SolarWinds Attack Campaign Alert and Information

SUNBURST Backdoor: Unfolding Information on the SolarWinds Attack Campaign

On December 13th, major news outlets began reporting that a highly-sophisticated supply chain attack had targeted and successfully breached two major U.S. agencies, gaining access to internal email traffic.

Emerging details reveal that threat actors behind this attack campaign gained access to these agencies and other organizations across different verticals and geographies by executing a supply chain attack trojanizing SolarWinds Orion business software updates and using them to distribute malware. The SolarWinds attack campaign post-breach activity has included lateral movement within networks and instances of successful data exfiltration.

FireEye, currently tracking the campaign closely, summarized details about the malware, SUNBURST, in a recent, comprehensive post:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

Who is impacted by the SolarWinds attack campaign?

While the threat actors have only targeted a portion of the customer base so far, this backdoor gives them potential access to every organization using the vulnerable Solarwinds products. Organizations using any product from the list below should assume network compromise and activate their incident response plans promptly if they have not already.

A known list of affected versions:

  • Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module (DPAIM)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SCM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

SolarWinds continues to update the list of affected products. It’s recommended that you verify as soon as possible what software versions you have installed (instructions can be found on the SolarWinds website).

Mitigation Recommendations

New threat and mitigation information continues to emerge. However, we have notified all customers with known instances of Solarwinds Orion software installed on network areas with Guardicore Centra coverage, giving them the following recommendations:

  1. Update your affected software based on the latest SolarWinds recommendations
  2. Until a hotfix is installed, we recommend you immediately limit SolarWinds servers’ communication to and from the internet using a Centra policy Override block rule.
  3. Ring-fence all servers running SolarWinds.
  4. Search the indicators of compromise provided by FireEye in your network to identify possible threat activity. This can be done with Guardicore Insight (available from Guaridocre Centra v35 release).

Reducing attack surface and preventing unauthorized lateral movement can significantly reduce the impact of similar attack campaigns on your organization in the future. To learn more about your risk reduction potential, request an attack surface analysis today.

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA ImageChange Image

‹ Back to Guardicore Blog