SolarWinds SUNBURST

By 14 December 2020 December 24th, 2020 Blog, CERT, SOC
SolarWinds

Recently, SolarWinds has announced that their Orion software from version 2019.4 HF 5 up to version 2020.2.1 was revised in an unauthorised manner by attackers. Meanwhile, this revised version is no longer available via the SolarWinds channels.

On the basis of the latest information, it is recommended to provide Orion systems with the latest updates (at least version 2020.2.1 HF 1) as soon as possible. This hotfix was released on Monday 14 December 2020; in addition, a second hotfix – 2020.2.1 HF 2 – is expected on Tuesday 15 December 2020.

This does, however, not mean that the problem is solved for parties where the malicious version has already been installed. If the malicious software is already active, then the chance exists that there has been question of unauthorised access to the infrastructure. As a result, malware may be spread throughout the network and additional actions are necessary! In the section ‘What can you do to prevent or limit potential damages?’ we provide a further explanation of this.

Detailed information about vulnerability

This malicious revision of the Orion software is present from version 2019.4 HF 5 up to version 2020.2.1. FireEye indicates the following about the functionality of the revised Orion software:

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

Potential risk

If a system has been provided with this revised software, then this can result in further attacks within the network. The SolarWinds Orion system could consequently be the first step in a larger attack. As a result, it becomes possible for the malicious entity behind this revision to move through the network with all fateful consequences.

Are my systems vulnerable?

From version 2019.4 HF 5 up to version 2020.2.1

What can you do to prevent or limit potential damages?

If SolarWinds Orion is being used within your organisation, then we recommend taking the following steps:

  1. Update SolarWinds Orion systems as soon as possible. If updating is not an option, then it is possible to make adjustments according to the guidelines of SolarWinds. volgens de guidelines van SolarWinds;
  2. Block all internet access for SolarWinds systems and isolate the system for further assessment;
  3. Change passwords of accounts that are used on Orion;
  4. Review recent changes that were made on network components
  5. Implement and monitor the new rules of FireEye as released via the monitoring system.
  6. Conduct a historical assessment of communication / connections with indicators from the information from FireEye. Communication with avsvmcloud[.]com is an indicator or compromise with an extremely high reliability.

At SOC customers of Tesorion, attacks on SUNBURST are detected via our network sensors.

In case of additional questions with regard to this vulnerability, potential doubts if a system was hit, or problems during the installation and/or configuration of the systems, you can always contact us.

If you suspect that you were affected by this vulnerability, then contact our T-CERT; they can help and assist you in the approach.