Trojanized SolarWinds Orion IT updates have been used since Spring 2020 to compromise a range of government and private sector targets, with the US today issuing a rare emergency directive that calls on "all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
The Department of Homeland Security "is aware of cyber breaches across the federal government", it said, "and working closely with our partners in the public and private sector on the federal response."
SolarWinds is a publicly listed US company that provides IT monitoring and management tools built for SysAdmins and network engineers. Its software is used for remote access to servers, workstations, and network equipment across a sweeping array of organisations and agencies. It offers granular visibility across everything from network traffic to applications.
Public contract data suggests it is in use at the State Department, Department of Defense and many other US gov't bodies. Among the UK users is the National Health Service. A sophisticated compromise of its build and update system meant multiple updates were trojanised (malware slipped into them), then digitally signed with SolarWinds' own certificate between March and May 2020 and posted to the SolarWinds updates website. The malware activates on victim machines after lying dormant for two weeks, with command and control traffic designed to mimic normal SolarWinds API communications.
FireEye has published IOCs and further technical details.
European governments, telcos and tech firms are also believed to have been hit in the campaign, which uses malware that hides its network traffic as the Orion Improvement Program (OIP) protocol and which "stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity".
Security firm FireEye, itself a victim, said it is tracking the attackers as UNC2452 and that victims have included a wide range of "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East." The backdoor uses "multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers", it said in a detailed update, which also notes that the campaign uses a previously unseen memory-only dropper.
SolarWinds told customers early Monday: "SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
"We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
"We recommend taking the following steps related to your use of the SolarWinds Orion Platform. We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal... An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020."
US gov't: "Disconnect or power down SolarWinds Orion products immediately."
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. "[The directive is] intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
Microsoft added in its own update on the global campaign: "[Attackers are also using] administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts. Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate.
"Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization. Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application."
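The point in Microsoft's note is that signature validation alone will not catch a forged token, because the forgery is signed with the organisation's own trusted certificate. One detection a practitioner would want is to correlate the tokens the cloud relying party accepted against the assertions the on-premises federation server actually issued, and to check each token's validity window against the lifetime policy. The example below is added here and is not code from the article, Microsoft or SolarWinds; the log records are constructed, and the field names (`assertion_id`, `not_before`, `not_after`, `add_credential`, the one-hour lifetime policy) are assumptions rather than any vendor's schema.

```python
"""Cross-check SAML sign-ins against IdP issuance records to spot forged tokens.

Added example, not from the article, Microsoft or SolarWinds. All records are
constructed and the field names are assumptions, not a real vendor log format.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed IdP issuance log: every assertion the legitimate federation
# server signed. A forged token never appears here, because the attacker
# signed it offline with the stolen certificate.
IDP_ISSUED: List[Dict[str, str]] = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2020-12-13T09:00:00Z"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "issued": "2020-12-13T09:05:00Z"},
]

# Constructed relying-party (cloud) sign-in log: assertions presented to the
# service. The last entry models a forged token for a privileged account with
# a two-day lifetime, which the IdP's policy would never issue.
RP_SIGNINS: List[Dict[str, str]] = [
    {"assertion_id": "_a1", "user": "alice@corp.example",
     "not_before": "2020-12-13T09:00:00Z", "not_after": "2020-12-13T10:00:00Z", "src_ip": "198.51.100.10"},
    {"assertion_id": "_a2", "user": "bob@corp.example",
     "not_before": "2020-12-13T09:05:00Z", "not_after": "2020-12-13T10:05:00Z", "src_ip": "198.51.100.11"},
    {"assertion_id": "_f9", "user": "breakglass-admin@corp.example",
     "not_before": "2020-12-13T09:10:00Z", "not_after": "2020-12-15T09:10:00Z", "src_ip": "203.0.113.77"},
]

# Constructed directory audit log: credential additions to application service
# principals, the follow-on step Microsoft describes.
SP_AUDIT: List[Dict[str, str]] = [
    {"time": "2020-12-13T09:12:00Z", "action": "add_credential",
     "actor": "breakglass-admin@corp.example", "target": "sp:mail-sync-app"},
    {"time": "2020-12-13T11:00:00Z", "action": "add_credential",
     "actor": "alice@corp.example", "target": "sp:ci-bot"},
]

# Assumed policy: the legitimate IdP issues assertions valid for at most one hour.
MAX_LIFETIME = timedelta(hours=1)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious(idp_issued, rp_signins, max_lifetime=MAX_LIFETIME):
    """Return accepted sign-ins that the IdP has no record of issuing, whose
    subject differs from the IdP record, or whose lifetime exceeds policy."""
    issued = {r["assertion_id"]: r for r in idp_issued}
    findings = []
    for s in rp_signins:
        reasons = []
        rec = issued.get(s["assertion_id"])
        if rec is None:
            reasons.append("no matching IdP issuance event")
        elif rec["user"] != s["user"]:
            reasons.append("subject differs from IdP issuance record")
        lifetime = parse_ts(s["not_after"]) - parse_ts(s["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": s["assertion_id"], "user": s["user"],
                             "src_ip": s["src_ip"], "reasons": reasons})
    return findings


def credential_adds_by_suspect_actors(sp_audit, findings):
    """Service-principal credential additions performed by accounts whose
    sign-in was flagged above: the pivot from forged identity to API access."""
    suspects = {f["user"] for f in findings}
    return [e for e in sp_audit
            if e["action"] == "add_credential" and e["actor"] in suspects]


if __name__ == "__main__":
    flagged = find_suspicious(IDP_ISSUED, RP_SIGNINS)
    for f in flagged:
        print(f"SUSPICIOUS {f['assertion_id']} {f['user']} from {f['src_ip']}: {'; '.join(f['reasons'])}")
    for e in credential_adds_by_suspect_actors(SP_AUDIT, flagged):
        print(f"FOLLOW-ON {e['actor']} added credential to {e['target']} at {e['time']}")
```

The correlation depends on the federation server's issuance audit log being shipped to a store the attacker cannot edit; if the on-premises host that holds the signing key is fully compromised, its local logs are not trustworthy, and a copy forwarded to a SIEM before the compromise is what makes the comparison meaningful.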
Former Facebook CISO Alex Stamos noted on Twitter: "There are dozens of companies that represent critical, systemic risk across the public and private sector and most of the 'security community' has interacted with none of them. The outside pressure that has pushed consumer IT to improve does not exist for most of IT... We need a deeper focus on security program maturity and transparency up and down the stack."
Regulators need to step in, he suggested, and policy makers should also strengthen funding for defensive cybersecurity.
"If we had a liability carrot-and-stick approach, where these reviews were conducted by professional staff, penalties were applied by a competent regulator, and we had 400 public pages to read on the root causes in six months, other companies could learn and improve."