SolarWinds provides tools used by security and network managers in many of the largest businesses and governments in the world. Since March 2020 hackers inserted their own code into SolarWinds Orion software which was downloaded by some 18,000 customers – providing a backdoor into those customers’ networks.
SolarWinds Orion is a network health and performance monitoring tool that actively polls all the devices on a network to provide a real time view. It is extensively used by the US Government, large enterprises, and universities.
In a security advisory SolarWinds states:
SolarWinds has been made aware of a cyberattack to our systems that inserted a vulnerability within our SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. We have been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.
One of the organisations breached via the SolarWinds hack is cybersecurity firm FireEye, who advised that the intruders stole copies of FireEye’s Red Team Tools they use to test and stress their clients network security.
The attack on SolarWinds is an example of a supply chain attack, where attackers insert malicious code into software or devices before it arrives on your network in the hope that it will be trusted and deployed. Dubbed the Sunburst Attack, FireEye has detected active use of the compromised SolarWinds software on their clients systems since the Spring of 2020 and due to the sophistication and scale of the attack believes it to the be work of a nation state actor. Concerted co-operation within the cybersecurity industry resulted in the command and control server for the malware being identified and then taken over by Microsoft – throwing a killswitch which is hoped will deactivate the malware.
The malicious code inserted into SolarWinds resides in the SolarWinds.Orion.Core.BusinessLayer.dll which then communicates via HTTP with the command and control server controlled by the attackers.
According to research published by FireEye, the malware is able to transfer and execute files, profile the system it is running on and even reboot the server and disable system services.
The SolarWinds security advisory provides links to download clean replacement software as well as mitigations you can take to limit the malware’s activities until it can be removed.