[BreachExchange] Malicious update to SolarWinds’ Orion platform blamed for global hacks, including FireEye

Destry Winant destry at riskbasedsecurity.com
Tue Dec 15 10:35:10 EST 2020


https://www.itworldcanada.com/article/malicious-update-to-solarwinds-orion-platform-blamed-for-global-hacks-including-fireeye/439555

CISOs around the world whose organizations use SolarWinds’ Orion IT
management platform are scrambling to patch the suite and look for
signs of data theft after reports Sunday that recent security updates
for the platform had been infected with malware. This led to numerous
data breaches including last week’s embarrassing hack of security
vendor FireEye.

It wasn’t immediately clear if this supply chain hack through
SolarWinds is related to Sunday’s news that unnamed hackers broke into
the networks of U.S. federal agencies responsible for deciding
American internet and telecommunications policy, including the
treasury and commerce department agencies.

In a statement, SolarWinds said it had just discovered its systems
experienced “a highly sophisticated, manual supply chain attack on
Orion software builds for versions 2019.4 through 2020.2.1, released
between March and June.

“We have been advised this attack was likely conducted by an outside
nation-state and intended to be a narrow, extremely targeted, and
manually executed attack, as opposed to a broad, system-wide attack.”

Administrators are urged to upgrade to Orion Platform version 2020.2.1
HF 1 (Hot Fix). A follow-up Hot Fix will be released Tuesday.
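To turn the affected-version range above into a quick inventory check, here is an added Python example; it is not code from the article, SolarWinds or FireEye. It assumes version strings of the form "2020.2.1" or "2020.2.1 HF 1" (a hypothetical format), treats any hotfix number of 1 or higher on 2020.2.1 as at or beyond the fix the article names, and runs over a constructed inventory; the function and host names are mine. A "fixed" result only means the patch level is current: a host that ever ran an affected build still needs the data-theft review the article describes.

```python
"""Triage an Orion inventory against the version range named in the article.

Added example, not from the article, SolarWinds or FireEye. Assumptions:
- version strings look like "2020.2.1" or "2020.2.1 HF 1" (hypothetical format)
- any hotfix number >= 1 on 2020.2.1 counts as at/after the fix the article names
- the inventory at the bottom is constructed sample data
"""
import re
from dataclasses import dataclass

AFFECTED_LOW = (2019, 4)        # article: "versions 2019.4 through 2020.2.1"
AFFECTED_HIGH = (2020, 2, 1)
FIXED_BASE = (2020, 2, 1)       # article: upgrade to 2020.2.1 HF 1
FIXED_HF = 1

# "2020.2.1", "2019.4 HF 5", "2020.2.1 HF 1" -> (base, optional hotfix number)
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class OrionVersion:
    base: tuple
    hotfix: int


def parse_version(text):
    """Parse an Orion version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return OrionVersion(base, hotfix)


def _pad(version_tuple, width=3):
    """Right-pad with zeros so 2019.4 compares as 2019.4.0."""
    return version_tuple + (0,) * (width - len(version_tuple))


def classify(text):
    """Return 'outside-range', 'upgrade-required' or 'fixed' for one version string.

    'fixed' means the patch level is at/after 2020.2.1 HF 1; it says nothing
    about whether the host was already backdoored while it ran an affected build.
    """
    v = parse_version(text)
    base = _pad(v.base)
    if base < _pad(AFFECTED_LOW) or base > _pad(AFFECTED_HIGH):
        return "outside-range"
    if base == _pad(FIXED_BASE) and v.hotfix >= FIXED_HF:
        return "fixed"
    return "upgrade-required"


def triage(inventory):
    """Map each (host, version_string) pair to its status; unparsable -> 'unparsed'."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparsed"   # needs a manual look rather than silent skip
    return report


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2020.2.1 HF 1"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-old-01", "2018.4"),
    ("orion-dev-01", "unknown"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

The check is deliberately conservative: everything inside the range that is not at 2020.2.1 HF 1 or later is reported as needing an upgrade, and strings the parser does not understand are surfaced rather than dropped, since an unreadable version field is exactly the host an analyst should look at by hand.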

UPDATE: In a filing with the U.S. Securities and Exchange Commission,
SolarWinds said that of its 300,000 customers only 33,000 use Orion. Of
those, fewer than 18,000 are believed to have installed the bad update.

Separately, FireEye indirectly indicated this was the cause of the
theft of tools it acknowledged last week. In the Dec. 8 revelation of
that hack, Sunday’s statement said, FireEye promised to “provide
updates as we discovered additional information.”

[Screenshot provided by FireEye of the signed, malicious Orion update.]

The statement then goes on to say that “we have identified a global
campaign that introduces a compromise into the networks of public and
private organizations through the software supply chain. This
compromise is delivered through updates to a widely-used IT
infrastructure management software—the Orion network monitoring
product from SolarWinds. The campaign demonstrates top-tier
operational tradecraft and resourcing consistent with state-sponsored
threat actors.”

In a detailed analysis, FireEye says the digitally signed malware
update, which it calls Sunburst, delivers a Trojanized backdoor to
victims. After an initial dormant period of up to two weeks, it
retrieves and executes commands, called “Jobs,” that include the
ability to transfer files, execute files, profile the system, reboot
the machine, and disable system services. The malware masquerades its
network traffic as the Orion Improvement Program (OIP) protocol and
stores reconnaissance results within legitimate plugin configuration
files, allowing it to blend in with legitimate SolarWinds activity. The
backdoor uses multiple obfuscated blocklists to identify forensic and
anti-virus tools running as processes, services, and drivers.

All of the compromises FireEye says are linked to the campaign have
four things in common:

Use of malicious SolarWinds update: Inserting malicious code into
legitimate software updates for the Orion software that allows an
attacker remote access into the victim’s environment.

Light malware footprint: Using limited malware to accomplish the
mission while avoiding detection.

Prioritization of stealth: Going to significant lengths to observe and
blend into normal network activity.

High OPSEC: Patiently conducting reconnaissance, consistently covering
their tracks, and using difficult-to-attribute tools.

The definition of a supply chain attack varies. It can include a
supplier or partner that is allowed to connect to an organization —
such as a managed service provider — or, as in this case, any of the
hundreds of pieces of software any organization uses that gets patched
manually or automatically.

FireEye says victims it has detected so far include government,
consulting, technology, telecom and other organizations in North
America, Europe, Asia and the Middle East.

One of the most infamous third-party data thefts was the 2014 attack
on retail chain Target, which was accomplished through a
heating/ventilation (HVAC) supplier. Arguably the worst
software-related third-party attack was the 2017 NotPetya destructive
worm, originally placed in an update of Ukrainian accounting software
called M.E.Doc. Although it was thought to have been created by a
Russian-backed threat group to hit just Ukraine, it spread around the
world.

The Reuters news agency was among the first to report the latest U.S.
government department hacks. Politico said the discovery prompted an
emergency meeting Saturday of the White House’s National Security
Council. It also quoted a source as saying the hacks involved a
sophisticated compromise of federal workers’ Microsoft email accounts.

Ekaterina Khrustaleva, chief operating officer at ImmuniWeb, noted that
supply chain attacks have surged in 2020, in part because they offer
rapid and inexpensive access to valuable data held by important
victims. Victims, she added, usually have no technical means to detect
an intrusion in a timely manner unless the breached supplier informs
them.

“Most of the suppliers cannot afford the same level of incident
detection and response (IDR) as their clients for financial and
organizational reasons. Eventually, hackers and nation-state threat
actors deliberately target the weakest link, get fast results, and
frequently remain undetected and unpunished. Attribution of
sophisticated APT (advanced persistent threat) attacks, such as those that
reportedly affected SolarWinds and subsequently its customers, remains a
highly complicated, time-consuming and costly task. Global co-operation in
cybercrime prosecution is vital to break the impasse and make computer
crime investigable.”
