The SolarWinds attack was one of the largest nation-state supply chain attacks seen to date. The attackers compromised the build process for SolarWinds' Orion network management software and shipped a backdoor inside its signed updates; the U.S. government later attributed the campaign to Russia's Foreign Intelligence Service (SVR).
The trojanized updates reached thousands of organizations worldwide, including U.S. federal agencies such as the Treasury Department and the Pentagon and many Fortune 500 companies, although the attackers followed up with hands-on intrusions at only a small fraction of them.
SolarWinds Orion Vulnerabilities
According to the official SolarWinds security advisory, two distinct pieces of malicious code were found in Orion: SUNBURST and SUPERNOVA. Neither is a vulnerability in the usual sense, although they are often described that way: SUNBURST is a backdoor planted into the product during the build, and SUPERNOVA is a webshell planted on already-deployed servers through a separate flaw in Orion.
What is SUNBURST?
SUNBURST is the backdoor at the heart of the SolarWinds supply chain attack. It was compiled into a legitimately signed Orion component, SolarWinds.Orion.Core.BusinessLayer.dll, in Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1. After an initial dormant period of up to two weeks, the backdoor beacons to attacker infrastructure over DNS and gives the attackers the ability to run commands, transfer files and profile the server running the Orion Platform.
Additional components of the SUNBURST attack mechanism are:
- SUNSPOT – purpose-built malware that ran on the SolarWinds build server and swapped SUNBURST source code into the Orion build while it was being compiled, so the backdoor came out signed like any other release.
- TEARDROP and RAINDROP – memory-only loaders used as second-stage tools once the SUNBURST backdoor had given the attackers access; both have been observed loading Cobalt Strike Beacon payloads.
What is SUPERNOVA?
SUPERNOVA is malware that was not delivered through the SolarWinds build process, so it is not a supply chain attack in itself. It was deployed onto Orion servers by exploiting a vulnerability in the product, tracked as CVE-2020-10148, an authentication bypass in the Orion API. It has two components:
- A malicious webshell .dll file named "app_web_logoimagehandler.ashx.b6031896.dll", written in .NET by the attackers to run inside Orion's web application and masquerade as one of its compiled ASP.NET handlers.
- The authentication bypass in the Orion Platform that let an unauthenticated attacker deploy the webshell. SolarWinds has fixed this flaw in current Orion releases and in security patches for older supported versions, so the webshell can no longer be planted this way.
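As an added example that is not part of the SolarWinds advisory or this article, the following Python script checks an Orion installation directory for the two artefacts just described: the SUPERNOVA webshell, detected by its file name, and a trojanized SolarWinds.Orion.Core.BusinessLayer.dll, detected by SHA-256 against a hash set you populate from the published indicator lists. The hash set in the script is a placeholder, and the directory it scans is a constructed stand-in built in build_demo_dir(). Note that the SUNBURST builds carried a valid SolarWinds code signature, which is why a signature check alone does not catch them.

```python
"""Added example (not SolarWinds', CIS's or this article's code): a file-level
check of an Orion installation for the SUNBURST and SUPERNOVA artefacts. The
DLL names come from the public advisories; the SUNBURST hash set is a
placeholder to be filled from the SolarWinds/FireEye indicator lists, and
build_demo_dir() creates a constructed stand-in tree so the example runs
offline."""
import hashlib
import tempfile
from pathlib import Path

# Component the backdoor was compiled into. The trojanized builds carried a
# valid SolarWinds Authenticode signature, so a signature check passes on them;
# match known-bad hashes (or the affected file versions) instead.
SUNBURST_DLL = "solarwinds.orion.core.businesslayer.dll"
# The SUPERNOVA webshell, planted as if it were a compiled ASP.NET handler.
# Its presence is a finding on its own; no legitimate Orion build ships it.
SUPERNOVA_DLL = "app_web_logoimagehandler.ashx.b6031896.dll"


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_orion_dir(root, sunburst_hashes):
    """Walk an Orion install and return (indicator, path, reason) tuples.

    sunburst_hashes: set of lowercase SHA-256 digests of trojanized
    SolarWinds.Orion.Core.BusinessLayer.dll builds, taken from the advisories.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()  # NTFS is case-insensitive
        if name == SUPERNOVA_DLL:
            findings.append(("SUPERNOVA", str(path), "webshell DLL present"))
        elif name == SUNBURST_DLL:
            digest = sha256_file(path)
            if digest in sunburst_hashes:
                findings.append(("SUNBURST", str(path), "hash matches trojanized build"))
    return findings


def build_demo_dir():
    """Constructed stand-in for an Orion install tree (not real paths or files):
    a 'trojanized' BusinessLayer DLL whose hash goes into the IOC set, a clean
    copy under backup/, and the SUPERNOVA webshell under a web bin directory."""
    root = Path(tempfile.mkdtemp(prefix="orion-demo-"))
    trojan = root / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
    clean = root / "Orion" / "backup" / "SolarWinds.Orion.Core.BusinessLayer.dll"
    webshell = root / "Orion" / "web" / "bin" / "app_web_logoimagehandler.ashx.b6031896.dll"
    for path, content in ((trojan, b"constructed: trojanized build"),
                          (clean, b"constructed: clean build"),
                          (webshell, b"constructed: webshell")):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root, {sha256_file(trojan)}


def run_demo():
    root, iocs = build_demo_dir()
    return scan_orion_dir(root, iocs)


if __name__ == "__main__":
    for indicator, path, reason in run_demo():
        print(f"{indicator}: {path} ({reason})")
```

In a real investigation you would point scan_orion_dir() at the Orion program and web directories and pass the SHA-256 digests published by SolarWinds and FireEye; a clean copy of the DLL with a different hash is left alone, as the backup copy in the demo shows.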
Additional SolarWinds Vulnerabilities Discovered After the Attack
Cybersecurity researchers at Trustwave discovered three further vulnerabilities in the months after the initial SolarWinds attack, two in the Orion Platform and one in the Serv-U FTP server. There is no evidence these vulnerabilities have been exploited by attackers. They are:
- CVE-2021-25274 – an unauthenticated remote code execution flaw in Orion's use of Microsoft Message Queue (MSMQ): messages placed on the queue are deserialized unsafely, letting a remote attacker run code with full control of the Windows server hosting Orion.
- CVE-2021-25275 – the credentials Orion uses for its back-end database were stored in a form that a low-privileged local user could read and decrypt, giving that user full control of the Orion database and the ability to add an Orion administrator account.
- CVE-2021-25276 – a weak-permissions flaw in the Serv-U FTP server that lets anyone who can log in locally or via RDP create a Serv-U administrator account and gain full access to the server and the networks it reaches.
Is Your Data at Risk from the SolarWinds Hack?
Thankfully, not all SolarWinds customers are exposed to this hack. Only users of the Orion software platform are affected, and specifically only those who installed one of the trojanized updates released between March and June 2020; SolarWinds estimated that fewer than 18,000 customers did so.
Specifically, the affected versions are SolarWinds Orion Platform versions 2019.4 HF5, 2020.2 with no hotfix installed, and 2020.2 HF 1.
Please note that:
- Not all organizations affected by the vulnerability were hacked. The attackers did not hack all organizations that had the vulnerability, apparently starting with the most valuable targets.
- Some organizations were compromised by the same threat actors without running a vulnerable Orion build, or without using Orion at all. CISA reported initial access vectors other than the Orion update, including password guessing and password spraying against exposed services, and in Microsoft 365 the actors relied on forged SAML tokens and credentials added to existing OAuth applications rather than on any Orion flaw. The NSA separately reported Russian state-sponsored exploitation of a command injection vulnerability in VMware Workspace ONE Access and Identity Manager (CVE-2020-4006) in the same period; the SUNBURST backdoor itself was not found in VMware products.
How to Protect Your Organization
There are some immediate steps you can take to protect your organization if you run affected SolarWinds software, whether or not you have yet found signs of compromise. These guidelines were provided by the Center for Internet Security (CIS):
- Inventory your systems and immediately apply the relevant SolarWinds updates to vulnerable installations. For example, move 2019.4 HF 5 to 2019.4 HF 6, move 2020.2 and 2020.2 HF 1 to 2020.2.1 HF 2, or apply the SolarWinds security patch for CVE-2020-10148 (the SUPERNOVA authentication bypass) if you need to keep running 2018.2 HF 6, 2018.4 HF 3 or 2019.2 HF 3.
- Monitor Microsoft 365 and Azure AD, because FireEye researchers documented the SolarWinds attackers moving from on-premises networks into Microsoft 365: stealing the ADFS token-signing certificate to forge SAML tokens, adding their own credentials to existing OAuth applications and service principals, and abusing highly privileged on-premises accounts synchronized to the cloud. Learn more in the FireEye white paper. You can check your Microsoft 365 environment for these signs using FireEye's Azure AD Investigator.
In addition, pay special attention to user behavior that increases security risk:
- Run software as a regular user without administrative privileges, to limit the impact of a compromise.
- Raise awareness so users do not visit untrusted sites or follow links from unknown or untrusted sources.
- Educate users on the risks of hyperlinks and email attachments from untrusted sources.
- Apply a least-privilege strategy across your systems and services.
Remediating Affected Systems
CIS recommends the following additional steps your organization should take to remediate systems affected by the SolarWinds attack.
Identifying Malicious Traffic Related to SolarWinds Attack
Take the following steps to identify if your environment has malicious traffic that could be related to SolarWinds malware:
- Examine DNS and network logs going back to March 2020 for any lookups of, or connections involving, avsvmcloud.com; SUNBURST beaconed to subdomains of the form appsync-api.<region>.avsvmcloud.com.
- If you find such traffic, look for unexplained external communications from the SolarWinds systems involved, which would indicate the second-stage command and control that followed the initial beacon.
- If the avsvmcloud.com traffic stopped around 14 December 2020 without any action by your security staff, the backdoor on that host was live until the domain was taken over and sinkholed, so the environment must be treated as compromised; follow the steps for SolarWinds products with malicious traffic.
- In addition, audit all systems for default credentials and newly created accounts, and perform an organization-wide password and credential reset.
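The traffic checks above as a worked detection over DNS query logs, as an added example that is not CIS's or this article's code. The log lines, source addresses, non-C2 names and dates are constructed for the demonstration; the real indicators are the avsvmcloud.com domain and the appsync-api.<region>.avsvmcloud.com pattern SUNBURST used. ORION_HOSTS and EXPECTED_SUFFIXES are assumptions about the environment being triaged.

```python
"""Added example (not CIS's or this article's code): triage of DNS query logs
for SUNBURST beaconing and for unexplained external lookups from Orion hosts.
Log lines, addresses, non-C2 names and dates are constructed; the real
indicators are avsvmcloud.com and the appsync-api.<region>.avsvmcloud.com
pattern. ORION_HOSTS and EXPECTED_SUFFIXES are assumptions about the site."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# SUNBURST looked up <encoded victim id>.appsync-api.<region>.avsvmcloud.com.
C2_DOMAIN = "avsvmcloud.com"
# Date the article gives for the beaconing going quiet after the sinkhole.
SINKHOLE_DATE = date(2020, 12, 14)
# Assumption: addresses of the Orion servers in this constructed environment.
ORION_HOSTS = {"10.20.30.40", "10.20.30.41"}
# Assumption: name suffixes an Orion host is expected to resolve.
EXPECTED_SUFFIXES = ("solarwinds.com", "windowsupdate.com", "corp.example")

# Constructed sample log: "<ISO timestamp> <client ip> <queried name>".
SAMPLE_LOG = """
2020-11-20T08:00:01Z 10.20.30.40 7q2kx1mf0abcd.appsync-api.us-west-2.avsvmcloud.com
2020-12-01T08:00:03Z 10.20.30.40 7q2kx1mf0abcd.appsync-api.us-west-2.avsvmcloud.com
2020-12-13T08:00:02Z 10.20.30.40 7q2kx1mf0abcd.appsync-api.us-west-2.avsvmcloud.com
2020-12-14T08:00:04Z 10.20.30.40 7q2kx1mf0abcd.appsync-api.us-west-2.avsvmcloud.com
2020-12-16T09:12:44Z 10.20.30.40 dl.example-cdn.net
2020-12-16T09:13:01Z 10.20.30.40 downloads.solarwinds.com
2020-12-02T11:30:00Z 10.20.30.41 9zzab3cd5efgh.appsync-api.eu-west-1.avsvmcloud.com
2020-12-20T11:30:00Z 10.20.30.41 9zzab3cd5efgh.appsync-api.eu-west-1.avsvmcloud.com
2020-12-10T12:00:00Z 10.20.50.5 www.notavsvmcloud.com
2020-12-10T12:00:05Z 10.20.50.5 mail.corp.example
"""


def is_subdomain_of(qname, domain):
    """Exact or label-boundary match, so notavsvmcloud.com does not match."""
    return qname == domain or qname.endswith("." + domain)


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        stamp, src, qname = line.split()
        records.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
                        src, qname.lower().rstrip(".")))
    return records


def summarize_beacons(records):
    """Per source host: first/last lookup of the C2 domain and lookup count."""
    summary = {}
    for stamp, src, qname in records:
        if not is_subdomain_of(qname, C2_DOMAIN):
            continue
        entry = summary.setdefault(src, {"first_seen": stamp, "last_seen": stamp, "count": 0})
        entry["first_seen"] = min(entry["first_seen"], stamp)
        entry["last_seen"] = max(entry["last_seen"], stamp)
        entry["count"] += 1
    return summary


def classify(entry, sinkhole=SINKHOLE_DATE, window_days=2):
    """Apply the article's reasoning about when the beaconing stopped."""
    last = entry["last_seen"].date()
    if last > sinkhole + timedelta(days=window_days):
        return "ACTIVE_AFTER_SINKHOLE"   # still resolving C2: live backdoor, escalate now
    if abs((last - sinkhole).days) <= window_days:
        return "STOPPED_AT_SINKHOLE"     # live until cut off by the sinkhole: host compromised
    return "STOPPED_EARLY"               # quiet before the sinkhole: confirm it was your staff


def unexplained_external(records, orion_hosts=ORION_HOSTS, expected=EXPECTED_SUFFIXES):
    """Names Orion hosts resolved that are neither expected nor the known C2."""
    found = defaultdict(set)
    for _, src, qname in records:
        if src not in orion_hosts or is_subdomain_of(qname, C2_DOMAIN):
            continue
        if any(is_subdomain_of(qname, suffix) for suffix in expected):
            continue
        found[src].add(qname)
    return {src: sorted(names) for src, names in found.items()}


def triage(text=SAMPLE_LOG):
    records = parse_log(text)
    beacons = summarize_beacons(records)
    return {
        "beacons": beacons,
        "verdicts": {src: classify(entry) for src, entry in beacons.items()},
        "unexplained": unexplained_external(records),
    }


if __name__ == "__main__":
    result = triage()
    for src, verdict in result["verdicts"].items():
        print(src, verdict, result["beacons"][src]["last_seen"].date())
    print("unexplained external lookups:", result["unexplained"])
```

On the constructed sample, the first Orion host beacons until 14 December and then goes quiet, so it is classified as compromised; the second is still resolving the C2 domain after the sinkhole date and is escalated as an active backdoor; the workstation querying notavsvmcloud.com is correctly ignored, and the first host's lookup of an unexpected CDN name is reported as the unexplained external communication the second step asks you to look for.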
Steps for SolarWinds Products Not Affected by the Attack
If your organization is running SolarWinds products that were not affected by the attack, or products that were affected, but you did not find malicious traffic, follow these steps:
- Download and install the latest software updates from the SolarWinds portal, and ensure servers running SolarWinds have other security updates and patches.
- Apply CIS Benchmark hardening recommendations to the Windows servers and supporting systems that run SolarWinds software. CIS-CAT Pro (part of CIS SecureSuite membership) or the free CIS-CAT Lite can assess those hosts against the benchmarks and report deviations.
- Monitor the environment for malicious communication or suspicious activities.
Steps for SolarWinds Products with Malicious Network Traffic
If you have a product affected by the malicious SolarWinds code and you have seen network traffic both to the malicious domain avsvmcloud.com and to an additional command and control destination, follow these steps:
- Perform forensic investigation of system memory and the host operating system on every system running an infected Orion version, capturing memory before anything is powered down.
- Analyze network traffic for additional malicious activity.
- Examine SolarWinds host systems for new users, new service accounts, new processes running, or other signs of persistence. Remove all accounts and persistence mechanisms created by the attackers.
- After forensic evidence has been collected, power down or disconnect all infected SolarWinds Orion instances from the network.
- Add firewall rules blocking all traffic to and from hosts outside the enterprise for any system on which Orion software is installed, as required by CISA Emergency Directive 21-01.
In addition to the above steps, CISA recommends:
- Reimaging and rebuilding affected systems.
- Restoring the firmware of all network infrastructure managed by SolarWinds to previous known-good versions.
- Resetting credentials across the enterprise, including user accounts, SNMP community strings, SSH keys and certificates, and enforcing multi-factor authentication (MFA).
- Applying hardened configurations to all affected systems.
- Following the additional guidance in the CISA joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity.
Checking your Supply Chain Web and API Application Security
The supply chain compromise itself did not hinge on a web application vulnerability, but SUPERNOVA did: it was planted through an authentication bypass in Orion's web API, and exposed APIs remain a likely path for follow-on attacks.
The build compromise required the attackers to gain write access to the software's build and distribution systems, the same kind of access that a vulnerable admin panel or upload endpoint exposes. Weak points in one system can be used to reach connected applications, so it is imperative to test not only your own products but also every third-party product you deploy.
Bright is a dynamic application security testing (DAST) solution that should be part of your toolset to detect and remediate vulnerabilities across your applications and APIs and mitigate this risk. Contact us now to learn more and request a demo.