FireEye etc.: Trojans in SolarWinds updates enable cyberattacks

Source: Heise.de added 15th Dec 2020


Suspected state hackers have succeeded in compromising SolarWinds' Orion platform and smuggling a Trojan into official updates. SolarWinds sells network and security products that are used by more than 300,000 customers worldwide. These include many Fortune 500 companies as well as government agencies such as the U.S. military, the Pentagon, and the State Department.

In the past few months, the attackers were apparently able to break into several US departments and agencies and steal files from the victims' IT systems. There are also indications that they infiltrated Microsoft 329 installations and were able to read the victims' e-mail traffic undetected for months. It appears to be the same group of hackers that is responsible for the cyberattack on the US security company FireEye.

The backdoor in SolarWinds Orion

In the meantime, FireEye has discovered that there has been a supply chain attack on the SolarWinds Orion platform. The attackers succeeded in smuggling a Trojan horse called Sunburst into an update, which SolarWinds then distributed for the Orion business software. How the attackers got into the SolarWinds network and manipulated the Orion software there is still unclear.

The file carrying the Trojan has a valid digital signature from the manufacturer.

(Image: FireEye)

The Trojan horse smuggled into the update acts on affected systems as a backdoor that communicates with Command & Control (C&C) servers, downloads additional modules, executes files and exchanges data. It can also stop system services or restart the system. The malware uses multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services, and drivers. In this way, the attackers managed to remain undetected in the agencies' systems for months.

In this context, FireEye is observing a large-scale campaign of cyberattacks, dubbed UNC2452, directed against government agencies and companies. The entry point is always the Sunburst malware with which the SolarWinds Orion platform was infected via updates. After an initial dormant phase of up to two weeks, the Trojan retrieves commands from the C&C servers and starts investigating the compromised system.

Warnings from CISA and SolarWinds

In response to the cyberattacks, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on 13 December 2020. It calls on US agencies that use SolarWinds products to analyze them using forensic methods and to block all network traffic to addresses outside the organization. Agencies without the appropriate expertise should immediately shut down the products because of a possible compromise.

SolarWinds has also issued a security advisory confirming that there was an attack on the Orion Platform software builds of versions 2019.4 HF 5 to 2020.2.1. These software versions were released between March 2020 and June 2020 and are infected by the Sunburst malware.

The manufacturer therefore recommends upgrading to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of the environment. The latest version is available on the SolarWinds customer portal. Whether a simple update of the Orion platform is enough to eliminate an infection, however, is doubtful given the complex circumstances. Anyone who has used the compromised software builds cannot avoid a review and forensic analysis of the affected systems.
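As an added triage helper (not part of the Heise article and not SolarWinds' own tooling), the following Python script orders Orion Platform version strings, including their "HF" hotfix suffix, and sorts an inventory of installed versions into the affected range 2019.4 HF 5 to 2020.2.1, the fixed build 2020.2.1 HF 1 and newer, or neither. The host names and the inventory are constructed sample data.

```python
import re

# Affected and fixed builds exactly as the SolarWinds advisory quoted above names them.
AFFECTED_FIRST = "2019.4 HF 5"
AFFECTED_LAST = "2020.2.1"
FIXED_VERSION = "2020.2.1 HF 1"

# Orion version strings look like "2019.4", "2020.2.1" or "2020.2.1 HF 1".
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.I)


def parse_orion_version(text):
    """Turn '2019.4 HF 5' into an orderable tuple (year, minor, patch, hotfix).
    Missing patch or hotfix parts count as 0, so 2020.2 < 2020.2.1 < 2020.2.1 HF 1."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an Orion Platform version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def classify_orion_build(version):
    """Return 'affected', 'fixed' or 'outside' for one installed version."""
    v = parse_orion_version(version)
    if parse_orion_version(AFFECTED_FIRST) <= v <= parse_orion_version(AFFECTED_LAST):
        return "affected"
    if v >= parse_orion_version(FIXED_VERSION):
        return "fixed"
    return "outside"  # older than the affected range; still worth confirming by hand


def triage_inventory(inventory):
    """Map host -> status for a {host: version} inventory.
    Unparseable entries become 'unknown' so nothing drops silently out of the review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify_orion_build(version)
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders.
    sample = {"orion-01": "2019.4 HF 5", "orion-02": "2020.2.1",
              "orion-03": "2020.2.1 HF 1", "orion-04": "2019.4 HF 4", "orion-05": "n/a"}
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host}: {status}")
```

A "fixed" result only says the installed build is the patched one; as the article notes, any host that previously ran an affected build still needs the forensic review.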

Microsoft publishes customer guidance

Microsoft also documents the current state of knowledge in a blog post. Administrators of affected customers will find details on the most recent state-sponsored cyberattacks, and information on security issues related to an infection, in the customer guidance issued by the Microsoft Security Response Center on Sunday (13 December 2020). Among other things, it lists possible hash values of compromised versions of the SolarWinds.Orion.Core.BusinessLayer.dll file. Microsoft Defender Antivirus detects the malware as Trojan:MSIL/Solorigate.B!dha starting with signature version 1.329.3680.

(ju)
