SolarWinds, an IT software provider, recently announced that it was the victim of a cyberattack that inserted malware (code name SUNBURST) into its Orion Platform software. Following the announcement of the SolarWinds Orion compromise, the Department of Homeland Security released an advisory for mitigating the code compromise. Users were quick to point at high-profile customers, and the problem got worse when the attackers gained a foothold at these high-profile customers and started spreading the attack. FireEye announced that the attacker targeted and accessed the Red Team assessment tools it uses to test its customers' security. Microsoft released a blog post explaining that the sophisticated threat actor is focused on high-value targets such as government agencies and cybersecurity companies. Microsoft believes this is nation-state activity on a significant scale, aimed at both the government and the private sector. The FBI, CISA, and ODNI issued a joint statement on the severity of the attack.
The root cause of the SolarWinds Orion compromise attack was a vulnerability in the following versions of SolarWinds Orion software:
The first step in managing risk from the SolarWinds Orion compromise is to identify all assets in your environment that are potentially affected by the vulnerability. In Server Secure, this requires a simple search for CVE-2020-10148:
The Package Health view displays the status of all of the software packages on the server as of the most recent scan. To view results from a different scan, click the "Data as of" drop-down and select a different date. By default, the data in the list is sorted by criticality.
The graphic summary displays the following information:
You can click any part of the graphic or any count to filter the view according to your selection.
Affected systems should be fully rebuilt or upgraded to the latest version of SolarWinds Orion (at least version 2020.2.1HF2). DHS advises classifying your network into three categories and following the guidance that applies to each category.
Once (and only once) all threat actor-controlled accounts and identified persistence mechanisms have been removed, further guidance is available here.
The SolarWinds Orion compromise was carried out by a sophisticated threat actor focused on high-value targets such as government agencies and cybersecurity companies. Experts believe this is nation-state activity on a significant scale, aimed at both the government and the private sector. Organizations should immediately identify vulnerable assets and proceed with the mitigations above.