Alert Logic is actively researching an attack against SolarWinds that resulted in compromised versions of software updates for the SolarWinds Orion product being published on their official website. With this global intrusion campaign, the SolarWinds supply chain is being utilized to compromise victims with SUNBURST backdoor.
If you are using the SolarWinds Orion Platform software, it is recommended to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible. For more information about mitigation steps, refer to Recommendations for Mitigation below.
Alert Logic does not use any SolarWinds products and is not affected by this breach.
Vulnerability Description
On December 13, 2020, it was publicly announced that an APT style attack against SolarWinds resulted in compromised software builds for versions 2019.4 HF 5 through 2020.2.1 of the Orion Platform software, released between March 2020 and June 2020. This supply chain attack trojanizes SolarWinds Orion business software updates to distribute malware being called SUNBURST. Successful attacks have been recorded including post-compromise lateral movement and data theft. For more information from SolarWinds, refer to their Security Advisory.
In response to this breach, the Department of Homeland Security (DHS) issued Emergency Directive 21-01 with background and risk mitigatoin guidance. On December 17, the Cybersecurity and Infrastructure Security Agency (CISA) followed this directive with additional details in Alert AA20-352A.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic vulnerability scanning can detect SolarWinds installations and versions to identify vulnerable assets. Additionally, new unauthenticated scan coverage has been deployed to report "SolarWinds - Orion with SUNBURST Malware Supplychain issue" on compromised versions.
Network IDS: IDS signatures have been deployed by the Alert Logic Threat Intelligence team to enable efficient monitoring by the Alert Logic Security Operations Center. Alert Logic is actively researching this threat to determine whether additional IDS signatures can be developed to identify exploitation.
Web Application Firewall: Alert Logic is actively developing signatures to block attacks exploiting this vulnerability. This article will be updated once this coverage is deployed.
Log Management: Alert Logic is actively researching this threat to determine whether log coverage can detect attacks.
Recommendations for Mitigation
While SolarWinds’ primary recommendation is to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible, Alert Logic recommends following guidance provided by the DHS in Emergency Directive 21-01. General mitigation guidance is as follows:
- Check which version of SolarWinds Orion platform you are running. All versions from 2019.4 HF 5 through 2020.2.1 are compromised and contain backdoors. If you are not sure which version of the Orion Platform you are using, refer to SolarWinds’ directions on how to check your version.
- Forensically store all versions of SolarWinds Orion for breach analysis.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
- Treat all hosts monitored by SolarWinds Orion as compromised.
- Upgrade SolarWinds Orion to version 2020.2.1 HF 2. The latest version is available in the SolarWinds Customer Portal.
Updates
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of the article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
12/15/2020: A specific check has been deployed for unauthenticated vulnerability scanning to report ”SolarWinds – Orion with SUNBURST Malware Supplychain issue” on compromised versions.
Comments
1 comment
On December 15, 2020, Alert Logic deployed a specific check for unauthenticated vulnerability scanning to report ”SolarWinds – Orion with SUNBURST Malware Supplychain issue” on compromised versions.
Please sign in to leave a comment.