Systems Affected
SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or
with 2020.2 HF 1, including:
Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
Overview
A highly sophisticated supply chain attack has been reported against the
SolarWinds Orion IT monitoring and management software. It results in
backdoor remote code execution and may further lead to lateral movement and
data theft.
Description
SolarWinds Orion Platform software builds have been reported to be part of
a sophisticated manual supply chain attack.
In this sophisticated supply chain attack, adversaries compromised updates
to the SolarWinds Orion IT monitoring and management software,
specifically a component called 'SolarWinds.Orion.Core.BusinessLayer.dll'
in versions 2019.4 HF 5 through 2020.2.1. The digitally signed updates were
posted on the SolarWinds website from March to May 2020. This backdoor can
communicate with third-party servers over HTTP and is able to execute
commands that transfer and execute files, profile the system, reboot the
machine, and disable system services.
Note: Exploitation of this vulnerability has been reported in the wild.
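The following PowerShell triage script is an added example and is not part of this advisory or of any SolarWinds tooling. It locates the component named above on an Orion server, then records its version, Authenticode signature status and SHA-256 hash so that they can be compared against the vendor's published details; it assumes the default installation directories under Program Files (adjust $SearchRoots otherwise). Because the trojanised updates were digitally signed, a "Valid" signature status on its own does not indicate a clean build.

```powershell
# Added example (not from the advisory): collect identifying details of the
# Orion business-layer DLL for comparison with vendor-published information.
# Assumption: Orion is installed under the default Program Files locations.
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$DllName     = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Find every copy of the DLL (installed binary, backups, staged updates).
$found = foreach ($root in $SearchRoots) {
    if ($root -and (Test-Path -Path $root)) {
        Get-ChildItem -Path $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue
    }
}

if (-not $found) {
    Write-Output "$DllName not found under $($SearchRoots -join ', ')"
    return
}

foreach ($file in $found) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256

    [pscustomobject]@{
        Path           = $file.FullName
        FileVersion    = $file.VersionInfo.FileVersion
        ProductVersion = $file.VersionInfo.ProductVersion   # compare with the Solution section's versions
        LastWriteUtc   = $file.LastWriteTimeUtc
        SignatureState = $sig.Status       # 'Valid' alone is not proof of a clean build: the malicious updates were signed
        Signer         = $sig.SignerCertificate.Subject
        SHA256         = $hash.Hash        # compare against the vendor's published hashes
    }
}
```

Run it in an elevated PowerShell session on each Orion server and keep the output with the incident record, since the version, timestamp and hash are what the vendor and CERT guidance ask you to compare.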
Solution
Users with Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 need to
upgrade to Orion Platform version 2020.2.1 HF 1.
Users with Orion Platform v2019.4 HF 5 need to update to Orion Platform
version 2019.4 HF 6.
Recommendations
Organisations are strongly advised to take additional measures such as:
changing the passwords of all accounts with access to Orion servers
analysing all configurations of network devices managed by the Orion
platform for alteration.
Organisations should consider the impacts and applicability of these steps
on their specific network operations prior to implementing these
mitigations.