CERT-In Advisory
CIAD-2020-0084
SolarWinds Orion Backdoor Supply Chain Attack (Sunburst/ Solorigate)
Original Issue Date: December 15, 2020
Updated: December 21, 2020
Severity Rating: High
Systems Affected
SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
Overview
A highly sophisticated supply chain attack has been reported against the SolarWinds Orion IT monitoring and management software, resulting in a backdoor that allows remote code execution and may further lead to lateral movement and data theft.
Description
SolarWinds Orion Platform software builds have been reported to be part of a sophisticated, manually executed supply chain attack.
In this attack, adversaries compromised updates to the SolarWinds Orion IT monitoring and management software, specifically a component called "SolarWinds.Orion.Core.BusinessLayer.dll" in versions 2019.4 HF 5 through 2020.2.1. The trojanized updates were digitally signed with a valid SolarWinds certificate and were posted on the SolarWinds website from March to May 2020, so signature validation alone does not reveal the compromise. The backdoor communicates with third-party servers over HTTP and can execute commands to transfer and execute files, profile the system, reboot the machine, and disable system services.
Solution
Organisations are recommended to apply updates mentioned in the SolarWinds Security Advisory, after appropriate testing.
- Users with Orion Platform version 2019.4 HF 5: Update to 2019.4 HF 6
- Users with Orion Platform version 2020.2 with no hotfix installed or 2020.2 HF 1: Update to 2020.2.1 HF 2
Recommendations
Organisations are strongly advised to take additional measures:
- Analyze all configuration for network devices managed by the Orion platform for alteration.
- Run up to date antivirus or EDR products that detect compromised SolarWinds libraries and potentially anomalous process behaviour by these binaries.
- Consider disabling SolarWinds in your environment entirely until you are confident that you have a trustworthy build free of injected code.
- Block all traffic to and from hosts where any version of SolarWinds Orion software has been installed.
- Identify and remove threat-actor controlled accounts and persistence mechanisms.
- Reset all credentials used by SolarWinds software and implement a rotation policy for these accounts.
- Validate all network device firmware/software which was stored or managed on the SolarWinds monitoring server. Cryptographic hash verification should be performed on such firmware/software to detect tampering, and the computed hashes should be matched against known-good hash values published by the network vendor.
- Affected organizations should determine the need to change credentials on all devices being managed by the affected SolarWinds platform. This includes:
- User credentials
- SNMP community strings
- IKE pre-shared keys
- Shared secrets for TACACS, TACACS+ and RADIUS
- Secrets for BGP, OSPF, EIGRP or other routing protocols
- Exportable RSA keys and certificates for SSH or other protocols
Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.
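The firmware/software validation step above amounts to recomputing a strong hash of every image held on the monitoring server and comparing it with the vendor's published value. The script below is an added example, not part of the CERT-In advisory or any SolarWinds tooling: it parses a sha256sum-style manifest, streams each file through SHA-256, and classifies every image as OK, TAMPERED, MISSING or UNEXPECTED (an extra image not listed by the vendor). The manifest, file names and image contents are constructed for the demonstration; substitute the vendor's real manifest and the directory your Orion server stores images in.

```python
"""Verify stored firmware/software images against vendor-published SHA-256 values.

Added example for the CERT-In advisory; the manifest and sample images in
demo() are constructed for illustration and are not real vendor hashes.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream images 1 MiB at a time; firmware files can be large


def sha256_file(path: Path) -> str:
    """Return the lower-case hex SHA-256 of a file without loading it fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>' or '<hex> *<filename>').

    Blank lines and '#' comments are skipped; the hex digest is validated so a
    corrupted or hand-edited manifest fails loudly instead of silently passing.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def verify_directory(directory: Path, expected: dict) -> dict:
    """Map each file name to 'OK', 'TAMPERED', 'MISSING' or 'UNEXPECTED'.

    Files present on disk but absent from the vendor manifest are reported as
    UNEXPECTED: an attacker with access to the monitoring server may stage an
    extra image beside the legitimate ones rather than modify an existing one.
    """
    results = {}
    present = {p.name for p in directory.iterdir() if p.is_file()}
    for name, digest in expected.items():
        if name not in present:
            results[name] = "MISSING"
            continue
        actual = sha256_file(directory / name)
        # compare_digest avoids timing side channels; harmless here, but a good habit
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "TAMPERED"
    for name in sorted(present - set(expected)):
        results[name] = "UNEXPECTED"
    return results


# --- constructed demonstration data (hypothetical device names and images) ---
GOOD_IMAGE = b"vendor firmware image v1.2.3\n" * 100
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"X"  # a single flipped byte at the end


def demo() -> dict:
    """Build a throwaway image directory plus manifest and verify it."""
    good_digest = hashlib.sha256(GOOD_IMAGE).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "router-a.bin").write_bytes(GOOD_IMAGE)      # untouched image
        (d / "router-b.bin").write_bytes(TAMPERED_IMAGE)  # modified image
        (d / "dropped.bin").write_bytes(b"not listed by the vendor")
        manifest = "\n".join([
            "# constructed vendor manifest in sha256sum format",
            f"{good_digest}  router-a.bin",
            f"{good_digest}  router-b.bin",
            f"{good_digest}  switch-c.bin",  # listed by vendor but not on disk
        ])
        return verify_directory(d, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

Run it against the real image directory by replacing demo() with a call to verify_directory(Path("<image dir>"), parse_manifest(open("<vendor manifest>").read())); treat any TAMPERED or UNEXPECTED result as a reason to re-obtain the image from the vendor rather than from the monitoring server.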
Vendor Information
https://customerportal.solarwinds.com/
References
SolarWinds
https://www.solarwinds.com/securityadvisory
https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm
US CERT
https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
FireEye
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
Microsoft
https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
CVE Name
CVE-2020-14005
CVE-2020-13169
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India