U.S. technology giant SolarWinds has confirmed that hackers recently injected the Supernova malware into vulnerable Orion products, designing it to appear to be part of a SolarWinds product so that it could deploy malicious code into the Orion platform.
The Orion Platform is marketed by SolarWinds as an advanced and seamless software solution that helps large-scale enterprises monitor and manage complex, geographically dispersed IT infrastructures. The software can be deployed on-premises, in virtualised environments, and in Microsoft Azure.
The software unifies data from multiple IT layers into an application-centric view, designed to enable end-to-end hybrid IT management and to deliver multi-cloud visibility alongside deep on-premises monitoring. SolarWinds also sells an Orion Suite for Federal Government, enabling governments worldwide to manage and monitor their IT infrastructure.
In December, security firm FireEye said it discovered a new campaign by nation-state actors that involved hackers trojanising software updates of the SolarWinds Orion platform with a malware called Sunburst to infect organisations worldwide.
The hackers trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform that were released between March and June 2020. According to FireEye, victims of the campaign include government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East.
According to The New York Times, while the trojanised software update was downloaded by as many as 18,000 private and public organisations, the Russian hackers behind the operation only targeted specific government agencies and private organisations. These included the Department of Homeland Security, the State Department, parts of the Pentagon, and the U.S. Treasury and Commerce Departments.
In a security advisory published on 31st December, SolarWinds said the exploit affects Orion platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, and that by exploiting the Sunburst vulnerability, hackers can compromise the server on which the Orion products run.
The company added that its initial investigations revealed that the hackers behind the operation also used the Supernova malware, which is not itself malicious code embedded in the product but was placed on a server, which requires unauthorised access to a customer's network, and was designed to appear to be part of a SolarWinds product.
"The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilisation of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates," the company said.
"This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with the goal of being able to attack subsequent users of the software.
"In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker," it added.
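A defender-side check based on the file name quoted in the advisory above, added here as an example that is not from SolarWinds or the article: it searches an Orion web directory for the named DLL and reports any copy that does not carry a valid Authenticode signature. The search root is an assumption about a typical Orion install, not a path given in the advisory.

```powershell
# Added example: look for the Supernova webshell DLL named in the SolarWinds
# advisory and flag copies without a valid Authenticode signature.
# The search root is an assumption about a typical Orion install; adjust it.
$SearchRoot = 'C:\inetpub\SolarWinds'                    # assumed Orion web root
$Pattern    = 'app_web_logoimagehandler.ashx*.dll'        # name quoted in the advisory

if (-not (Test-Path -LiteralPath $SearchRoot)) {
    Write-Warning "Search root $SearchRoot not found; set it to the Orion web directory."
    return
}

$Findings = Get-ChildItem -LiteralPath $SearchRoot -Filter $Pattern -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTimeUtc
            SigStatus = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

$Findings | Format-Table -AutoSize

# The advisory describes the malicious DLL as unsigned, so anything other than
# a valid signature is the copy worth preserving and escalating for review.
$Suspect = @($Findings | Where-Object { $_.SigStatus -ne 'Valid' })
if ($Suspect.Count -gt 0) {
    Write-Warning ("{0} copy/copies of {1} lack a valid signature; preserve the files and compare with a known-good install." -f $Suspect.Count, $Pattern)
}
```

An unsigned or hash-mismatched result is a lead, not proof on its own; compare the file against a clean installation of the same Orion version before drawing conclusions.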
Recently, Microsoft confirmed that the exploitation of the SolarWinds Orion Platform by state-sponsored actors impacted its servers and at least 40 customer organisations. An analysis by Microsoft revealed that 44% of the targeted organisations were in the IT sector, 18% were think-tanks or NGOs, 18% were government agencies, and 9% were government contractors.
Brad Smith, the president of Microsoft, said this particular cyber attack was "a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them" and it will require a strong and coordinated global cybersecurity response to counter such an attack.
"It’s critical that we step back and assess the significance of these attacks in their full context. This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.
"In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under," Smith said.