SolarWinds Data Breach Action Plan
A recently reported state-sponsored cyberattack (attributed to the actor tracked as UNC2452) targeting U.S. interests in a widespread cyberespionage campaign has compromised SolarWinds’ Orion Network Management Products and poses risks to the security of federal and commercial networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to federal civilian agencies to review their networks for suspicious activity and to disconnect or power down SolarWinds Orion products immediately.
SolarWinds’ networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies and education institutions. Its customers include major U.S. telecommunications companies, all five branches of the U.S. military, and other prominent government organizations, including the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.
SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed component of the SolarWinds Orion IT monitoring and management software framework, contains a backdoor that communicates over HTTP with third-party servers. Set up as a supply chain attack, the event took advantage of trojanized SolarWinds Orion business software updates to distribute a backdoor called SUNBURST. A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in its supply chain. Attackers tamper with the manufacturing or build process of a product, for example by installing a rootkit or a hardware-based spying component.
FireEye also recently announced its own investigation into a breach of its network, and into the widespread distribution of SUNBURST, which was again hidden in legitimate updates of SolarWinds’ Orion network management technology. FireEye is a cybersecurity company that provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.
Thought to have been months in the making, beginning as early as Spring 2020, this campaign is still ongoing. Post-compromise activity following this supply chain compromise is proving to include lateral movement and data theft. What makes this even more of an embedded risk is that a malicious software class was included among otherwise legitimate classes and the result was signed with a legitimate certificate. This infected version of the SolarWinds Orion plug-in pretends to be the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The trojan, after an initial dormant period of up to two weeks, begins to retrieve and execute commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. OIP is primarily used to collect performance and usage statistics from SolarWinds users for product improvement purposes.
SUNBURST is a first-stage trojan that attackers can use to drop additional payloads for privilege escalation, lateral movement, and data theft on infected networks. The trojanized update file appears to be a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once this update is installed, the malicious DLL is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on the system configuration). A list of known malicious infrastructure is available on FireEye’s GitHub page.
FireEye also recently disclosed that it has fallen victim to the cyberattack, which compromised the software tools it uses to test the defenses of its customers. The stolen Red Team tools, totaling as many as 60, are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and tools developed in-house (40%).
Since the breach was disclosed, Microsoft and numerous other vendors of malware detection tools have also added signatures for the malicious DLL that FireEye observed was being used to distribute SUNBURST.
The White House National Security Council (NSC) announced that a Unified Coordination Group (UCG) has been established to ensure a coordinated federal agency response to the threat. The Presidential Policy Directive 41 (PPD-41) process is intended to facilitate continuous and comprehensive coordination of whole-of-government efforts to identify, mitigate, remediate and respond to this event.
Additionally, DHS’s CISA issued its emergency directive AA20-352A ordering all federal civilian agencies to immediately power off and disconnect instances of SolarWinds Orion. It also provides new mitigation guidance and revises the indicators of compromise table. Lastly, it includes a downloadable STIX file of the IOCs. In addition, CISA released supplemental guidance to Emergency Directive (ED) 21-01, providing new information on affected versions, new guidance for agencies using third-party service providers, and additional clarity on required actions.
CISA is encouraging users and administrators to review the following resources for additional information on the SolarWinds Orion compromise:
- CISA Emergency Directive 21-01 - Supplemental Guidance v.1
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
SolarWinds Releases Security Advisory
In its security advisory, SolarWinds states that the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software released between March and June 2020. It calls for users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.
SolarWinds also released an additional hotfix, 2020.2.1 HF 2, on December 15th to replace the compromised component and add several extra security enhancements.
FireEye’s analysis of SUNBURST has shown that the malware can be prevented from operating under specific conditions. The kill switch is effective against new and previous SUNBURST deployments that might still be “beaconing out” to avsvmcloud dot com, the location of the malware’s command and control server.
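The two checks a defender would want from the advisory text above, as an added example that is not part of the original action plan: classify an installed Orion Platform version against the affected range (2019.4 through 2020.2.1, with HF 1 and HF 2 as the fixed releases) and flag DNS queries for the command-and-control domain. The DNS log format and the sample lines are constructed for this example; the domain is written as a plain string.

```python
import re
from typing import Iterable, List, Tuple

# Affected Orion Platform versions per the SolarWinds advisory: 2019.4 through
# 2020.2.1 inclusive; 2020.2.1 HF 1 and HF 2 are the fixed releases.
AFFECTED_LOW = (2019, 4, 0, 0)
AFFECTED_HIGH = (2020, 2, 1, 0)
# Command-and-control domain named in the advisory (plain form of "avsvmcloud dot com").
C2_DOMAIN = "avsvmcloud.com"

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF 2", "2019.4 HF 5" (case-insensitive).
_VER_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an Orion Platform version string into a comparable (year, major, minor, hf) tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    year, major, minor, hf = m.groups()
    return (int(year), int(major), int(minor or 0), int(hf or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range (hotfixes above 2020.2.1 are clean)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def beacon_hits(dns_log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs for DNS queries to the C2 domain or any subdomain."""
    hits = []
    for line in dns_log_lines:
        # Constructed log format: "<timestamp> <client-ip> QUERY <name>"
        parts = line.split()
        if len(parts) < 4 or parts[2] != "QUERY":
            continue
        name = parts[3].rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.append((parts[1], name))
    return hits


# Constructed sample DNS log: one benign host and one host resolving a C2 subdomain.
SAMPLE_DNS = [
    "2020-12-14T02:11:05Z 10.0.5.12 QUERY www.example.com",
    "2020-12-14T02:12:40Z 10.0.5.12 QUERY abc123.avsvmcloud.com.",
    "2020-12-14T02:13:01Z 10.0.5.20 QUERY updates.example.com",
]

if __name__ == "__main__":
    for v in ("2019.4 HF 5", "2020.2.1", "2020.2.1 HF 2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(beacon_hits(SAMPLE_DNS))
```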
SolarWinds Orion Cyberattack and Financial Institutions
As of now, according to the Financial Services Information Sharing and Analysis Center, a network of financial firms sharing information about cyber threats, there has not been significant focus on the financial sector, nor have there been reports indicative of negative impacts amongst the financial services industry. FS-ISAC has been continuously monitoring and providing strategic and tactical reports detailing the attack vectors and offering best practices to mitigate risk. But this is not a guarantee and banks need to remain vigilant in monitoring the supply chain attack on the SolarWinds Orion Platform and subsequent customer breaches.
The Treasury Department is seeking feedback from financial institutions that have run the compromised SolarWinds Orion systems at OCCIP-Coord@treasury.gov or anonymously through FS-ISAC at email@example.com.
The Action Plan is advisory in nature and is not intended to be legal advice. Financial institutions need to assess their own unique vulnerabilities and response plans. Consult with legal counsel, Vendor Management and an IT/IS professional, as well as competent third-party vendors, on any additional next steps.