The U.S. government has called on all government agencies to immediately disconnect from the SolarWinds Orion platform after FireEye detected a nation-state attack that trojanised business software updates to deliver a sophisticated data-stealing malware to organisations worldwide.
On Sunday, security firm FireEye said it discovered a new campaign by nation-state actors that involved hackers trojanising software updates of the SolarWinds Orion platform with a malware called Sunburst to infect organisations worldwide.
The hackers trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform that were released between March and June 2020 and infiltrated organisations worldwide that downloaded the trojanised software updates. According to FireEye, victims of the campaign include government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East.
The Orion Platform is marketed by SolarWinds as an advanced and seamless software solution that helps large-scale enterprises monitor and manage their IT infrastructures that are complex and geographically dispersed.
The software unifies data from multiple IT layers into an application-centric view, designed to enable powerful, end-to-end hybrid IT management, and deliver multi-cloud visibility along with deep on-premises monitoring. SolarWinds also sells an Orion Suite for Federal Government to enable governments worldwide to manage and monitor their IT infrastructure.
SolarWinds products, including the Orion platform, are used by more than 425 of the US Fortune 500 companies as well as by all five branches of the US military, all ten of the top ten US telecommunications companies, all five of the top five US accounting firms, and by the US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States. The NHS is also a user of the Orion platform.
According to FireEye, the hacking campaign began in spring this year, continues to affect organisations that downloaded the affected software updates, and is being carried out by a highly skilled actor with significant operational security.
The malware used in the operation is known as Sunburst. After infiltrating an IT environment, it stays dormant for up to two weeks to evade detection, and then begins to execute commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
Researchers also found that the malware disguises its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, and that the backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
"We are currently tracking the software supply chain compromise and related post intrusion activity as UNC2452. After gaining initial access, this group uses a variety of techniques to disguise their operations while they move laterally. This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment," they said.
Earlier today, SolarWinds released an urgent software update to the Orion Platform, stating that it has just been made aware of a highly sophisticated, manual supply chain attack to the Orion platform that was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
"We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal. An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements," the company said.
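The version ranges quoted above (affected builds 2019.4 HF 5 through 2020.2.1, fix in 2020.2.1 HF 1 and the forthcoming 2020.2.1 HF 2) are the first thing an Orion administrator needs to check against their own inventory. The following is an added example, not code from the article, FireEye or SolarWinds: it parses Orion version strings of the form "2019.4 HF 5" into a comparable tuple and triages a constructed host inventory against the ranges the article gives. The ordering rule (year.minor.patch, then hotfix number) and the hostnames are assumptions made for the example; the version boundaries themselves come from the article.

```python
import re
from typing import List, Dict, NamedTuple


class OrionVersion(NamedTuple):
    """Orion version as (major, minor, patch, hotfix); assumed ordering for this example."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts "2020.2.1", "2019.4 HF 5", "2020.2.1 HF 1", case-insensitive on "HF".
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> OrionVersion:
    """Parse an Orion version string; missing patch or hotfix components count as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Boundaries as stated in the article: trojanised builds 2019.4 HF 5 through 2020.2.1,
# fixed build 2020.2.1 HF 1, with 2020.2.1 HF 2 recommended once available.
AFFECTED_LOW = parse_orion_version("2019.4 HF 5")
AFFECTED_HIGH = parse_orion_version("2020.2.1")
FIXED_MIN = parse_orion_version("2020.2.1 HF 1")
RECOMMENDED = "2020.2.1 HF 2"


def classify(version_text: str) -> str:
    """Return 'affected', 'patched' or 'older' relative to the article's version ranges."""
    v = parse_orion_version(version_text)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v >= FIXED_MIN:
        return "patched"
    return "older"


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach a status and the article's recommended action to each inventory record."""
    actions = {
        # CISA's directive: disconnect or power down; SolarWinds: upgrade to the fixed build.
        "affected": f"disconnect per CISA directive; upgrade to 2020.2.1 HF 1, then {RECOMMENDED}",
        "patched": f"compromised component replaced; move to {RECOMMENDED} once available",
        "older": "outside the stated affected range; still review for indicators of compromise",
    }
    results = []
    for host in inventory:
        status = classify(host["version"])
        results.append({"host": host["host"], "version": host["version"],
                        "status": status, "action": actions[status]})
    return results


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    {"host": "orion-core-01", "version": "2020.2.1"},
    {"host": "orion-core-02", "version": "2020.2 HF 1"},
    {"host": "orion-lab-01", "version": "2019.4 HF 4"},
    {"host": "orion-core-03", "version": "2020.2.1 HF 1"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:15} {row['version']:14} {row['status']:9} {row['action']}")
```

Anything in the "affected" bucket is also the population whose network traffic and plugin configuration files deserve the closest review, since the article notes that the backdoor hides inside both. A host reported as "older" is only outside the range the article lists, not cleared by this check.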
"Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers. We are working to investigate the impacts of this incident and will continue to update you as we are made aware of any interruptions or impact to your business specifically," it added.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an Emergency Directive, advising all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks. Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation,” said CISA Acting Director Brandon Wales.
According to the Washington Post, the cyber attack, which involved trojanised software updates of the Orion platform to infect IT systems, breached the IT infrastructure of the U.S. Treasury and Commerce Departments and was orchestrated by the Russian government. The US government has so far refrained from naming the affected agencies or the nation that supported the operation.
Commenting on the malicious campaign to target US government agencies, Piers Wilson, Head of Product Management at Huntsman Security, says the supply-chain attack should be a serious wake-up call as even though organisations have fortified their own cybersecurity defences, a single partner or supplier being breached can undermine any positive action already taken.
"A holistic approach to cyber-security is vital to ensure defences are as effective as possible. Having the latest and greatest technologies to secure your own network is only a partial solution if your suppliers are not doing the same. Businesses often carry out due diligence on the financial viability of core partners to ensure they are not a risk. The same has to be true for cybersecurity.
"Regular assessment or monitoring of all partners’ and suppliers’ cybersecurity practices must become commonplace, alongside a robust cybersecurity programme to minimise the risk of falling victim to similar attacks. There is no doubt that as this attack is investigated we will see many more victims come to light. Organisations must act now if they aren’t sure their supply-chain is secure, as waiting will just increase the chances of becoming the next headline," he adds.