CISA releases emergency directive regarding active exploitation of SolarWinds software

Monday, Dec 14, 2020

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive regarding the active exploitation of the SolarWinds Orion Platform, versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.

SolarWinds has released a security advisory here: https://www.solarwinds.com/securityadvisory

This exploitation has been attributed to a highly sophisticated, manual supply chain attack by a suspected nation-state actor.
Users of SolarWinds Orion should immediately upgrade their platform to Orion Platform version 2020.2.1 HF 1.

If you are unable to upgrade immediately, SolarWinds recommends the following mitigations: install Orion behind your firewall, disable internet access to the platform, and limit ports and connections to only what is necessary. In this situation, organizations should still make updating the platform a top priority. Organizations utilizing Orion should also watch for an additional patch, 2020.2.1 HF 2, anticipated to be released tomorrow, December 15th, 2020. This release replaces the compromised component and provides several additional security enhancements.

FireEye, which originally brought the attack to SolarWinds’ attention, has released intelligence regarding it and attributes the activity to the threat group tracked as UNC2452. The attack utilizes a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll, dubbed SUNBURST, that contains a backdoor which connects to the threat actors’ servers.

FireEye’s blog post on SUNBURST and the SolarWinds attack can be found here: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Additionally, FireEye has released signatures to detect this threat actor on its GitHub page, referenced in the post here: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Nuspire is actively threat hunting in our client environments for any sign of compromise.

Recommendations

•    Organizations utilizing SolarWinds Orion should immediately update to 2020.2.1 HF 1 and anticipate updating to 2020.2.1 HF 2 tomorrow: https://www.solarwinds.com/securityadvisory
•    Use the FireEye signatures, found here, to threat hunt in your environment: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
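As an added example that is not part of this alert, SolarWinds’ tooling or FireEye’s signatures, the Python below turns the affected-version range stated above into a triage check and inventories the path, size and SHA-256 of every copy of SolarWinds.Orion.Core.BusinessLayer.dll under a directory, so the values can be compared against the vendor’s and FireEye’s published indicators. The version-string format and hotfix handling are assumptions, and the directory tree built in demo() is constructed, not a real Orion install.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Affected range named in the directive: Orion 2019.4 through 2020.2.1; 2020.2.1 HF 1 is the fix.
AFFECTED_MIN, AFFECTED_MAX, FIXED_HOTFIX = (2019, 4, 0), (2020, 2, 1), 1
TROJANIZED_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"
# Assumed format: "2020.2.1 HF 1" (patch and hotfix parts are optional).
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(text):
    """'2020.2.1 HF 1' -> ((2020, 2, 1), 1); a missing patch or hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0)), int(hotfix or 0)


def is_affected(text):
    """True when the version lies in the affected range and lacks HF 1 or later."""
    base, hotfix = parse_orion_version(text)
    if base < AFFECTED_MIN or base > AFFECTED_MAX:
        return False
    return not (base == AFFECTED_MAX and hotfix >= FIXED_HOTFIX)


def inventory_dll(root):
    """Find every copy of the component under root; return path, size and SHA-256 of each."""
    findings = []
    for path in Path(root).rglob(TROJANIZED_DLL):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        findings.append({"path": str(path), "size": path.stat().st_size, "sha256": digest})
    return findings


def demo():
    """Run the inventory over a constructed directory tree (no real DLL involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "SolarWinds" / "Orion"
        install.mkdir(parents=True)
        # Constructed placeholder content, 34 bytes; a real DLL would be hashed the same way.
        (install / TROJANIZED_DLL).write_bytes(b"constructed sample, not a real DLL")
        return inventory_dll(tmp)
```

Point inventory_dll() at the Orion installation root on a host and compare each reported hash with the indicators published by SolarWinds and FireEye; a version that is_affected() flags as True needs HF 1 before anything else.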