As reported approximately 2 weeks ago, the US Government and thousands of public and private sector organizations around the world had their networks and data systems breached in a massive attack believed to be conducted by a Russian intelligence group calling itself Cozy Bear.

Initial Discovery of SolarWinds Breach

The attack was discovered by cybersecurity company, FireEye, who upon learning they had been breached, immediately set about investigating how the attackers go past its defenses. They discovered the attack to SolarWinds Orion network monitoring software and the malware was distributed as a software update as far back as March 2020.

In a December 14 SEC filing, SolarWinds said that of its more than 300,000 customers, they believed that less approximately 18,000 entities may have downloaded the Orion update during the March-June 2020 timeframe, which likely included the malware.  This could be the most successful software supply chain attack in history.

Supply Chain Malware named Sunburst / Solorigate

A supply chain attack occurs when someone intrudes your system through an outside partner or provider with access to your systems and data, in this case, a software update. This attack can affect all of the supplier’s customers.  

The malware, now known as Sunburst, also referred to as Solorigate by Microsoft, once installed in a system, remained quiet for a couple of weeks. Solorigate operated stealthily and exfiltrated valuable intellectual property, confidential and proprietary data, emails, and other valuable information from victims’ systems. 

 Solorigate supply chain attack 

Source: Microsoft

In a report published by Microsoft, the goal of the SolarWinds hackers was to enter companies' networks through the tainted Orion update then escalate their access to their victims' local networks, and finally, the victims' cloud-based environments, where most of the sensitive data was being stored.

Who Uses SolarWinds?

Or better yet, who does not use SolarWinds? They are one of, if not the, Network Management System. SolarWinds has over 300,000 big-time customers, much of the US Federal government including the Department of Defense, 425 of the US Fortune 500, and many more customers worldwide.

Microsoft’s analysis identified more than 40 customers that the attackers targeted. The great majority of those were in the US (80%), but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, think tanks, and non-governmental organizations. It’s certain that the number and location of victims will keep growing.

SolarWinds Response

In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update. SolarWinds Security Advisory on this matter is published on their website. Click here for their list of Frequently Asked Questions on this matter.

Source: SolarWinds

Cybersecurity and Infrastructure Security Agency’s (CISA) Guidance for Government Agencies: Update Now

CISA in a recent update said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by close of business December 31, 2020. Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18.

If you are using SolarWinds software, please refer to the company’s guidance here to check for vulnerable versions and patch information. 

Teknologize is a Managed Service Provider with offices located in the Tri-Cities and Yakima, Washington, 509-396-6640 and Bend, Oregon 541.848.6072.