SolarWinds, an IT software provider, recently announced that it was the victim of a cyberattack that inserted malware (code name SUNBURST) within their Orion Platform software. Following the announcement of the SolarWinds Orion compromise, the Department of Homeland Security released an advisory for mitigating the code compromise. Users were quick to point at high profile customers, and the problem got worse when the attackers got a foothold at these high profile customers and started spreading the attack. Fireeye announced that the attacker targeted and accessed their Red Team assessment tools that they use to test their customers’ security. Microsoft released a blog post explaining the sophisticated threat actor is focused on high-value targets such as government agencies and cybersecurity companies. Microsoft believes this is nation-state activity on a significant scale, aimed at both the government and private sector. The FBI, CISA, and ODNI issued a joint statement on the severity of the attack.
The root cause of the SolarWinds Orion compromise attack was a vulnerability in the following versions of SolarWinds Orion software:
- Orion Platform 2019.4 HF5, DLL version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, DLL version 2020.2.100.12219
- Orion Platform 2020.2 RC2, DLL version 2020.2.5200.12394
- Orion Platform 2020.2, DLL version 2020.2.5300.12432
- Orion Platform 2020.2 HF1, DLL version 2020.2.5300.12432
SolarWinds Orion Compromise Vulnerability Identification
The first step in managing risk from the SolarWinds Orion compromise is to identify all assets in your environment for the potential vulnerability. In Server Secure, this requires a simple search for CVE-2020-10148:
The Package Health view displays the status of all of the software packages on the server at the time of the most recent scan. If you want to view results from a different scan, click the Data as of drop-down to select a different date. By default, the data in the list is sorted by criticality.
The graphic summary displays the following information:
- Packages by Result: Displays the total count of software packages on the server by scan result and criticality:
- Vulnerable (critical)
- Vulnerable (non-critical)
- OK (no vulnerabilities detected)
You can click any part of the graphic or any count to filter the view according to your selection.
- Vulnerable Packages by Remote Exploitability: Displays the total count of vulnerable packages on the server according to how many of those vulnerabilities are remotely exploitable. You can click any part of the graphic or any count to filter the view according to your selection.
- CVEs by CVSS Severity: Displays the total count of CVEs on the server by CVSS v3 severity levels: Critical, High, Medium, and Low.
Vulnerability Mitigation for SolarWinds Orion Compromise
Affected systems should be fully rebuilt or upgraded to the latest version of SolarWinds Orion—at least version 2020.2.1HF2. DHS advises classifying your network into three categories and following guidance per category.
- Category 1 – Networks that do not, and never did, utilize the affected versions of SolarWinds Orion.
- Category 2 – Networks that utilize or utilized affected versions of SolarWinds Orion but have forensically demonstrated that, at most, only initial beaconing activity occurred, and the threat actor conducted no follow-on activity.
- Category 3 – Networks that utilized affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity.
After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed; there is further guidance here.
SolarWinds Orion Compromise Conclusion
The SolarWinds Orion compromise was sponsored by a sophisticated threat actor that is focused on high-value targets such as government agencies and cybersecurity companies. Experts believe this is nation-state activity on a significant scale, aimed at both the government and private sector. Organizations should immediately identify vulnerable assets and proceed with mitigations.