SolarWinds announced a major security breach of its Orion Platform software in what is quickly becoming the most significant cybersecurity story of 2020. SolarWinds is coordinating with the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) to investigate and respond to the attack. In addition to the SolarWinds security advisory, CISA issued Emergency Directive 21-01 on December 13. Both are being updated as new information becomes available. Keep reading to find out more about what happened and what it means for you and your business.
A successful supply chain attack targeted the SolarWinds Orion IT monitoring and management platform. The attackers first compromised SolarWinds itself and used that access to insert a backdoor, known as SUNBURST, into legitimately signed Orion software updates. Once installed, the backdoor communicates with attacker-controlled servers, giving the attackers a foothold on the systems running Orion, that is, on SolarWinds' customers. Attacking one organization in order to reach that organization's customers is what makes this a supply chain attack.
SUNBURST does not act on its own. After installation it lies dormant for up to about two weeks, then beacons to attacker-controlled infrastructure, and the attackers decide which victims to pursue further. Once activated, SUNBURST can be used to transfer and execute files, run commands, profile the system, reboot the machine, and disable services. It is a highly sophisticated piece of malware: its network traffic is disguised as legitimate Orion Improvement Program traffic to blend in with normal SolarWinds activity, and it checks for security tools and analysis environments and stays quiet when it finds them.
Investigators believe the trojanized version of SolarWinds Orion (carrying the SUNBURST backdoor) was unknowingly distributed by SolarWinds starting in March 2020. They also believe the attack is the work of a hostile nation-state, specifically Russia.
Orion is a popular monitoring and management software platform used by 425 of the Fortune 500 companies. It is also used by multiple government agencies, including the US Departments of Homeland Security, Treasury, Commerce, and Energy, and all five US military branches. Officials at SolarWinds and the agencies investigating the incident believe that government agencies and contractors are the main targets of the attack, but any system on which Orion products were downloaded, installed, or updated between March and June 2020 could be affected.
The SUNBURST backdoor is present in Orion versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. SolarWinds estimates that as many as 18,000 of its 33,000 Orion customers could have installed an affected build. On December 17, Microsoft confirmed that it had found the trojanized Orion software in its own environment, and the same day the NSA issued a cybersecurity advisory for Microsoft cloud customers on detecting abuse of federated authentication to reach Azure and Microsoft 365 resources. Multiple companies and government agencies across North America, Europe, Asia, and the Middle East have also reported data loss and security breaches related to the SolarWinds attack.
What Should I Do If My Company Uses Orion?
designDATA recommends immediately isolating or powering down all systems with Orion software installed until you can begin executing a remediation plan; this is the same step CISA's Emergency Directive requires of federal agencies. Both SolarWinds and CISA are regularly updating their security alert pages as new information becomes available. SolarWinds has released hotfixes (2020.2.1 HF 2, released December 15) that remove the SUNBURST code, and recommends upgrading to the latest version immediately. Details, installation instructions and answers to other questions can be found on the SolarWinds Security Advisory FAQ page. We recommend checking for updates frequently and immediately implementing the action items advised by SolarWinds.
Patching removes the backdoor, but it does not evict an attacker who has already used it to establish other footholds in your network. If you believe your environment has been compromised, your response should include analyzing stored network traffic and DNS logs for telltale signs of a breach, such as lookups of previously unseen external domains from your Orion servers, and examining memory and the host operating system of every SolarWinds Orion Platform instance. If you have the expertise, this can be done in-house; if not, consult a cybersecurity vendor for advice on investigation and mitigation.
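As an added example (this is not code from the original post, nor from SolarWinds, CISA or designDATA), the following Python script performs two of the checks described in the two paragraphs above: it tells you whether an installed Orion version string is one of the three affected builds listed in the advisory, and it scans stored DNS query logs for lookups of the publicly reported SUNBURST command-and-control domain, avsvmcloud.com, and for external domains that were never seen before the March 2020 distribution window. The "timestamp client query" log layout, the internal DNS suffix, the baseline domain list and the sample log lines are all constructed for illustration and are not from the article.

```python
"""Post-compromise triage helpers for the Orion / SUNBURST advisory.

Added example; not code from SolarWinds, CISA or designDATA. The log layout,
internal suffix, baseline list and sample lines below are constructed.
"""
import re
from datetime import datetime

# Builds named as affected in the SolarWinds security advisory.
AFFECTED_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Publicly reported SUNBURST C2 domain (sinkholed after disclosure).
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Hypothetical internal DNS suffix: names under it are not "external".
INTERNAL_SUFFIXES = (".corp.example",)

# Start of the window in which trojanized builds were distributed.
WINDOW_START = datetime(2020, 3, 1)

_VERSION_RE = re.compile(r"(\d{4}\.\d+(?:\.\d+)?)(?:\s*HF\s*(\d+))?", re.IGNORECASE)


def normalize_build(version: str) -> str:
    """'2020.2 hf1' -> '2020.2 HF 1'; '2020.2' -> '2020.2'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {version!r}")
    base, hotfix = m.group(1), m.group(2)
    return f"{base} HF {int(hotfix)}" if hotfix else base


def is_affected_build(version: str) -> bool:
    """True if the version is one of the advisory's affected builds."""
    return normalize_build(version) in AFFECTED_BUILDS


# Constructed log layout: ISO timestamp, client IP, queried name per line.
_LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")


def registrable_domain(fqdn: str) -> str:
    """Last two labels of a name. Naive: it does not know multi-part public
    suffixes such as co.uk; use a public-suffix library in production."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def scan_dns_log(log_text: str, baseline_domains, window_start: datetime):
    """Return findings (dicts) in log order.

    kind 'known_c2'   : any query under the SUNBURST C2 domain
    kind 'new_domain' : first sighting, on/after window_start, of an external
                        registrable domain that is not in the baseline
    """
    seen = {d.lower() for d in baseline_domains}
    findings = []
    for raw in log_text.splitlines():
        m = _LOG_LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        ts = datetime.fromisoformat(m["ts"])
        fqdn = m["query"].rstrip(".").lower()
        if fqdn.endswith(INTERNAL_SUFFIXES):
            continue  # internal name, not an external domain
        domain = registrable_domain(fqdn)
        if domain == SUNBURST_C2_DOMAIN:
            findings.append({"kind": "known_c2", "ts": ts,
                             "client": m["client"], "query": fqdn})
        elif ts >= window_start and domain not in seen:
            findings.append({"kind": "new_domain", "ts": ts,
                             "client": m["client"], "query": fqdn})
        seen.add(domain)
    return findings


# Constructed sample data; the C2 subdomain label is made up.
BASELINE_DOMAINS = {"microsoft.com", "solarwinds.com"}
SAMPLE_DNS_LOG = """\
2020-02-10T08:00:01 10.0.0.12 www.microsoft.com.
2020-04-03T11:15:42 10.0.0.51 downloads.solarwinds.com.
2020-04-18T02:07:13 10.0.0.51 madeuplabel0123.appsync-api.eu-west-1.avsvmcloud.com.
2020-04-18T02:07:14 10.0.0.51 cdn.example.net.
2020-04-19T09:30:00 10.0.0.12 orion.corp.example.
2020-04-20T10:00:00 10.0.0.51 cdn.example.net.
"""


def demo():
    """Run both checks on the constructed sample and return the results."""
    versions = {v: is_affected_build(v) for v in ("2020.2 HF1", "2020.2.1 HF 2")}
    findings = scan_dns_log(SAMPLE_DNS_LOG, BASELINE_DOMAINS, WINDOW_START)
    return versions, findings


if __name__ == "__main__":
    versions, findings = demo()
    for v, hit in versions.items():
        print(f"{v:16s} affected={hit}")
    for f in findings:
        print(f"{f['ts'].isoformat()} {f['client']} {f['kind']:10s} {f['query']}")
```

In practice you would feed `scan_dns_log` an export from your resolver in its real format (adjust the line regex) and build the baseline from logs that predate March 2020. A `new_domain` finding is a lead to investigate, not proof of compromise, whereas any lookup under avsvmcloud.com from an Orion server is a strong indicator that the backdoor ran and beaconed.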
What Is The Community Doing?
A federal response force, including the Cybersecurity and Infrastructure Security Agency (CISA), is working with technology companies including SolarWinds, Microsoft, and FireEye to help affected organizations determine their exposure, clean infected systems, and safeguard critical infrastructure. FireEye disclosed its own breach on December 8, and it was FireEye's internal investigation of that intrusion that uncovered the trojanized Orion software and the scope of the campaign. Microsoft has used its legal and technical resources to take control of a domain used by the attackers' command-and-control infrastructure, turning it into a sinkhole. Microsoft Defender antivirus now detects the trojanized SolarWinds Orion binaries and quarantines them immediately, and other antivirus vendors such as Sophos and Symantec have followed suit.
What Are The Lessons Learned?
Cybersecurity experts acknowledge that this attack is frightening in its sophistication, scale, and potential impact on safety and security. This supply chain attack against SolarWinds, used as a means to an end to enable breaches at other, even larger targets, shows that the resources and capabilities of advanced persistent threat (APT) groups continue to grow, and that cyber defenses need to evolve continuously to keep pace.
This event can serve as a wake-up call for all business leaders choosing technology providers: the internal cybersecurity maturity of our providers and suppliers should be a critical factor in selecting a technology implementation. One of the biggest drivers for an organization to implement better cybersecurity controls is its customers, members, or donors demanding cybersecurity excellence. If we all require that excellence, security standards will rise for everyone.
We're Here to Help
The SolarWinds Orion security breach is a sobering reminder that cybersecurity is both critical and challenging. Attackers are constantly devising new ways to infiltrate systems, disrupt operations, and steal valuable data. To remain safe, you must stay alert and keep up to date on the most effective cybersecurity defenses. At designDATA, we pride ourselves on providing cybersecurity advice and solutions that are right for you.
Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.