Continuous Updates: Everything You Need to Know About the SolarWinds Attack

SolarWinds Orion Supply Chain

A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach the systems of Texas-based IT management and monitoring solutions provider SolarWinds.

Specifically, the attackers compromised the build system for the company’s Orion monitoring product, which enabled them to deliver trojanized updates to the company’s customers for at least three months.

Latest NewsThe attackers delivered malware to possibly thousands of organizations, including cybersecurity firm FireEye (which broke the news about the attack) and various U.S. government organizations.

Russian state-sponsored threat actors are suspected to be behind this supply chain attack, but Russia has denied the accusations.

CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

SecurityWeek is covering all the new information that emerges and here you can find a summary of all articles on this topic, as well as other useful resources. This article will be regularly updated with new information.

News Coverage

Hacked Networks Will Need to be Burned ‘Down to the Ground’ (12.19.20) Experts say it’s going to take months to kick elite hackers widely believed to be Russian out of U.S. government networks. The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” expert Bruce Schneier said.

Pompeo Blames Russia for Massive US Cyberattack (12.19.20) – Russia was “pretty clearly” behind a devastating cyberattack on several US government agencies that also hit targets worldwide, Secretary of State Mike Pompeo said.

SolarWinds Likely Hacked at Least One Year Before Breach Discovery (12.18.20) – An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.

Microsoft, Energy Department and Others Named as Victims of SolarWinds Attack (12.18.20) – Microsoft, the U.S. Energy Department and others have apparently also been targeted in the SolarWinds hack. An analysis of the SUNBURST malware DGA led to the discovery of 100 potential victims, and Microsoft claims to have also identified 40 of the hackers’ high-value targets. 

Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’ (12.17.20) CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales (12.17.20) – Few people were aware of SolarWinds, but the revelation that the company has been targeted by elite cyber spies has put many of its customers on high alert, and it’s raising questions about why its biggest investors sold off stock.

FBI, CISA, ODNI Describe Response to SolarWinds Attack (12.17.20) The FBI, CISA and ODNI have released a joint statement describing their roles in investigating and responding to the incident. The FBI is trying to find out who is behind the attack and disrupt their activities, and it has been working with victims to obtain useful information. CISA has issued an emergency directive instructing federal agencies to take steps to detect attacks, collect evidence and remove the attackers from their networks. ODNI is responsible for sharing information across the government and supporting the investigation by providing the intelligence community’s resources.

SolarWinds Removes Customer List From Site as It Releases Second Hotfix (12.16.20) – SolarWinds has released another patch for its Orion products. This second hotfix released in response to the attack not only provides additional security enhancements, but also replaces the compromised component. The company has also decided to remove from its website a page that listed many of its high-profile customers.

Killswitch Found for Malware Used in SolarWinds Hack (12.16.20) FireEye said the attackers leveraged the SolarWinds infrastructure to deliver a piece of malware named SUNBURST, and in the case of high-value targets a backdoor named Teardrop and a Cobalt Strike payload. An analysis of the malware revealed the existence of a domain that could be leveraged as a killswitch. FireEye, Microsoft and GoDaddy worked together to take control of the domain and disable SUNBURST deployments.

Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank (12.16.20) – After FireEye released IOCs, other cybersecurity firms linked the SolarWinds attack to previously analyzed campaigns. Volexity reported seeing an attack on a U.S. think tank where hackers used a novel method to bypass MFA and gain access to emails.

SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product (12.14.20) – SolarWinds has notified 33,000 customers of its Orion platform about the incident, but the company believes only up to 18,000 were actually impacted. The company said the attackers compromised its build system for Orion products, allowing them to deliver trojanized updates to customers between March and June 2020. The updates enabled the attackers to compromise the servers of organizations that received the malicious comproments.

Useful resources

• SolarWinds advisory (regularly updated)

• FireEye countermeasures

• FireEye analysis and IOC

• Emergency directive from CISA

• Symantec analysis of the malware used in the attack

• Microsoft analysis of the attack and IOC

• SolarWinds Post-Compromise Hunting with Azure Sentinel

• List of potentially impacted organizations based on DGA analysis

SunBurst Hunter” (Github) – Provides a Python client into RiskIQ API services. Tool currently provides support for SSL Certificates, SSL Certificates history and Component history

view counter

Previous Columns by SecurityWeek News:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *