Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations.Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks.FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.SolarWinds: SolarWinds Security Advisory.
Upgrade to Orion Platform version 2020.2.1 HF 2 and restore systems once you feel confident with the previous steps.
Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure.Use the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other SIEM data to give a timeline perspective to any potential intrusion.Scan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst and Backdoor.WebShell.Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.As this story is still unfolding we will keep our customers informed of any newer developments. We do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security firm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. The Department of Homeland Security has issued an emergency directive to order all federal agencies to take immediate steps in putting affected SolarWinds Orion products offline and reporting back any incident by Monday.
Among the victims who received the malicious update are FireEye, Microsoft and the US Treasury and Commerce departments, making this one of the biggest cyber incidents we have witnessed in years.
This scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on software that has already been trusted and that can be widely distributed at once. On December 13 there was a new development when IT company SolarWinds announced it had been hacked and that its compromised software channel was used to push out malicious updates onto 18,000 of its Orion platform customers. We learned more about the sophisticated attack first disclosed on December 8 when security firm FireEye reported it had been the victim of a state-sponsored adversary that stole Red Team assessment tools.