upon reaching the targeted device, it will sleep for a couple of weeks before it begins its first infiltration phase. The first phase includes corrupting legitimate system files to establish it’s under the radar activity then will again sleep for another couple of weeks to start the second phase to complete its operation. This time, the process stage is to corrupt the system files to established outside communication to signal the adversary that the remote Command and Control is ready. The infiltration is a success waiting for exfiltration sequence to commence.

 

In an independent report, it was believed that the possible intrusion started with the found vulnerability within the Solarwind Orion network access.

 

The APT actors have exploited this vulnerability as the company neglects to use a more sophisticated network credential. With the exposed username and cybersecurity, experts tagged this as poor password management system ‘Solarwinds123’. The adversaries were able to make their way to the Development Team system and inject the malicious code onto the controversial Orion update. As told, this would have been prevented if the report of an ethical hacker has been given priority by the company when he submitted his vulnerability report.

An ongoing investigation of many authorities and cybersecurity experts is constant, including mitigation to halt further spreading of the infection. The initial analysis confirmed that the attacker’s primary goal was to exfiltrate sensitive information of Solarwinds customers, and fortunately, the primary storage is clean. The attack confirms that adversaries are relentless in evolving their program as investigators viewed that the code is unique and highly sophisticatedly customized for the operation. However, the experts see it as an opportunity to learn and develop a more robust security application to protect the community. But then again, the question of being proactive rather than being reactive is still and will be the evident struggle.

About the author

Leave a Reply