Advisory & Monitoring Solution for Active Exploitation of SolarWinds Software

Active Exploitation of SolarWinds Software

Published: December 17, 2020, 10:00 am EST
US-CERT.CISA

Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on Active exploitation of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. Read Our Official Statement on the Active SolarWinds Exploit.

Description

This attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.

Determined Impact

An attacker who successfully installs trojanized SUNBURST backdoor components could perform file transfers, file execution, disabling system services, and gathering system information.

Why it is Critical?

The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.

Affected Components

SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1 HF 1

Mitigations/ Workarounds

Security Updates

SolarWinds recommends upgrading to Orion Platform version 2020.2.1 HF 2 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal.

Workarounds

If you cannot upgrade immediately, please follow the guidelines available here for securing your Orion Platform instance.

The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.

Required Actions

• SolarWind recommends taking the following steps related to your use of the SolarWinds Orion Platform: Solarwinds-security advisory
• Update any of the products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to ensure the security of your environment. This version is currently available here.
• SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which is available for download here.
• The hotfix release 2020.2.1 HF 2 is now available in the SolarWinds Customer Portal at customerportal.solarwinds.com. SolarWind recommend all customers update to release 2020.2.1 HF 2, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.
• Kindly ensure that the best practices are followed to secure other version of Orion Platform deployments [Orion platform-Core-secure-configuration]

Monitoring Mechanisms

Alert Monitoring

• New real time alert [EventTracker: Sunburst backdoor component with SolarWind supply chain pattern] has been created to monitor Sunburst backdoor trojan component patterns.

Existing P1 Alerts

• EventTracker: New Windows network process activity will be triggered when a new connection is observed to command and control server from installed trojan process based on the behavior.
• EventTracker EDR: New product or signer is detected will be triggered when a new product or signer is detected during the first time launch of SUNBURST components.
• EventTracker: A process has been terminated by EventTracker will be triggered when an identified bad Hash component launch is stopped by EventTracker agent based on the unsafe list.
• EventTracker: A process connected to an unsafe IP will be triggered when a connection is observed to unsafe IP addresses which are known to be involved in Command and control server.
• EventTracker: Improbable Geolocation login activity will be triggered when an unusual login is observed from few syslog sources.

Saved Searches, Dashboards/ Scheduled Report

• Saved searches/Dashboards has been created to identify the SolarWinds component Existence and Sunburst backdoor trojan Attack pattern.
• EventTracker: New Windows User Location Affinity Activity will be helpful in monitoring remote login activities

Indicator of Compromise

• EventTracker Threat Center has been updated with Identified Bad MD5 Hash Values and IP addresses in order to detect the IP address communication and terminate process launches based on the unsafe list.

IOC Type	Value
MD5
	02af7cec58b9a5da1c542b5a32151ba1
	08e35543d6110ed11fdf558bb093d401
	2c4a910a1299cdae2a4e55988a2f102e
	846e27a652a5e1bfbd0ddd38a16dc865
	b91ce2fa41029f6955bff20079468448
	4f2eb62fa529c0283b28d05ddd311fae
	56ceb6d0011d87b6e4d7023d7ef85676
	3e329a4c9030b26ba152fb602a1d5893
	e18a6a21eb44e77ca8d739a72209c370
IP Address
	54.193.127.66
	54.215.192.52
	34.203.203.23
	139.99.115.204
	5.252.177.25
	5.252.177.21
	204.188.205.176
	51.89.125.18
Domain (Monitored with Saved Search/Dashboard)
	deftsecurity.com
	freescanonline.com
	thedoccloud.com
	websitetheme.com
	highdatabase.com
	incomeupdate.com
	databasegalore.com
	panhardware.com
	zupertech.com
	avsvmcloud.com
	digitalcollege.org
	virtualdataserver.com
Exploited Components (Monitored with Real Time Alert)
	solarWinds.Orion.Core.BusinessLayer.dll
	app_web_logoimagehandler.ashx.b6031896.dll
	CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Known affected products
Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)

Reference Details:

https://www.solarwinds.com/securityadvisory
https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
https://github.com/fireeye/sunburst_countermeasures
http://hackdig.com/12/hack-227727.htm
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s managed platform approach of combining purpose-built technology and a team of cybersecurity experts gives customers and partners the ultimate flexibility to adapt and grow while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn.