CISOs around the world whose organizations use SolarWinds’ Orion IT management platform are scrambling to patch the suite and look for signs of data theft after reports Sunday that recent security updates for the platform had been infected with malware. This led to numerous data breaches including last week’s embarrassing hack of security vendor FireEye.
It wasn’t immediately clear if this supply chain hack through SolarWinds is related to Sunday’s news that unnamed hackers broke into the networks of U.S. federal agencies responsible for deciding American internet and telecommunications policy, including the treasury and commerce department agencies.
In a statement, SolarWinds said it had just discovered its systems experienced, “a highly sophisticated, manual supply chain attack on Orion software builds for versions 2019.4 through 2020.2.1, released between March and June.
“We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.” Administrators are urged to upgrade to Orion Platform version 2020.2.1 HF 1 (Hot Fix). A follow-up Hot Fix will be released Tuesday.
UPDATE: In a filing with the U.S. Securities and Exchange Commission Solarwinds said of its 300,000 customers only 33,000 use Orion. Of those fewer than 18,000 are believed to have installed the bad update.
Separately, FireEye indirectly indicated this was the cause of the theft of tools it acknowledged last week. In the Dec. 8 revelation of that hack, Sunday’s statement said, FireEye promised to “provide updates as we discovered additional information.”
The statement then goes on to say that “we have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.”
In a detailed analysis, FireEye says the digitally signed malware update, which it calls Sunburst, delivers a Trojanized backdoor to victims. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs,” that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
All of the compromises FireEye says are linked to the campaign have four things in common:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection.
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity.
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.
The definition of a supply chain attack varies. It can include a supplier or partner that is allowed to connect to an organization — such as a managed service provider — or, as in this case, any of the hundreds of pieces of software any organization uses that gets patched manually or automatically.
FireEye says victims it has detected so far include government, consulting, technology, telecom and other organizations in North America, Europe, Asia and the Middle East.
One of the most infamous third party data thefts was the 2014 attack on retail chain Target, which was accomplished through a heating/ventilation (HVAC) supplier. Arguably the worst software-related third party attack was the 2017 NotPetya destructive worm originally placed in an update of Ukrainian accounting software called M.E.Doc. It was thought to have been created by a Russian-backed threat group to hit just Ukraine it spread around the world.
The Reuters news agency was among the first to report the latest U.S. government department hacks. Politico said the discovery prompted an emergency meeting Saturday of the White House’s National Security Council. It also quoted a source as saying the hacks involved a sophisticated compromise of federal workers’ Microsoft email accounts.
Ekaterina Khrustaleva, chief operating officer at ImmuniWeb noted that supply chain attacks have surged in 2020, in part because they offer rapid and inexpensive access to valuable data held by important victims. Victims, she added, usually have no technical means to detect intrusion in a timely manner unless the breached supplier informs them.
“Most of the suppliers cannot afford the same level of incident detection and response (IDR) as their clients for financial and organizational reasons. Eventually, hackers and nation-state threat actors deliberately target the weakest link, get fast results, frequently remain undetected and unpunished. Attribution of sophisticated APT (advanced persistant threat) attacks, as reportedly affected SolarWinds and subsequently its customers, remain a highly complicated, time-consuming and costly task. Global co-operation in cybercrime prosecution is vital to break the impasse and make computer crime investigable.”