Cybersecurity Threat Advisory: SolarWinds Orion Backdoor
Posted on December 15, 2020 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
SolarWinds Orion, a widely deployed information technology (IT) monitoring and management platform, has been compromised through a trojanized software update: a sophisticated, state-sponsored attacker inserted a backdoor into a digitally signed Orion component that SolarWinds then distributed to its customers through the normal update channel. The backdoored application has been observed communicating with attacker-controlled third-party servers using traffic deliberately designed to look like legitimate Orion activity. The compromise affects many public- and private-sector organizations across the world. Any organization that runs SolarWinds Orion should follow the steps published by the Cybersecurity and Infrastructure Security Agency (CISA), summarized later in this article, to contain and remediate any potential issue.
Technical Detail and Additional Information
What is the threat?
A trojanized update, not a conventional software vulnerability, has been discovered in SolarWinds Orion, one of the most recognizable names in IT monitoring and management. The state-sponsored attackers, tracked by FireEye under the temporary name UNC2452, inserted a backdoor that FireEye calls SUNBURST into a digitally signed Orion component (the SolarWinds.Orion.Core.BusinessLayer.dll library), which SolarWinds then shipped to customers as a routine update. Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, carry the backdoor. Because the component is signed by SolarWinds and loaded by the legitimate Orion service, the backdoor runs with Orion's own privileges; it was observed communicating over Hypertext Transfer Protocol (HTTP) with attacker-controlled third-party servers, potentially giving the attackers a foothold inside highly secure networks across the globe. The trojanized update was distributed broadly rather than to any one sector, so public and private organizations worldwide are affected.
Why is this noteworthy?
SolarWinds has said its technology is used across the U.S. government, including the Pentagon, every branch of the military, the Postal Service, and the Office of the President. The trojanized update itself went to SolarWinds' customer base at large, but the activity has been tentatively linked to APT29, a group associated with the Russian Foreign Intelligence Service (SVR). Orion was compromised in a supply-chain attack: rather than attacking each victim directly, the attackers compromised a trusted vendor and rode its legitimate, signed update channel into that vendor's customers. By compromising this single link in the supply chain, the attackers gained a foothold in many networks that would have been far harder to breach one at a time.
What is the exposure?
The potential exposure is significant simply because of the number and nature of the organizations that installed the backdoored software. Any organization that installed one of the trojanized Orion updates, which date back to spring 2020, has the SUNBURST backdoor present on its Orion server. After an initial dormant period (up to about two weeks, according to FireEye), the backdoor attempts to contact a command-and-control (C2) server, disguising that traffic as legitimate SolarWinds Orion Improvement Program communications so that it blends into normal monitoring chatter. FireEye reports that the backdoor can transfer and execute files, profile the system, reboot it, and disable services; what the attackers did with that access inside any particular network has not been disclosed and must be established by each victim's own investigation. Orion servers are an especially valuable foothold because a monitoring platform typically holds privileged credentials for the network devices and servers it manages, so an attacker with undetected remote access to the networks of governments and major organizations across the world can cause sizable damage.
What are the recommendations?
SolarWinds has announced that it will release a new update (2020.2.1 HF 2) on Tuesday, December 15, which "replaces the compromised component and provides several additional security enhancements." CISA has issued Emergency Directive 21-01, which directs federal agencies to immediately disconnect or power down affected Orion instances, preserve forensic images of those hosts before changing them, and hunt for attacker-controlled accounts and other persistence mechanisms before rebuilding; the directive, linked below, is a sound playbook for non-federal organizations as well. Installing the hotfix alone is not remediation: a host that ran a trojanized build must be treated as compromised until an investigation says otherwise. Mission Critical Partners has added the indicators of compromise (IOCs) associated with this breach to its threat intelligence feeds, and our security operations center (SOC) is actively monitoring client networks for them.
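The first question every Orion operator has to answer is which servers ran a trojanized build and which still carry the backdoored DLL. The following Python script is an added example written for this advisory; it is not MCP, SolarWinds, FireEye or CISA code. It triages a constructed inventory in two ways: it checks each host's reported Orion Platform version against the builds named above as trojanized, and it hashes the SolarWinds.Orion.Core.BusinessLayer.dll file against an operator-supplied IOC list. The host names, the sample file contents and the IOC set are all constructed placeholders (the real hashes should be copied from the FireEye sunburst_countermeasures repository linked below); the function names are this example's own.

```python
"""SUNBURST exposure triage for an Orion inventory.

Added example (editor's code, not MCP's, SolarWinds', FireEye's or CISA's).
Two checks per host:
  1. is the installed Orion Platform build one the advisory names as
     trojanized (2019.4 HF 5 through 2020.2.1)?
  2. does SolarWinds.Orion.Core.BusinessLayer.dll, the component that was
     backdoored, hash to a value on the operator's IOC list?
The IOC list is meant to be filled from FireEye's sunburst_countermeasures
repository; the inventory and files below are CONSTRUCTED samples.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (year, minor, point release, hotfix)

# Builds named as trojanized by SolarWinds and FireEye. The remediated builds
# (2019.4 HF 6, 2020.2.1 HF 1, 2020.2.1 HF 2) are deliberately absent: a naive
# ">= 2019.4 HF 5" range test would wrongly flag them as affected.
AFFECTED_BUILDS = {
    (2019, 4, 0, 5),  # 2019.4 HF 5
    (2020, 2, 0, 0),  # 2020.2 with no hotfix
    (2020, 2, 0, 1),  # 2020.2 HF 1
    (2020, 2, 1, 0),  # 2020.2.1
}

_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.I)


def parse_orion_version(text: str) -> Version:
    """'2020.2.1 HF 2' -> (2020, 2, 1, 2). Raises ValueError on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, point, hotfix = m.groups()
    return (int(year), int(minor), int(point or 0), int(hotfix or 0))


def is_affected_build(text: str) -> bool:
    return parse_orion_version(text) in AFFECTED_BUILDS


def sha256_of(path: Path) -> str:
    """Stream the file so a large DLL is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class Finding:
    host: str
    version: str
    reasons: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # ED 21-01 treats any host that ran a trojanized build as compromised:
        # disconnect it first, preserve a forensic image, then investigate.
        return "ISOLATE AND IMAGE" if self.reasons else "no SUNBURST indicator"


def triage_host(host: str, version: str, dll_path: Optional[Path] = None,
                ioc_hashes: Iterable[str] = ()) -> Finding:
    finding = Finding(host, version)
    if is_affected_build(version):
        finding.reasons.append(f"runs trojanized Orion build {version}")
    if dll_path is not None and dll_path.is_file():
        digest = sha256_of(dll_path)
        if digest in {h.lower() for h in ioc_hashes}:
            finding.reasons.append(f"BusinessLayer DLL sha256 {digest[:16]}... is on the IOC list")
    return finding


def run_demo() -> List[Finding]:
    """Constructed inventory: affected build with a matching DLL, affected build
    with no file access, and a remediated build whose DLL is clean."""
    workdir = Path(tempfile.mkdtemp())
    bad_dll = workdir / "SolarWinds.Orion.Core.BusinessLayer.dll"
    bad_dll.write_bytes(b"CONSTRUCTED SAMPLE standing in for the trojanized DLL")
    clean_dll = workdir / "SolarWinds.Orion.Core.BusinessLayer.clean.dll"
    clean_dll.write_bytes(b"CONSTRUCTED SAMPLE standing in for the patched DLL")
    ioc_hashes = {sha256_of(bad_dll)}  # in practice: hashes copied from the FireEye repo
    inventory = [
        ("orion-prod-01", "2020.2.1", bad_dll),        # affected build AND IOC hash match
        ("orion-dr-01", "2019.4 HF 5", None),          # affected build; DLL not reachable
        ("orion-lab-01", "2020.2.1 HF 2", clean_dll),  # remediated build, hash not on list
    ]
    return [triage_host(h, v, p, ioc_hashes) for h, v, p in inventory]


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host:14} {f.version:14} {f.action}: {'; '.join(f.reasons) or '-'}")
```

The version check and the hash check are kept independent on purpose: a host whose version string has already been bumped by the hotfix but whose DLL still matches an indicator, or one whose version is affected but whose file cannot be read from the collection point, should each still be flagged. Either indicator alone is enough to isolate and image the host.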
For more in-depth information about the recommendations, please visit the following links:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
- https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
- https://cyber.dhs.gov/ed/21-01/
- https://github.com/fireeye/sunburst_countermeasures
Mike Beagles has specialized experience with supporting mission critical communications agencies by providing technical expertise, strategic IT planning, and architecting both on-prem and shared systems for new and innovative technologies as well as legacy solutions. He currently manages the platform and suite of tools used to deliver MCP network and cybersecurity monitoring to our clientele.
Topics: Public Safety, Cybersecurity, IT and Network Support, Utilities, Law Enforcement, Continuity of Operations and Disaster Recovery, Criminal Justice, 911 and Emergency Communications Centers, Fire and EMS, Smart and Safe Cities