Emergency Directive Issued on SolarWinds Orion Software Compromise by Nation-State Actors
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive this week for federal agencies using SolarWinds Orion management software, which has been compromised in a sophisticated attack.
Affected products are versions 2019.4 through 2020.2.1 HF1. If organizations don't have the forensic expertise to detect the attack, then they should "immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network," the CISA directive indicated. CISA is part of the U.S. Department of Homeland Security, and this directive is just the fifth it's issued so far.
SolarWinds issued a security advisory suggesting that its customers upgrade to version 2020.2 HF 1 "as soon as possible." It's also recommending the installation of an additional hotfix, 2020.2.1 HF 2, available on Dec. 15, 2020, which will replace a "compromised component."
"We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack," the advisory indicated.
The software was compromised by a so-called "supply-chain" method of injecting compromised elements into SolarWinds' software updates.
Security solutions company FireEye, which last week disclosed that its Red Team forensics tools had been stolen, explained this week that a campaign using compromised SolarWinds Orion software "may have begun as early as Spring 2020 and is currently ongoing." The attackers use the tainted software to build a backdoor, dubbed "Sunburst" by FireEye, which "communicates via HTTP to third-party servers."
The attack is said to be narrowly targeted by state actors, thought to be working for Russia, according to a Reuters story. The attackers were monitoring e-mails at the U.S. Treasury and Commerce departments, the Reuters story indicated, and its author, Chris Bing, also indicated in a Twitter post that the Department of Homeland Security was compromised, as well.
In a Dec. 14 Securities and Exchange Commission filing, SolarWinds suggested that fewer than 18,000 of its customers could have been subject to the attack:
On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.
According to a Forbes story, the Pentagon is the biggest SolarWinds Orion software customer, along with the Navy and Army. The product is also used by the Department of Veterans Affairs, the National Institutes of Health and the Federal Bureau of Investigation, which is currently investigating the issue.
Microsoft was called into the investigation, too, and issued a couple of announcements about the SolarWinds breach. The management software is just used to gain a foothold, and then the attacker uses administrative permissions to "forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts," Microsoft explained.
In another announcement, Microsoft indicated it believes the attackers are acting on behalf of a "nation-state." They are able to compromise libraries using their own digital certificates "to evade application control technologies." The attackers embed "backdoor code into a legitimate SolarWinds library," which loads before the legitimate SolarWinds code loads.
Microsoft described the main implant as "Solorigate," which sets the stage for further compromise. Microsoft Defender antivirus software detects it.
"The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud.com to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data," Microsoft explained.
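One defender-side check that follows from Microsoft's note above, added here as an example that is not from the article, Microsoft or SolarWinds: scan a DNS resolver log for clients that resolved avsvmcloud.com or any of its subdomains. The log line layout and the sample lines are constructed assumptions, and the suffix match is written so that a look-alike name such as notavsvmcloud.com is not flagged.

```python
import re
from collections import defaultdict
from typing import Dict, Set

# Domain named in Microsoft's description of the malicious DLL's callouts (from the article).
SUSPECT_DOMAINS = ("avsvmcloud.com",)

# Constructed sample resolver log (not from any real incident).
# Assumed line layout: "<timestamp> <client-ip> query <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2020-12-14T03:11:02Z 10.20.1.15 query abc123.avsvmcloud.com A
2020-12-14T03:11:05Z 10.20.1.15 query updates.vendor.example A
2020-12-14T03:12:40Z 10.20.1.22 query notavsvmcloud.com A
2020-12-14T03:13:01Z 10.20.1.31 query def456.region-1.avsvmcloud.com A
2020-12-14T03:13:02Z 10.20.1.15 query AVSVMCLOUD.COM. A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'AVSVMCLOUD.COM.' equals 'avsvmcloud.com'."""
    return qname.lower().rstrip(".")


def is_suspect(qname: str) -> bool:
    """True for the domain itself or a genuine subdomain; 'notavsvmcloud.com' must not match."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in SUSPECT_DOMAINS)


def flag_clients(log_text: str) -> Dict[str, Set[str]]:
    """Map each client IP to the suspect names it queried; unparsable lines are skipped."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_suspect(m["qname"]):
            hits[m["client"]].add(normalize(m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(flag_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {', '.join(sorted(names))}")
```

Flagged clients are candidates for the forensic review the CISA directive describes, not proof of compromise on their own.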
The announcement included mitigation steps to follow for organizations affected, including running up-to-date anti-virus solutions, disabling SolarWinds software and even using hardware security for SAML token signing certificates, among other suggestions.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.