Under Attack? Contact Us Start a Free Demo
Under Attack? Contact Us Start a Free Demo
,
Morgan Fitzgerald
13 July 2022

SolarWinds Orion Vulnerability (CVE-2020-10148) Explained

Summary:

During the SolarWinds hack (CVE-2020-10148), thousands of organizations, including the U.S. government, were affected, not only because a single company was breached but because it triggered a broader supply chain incident. There was a supply chain breach involving the SolarWinds Orion system, commonly called the SolarWinds hack. The Orion network management system is used by more than 30,000 public and private organizations, including local, state, and federal government agencies. SolarWinds delivered the backdoor malware as part of an update for the Orion software, which compromised thousands of data, networks, and systems.

According to FireEye, over 16 known CVEs were exploited to test and validate the security postures of client environments on December 8, 2020. According to FireEye, the theft was made possible through a malicious version of SolarWinds Orion software. The Department of Homeland Security has enacted an emergency directive requesting all federal agencies take immediate action to mitigate the impacts of the stolen FireEye Red Team tools and SolarWinds Orion applications. Additionally, they strongly recommend that commercial organizations follow the same guidelines.

As a result of two vulnerabilities, known as SUNBURST and SUPERNOVA, SolarWinds Orion was initially compromised.

  • SUNBURST: SolarWinds supply chain attack is primarily based on the SUNBURST vulnerability. This vulnerability affects SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. Attackers can compromise the Orion Platform server when the vulnerability is active.
  • SUPERNOVA: The SUPERNOVA malware was not distributed through the SolarWinds build process as a supply chain attack, but through a vulnerability in the Orion product.

How it works?

The hackers used a supply chain attack to insert malicious code into the Orion system. As opposed to directly hacking an organization’s network, a supply chain attack targets a third party who has access to its systems.  By using third-party software, such as SolarWinds Orion Platform, hackers can gain access and impersonate users and accounts of victim organizations. Antivirus software could not detect the malware since it could access system files and blend in with legitimate SolarWinds activity. As a result of this type of supply chain attack, SolarWinds was an ideal target. Having installed the malicious code into a new batch of software distributed by SolarWinds as an update or patch, the hackers could gain access to many multinational companies and government agencies that use their Orion software.

The following is a timeline illustrating the original SolarWinds Orion hack, FireEye’s discovery of the hacker activity, SolarWinds’ response to the attack, and the U.S. government’s response:

1.    A breach of SolarWinds’ network occurred on September 1, 2019.

2.    Threat actors tested the first code injection into Orion in October 2019

3.    The Sunburst malware was injected into Orion on February 20, 2020.

4.    A malicious update was sent out unknowingly by SolarWinds Orion on March 26, 2020

A vulnerability in SolarWinds Orion (with Web Console WPM 2019.4.1 and Orion Platform HF4 or HF2 2019.4) allows remote attackers to gain access to the victim’s entire network infrastructure by activating a defined event, which is triggered when a user downloads a compromised update.

As a result, the malware communicates back to the attackers via legitimate domains previously purchased by the attackers and have been lying dormant. As a result, the attackers can evade defenses designed to detect suspicious traffic. Once SUNBURST is installed, it can transfer and execute files, profile the system, reboot the machine, and disable system services. Backdoors masquerade as the Orion Improvement Program (OIP) protocol and steal the information in legitimate plugin configuration files.

Impact:

The primary concern is that attackers have continued access to your network. The SolarWinds attack effectively allowed attackers to move freely throughout the compromised network, allowing them to commit malicious acts. In the event of a SolarWinds breach, a hacker can install a backdoor, granting them continued access to your systems. Due to unauthorized access to networks that likely held sensitive information, the confidentiality of sensitive data is already compromised. In addition to the loss of personal data and future access to your systems, the severity of this attack will spur a significant revision to federal cybersecurity policy that will impact all levels of business.

The implications of this are evident, but the full extent of the attack remains unknown. It may take several months for impacted companies to uncover the full extent of the attack. This is because they are conducting comprehensive investigations to uncover what data and systems were compromised. It is clear from the level of sophistication demonstrated and the evidence uncovered that the attacker was a foreign nation-state.

SolarWinds attack on US national infrastructure has highlighted the urgent need to address gaps in US cybersecurity. It will result in sweeping federal regulations to ensure companies and agencies do their utmost to protect against future attacks. US tech companies will be burdened with a substantial amount of time and money, which will be passed on to smaller companies and consumers.

Mitigation:

SolarWinds Orion vulnerabilities, SUNBURN Trojan detections, and FireEye Red Team tools require organizations to quickly assess the state of these vulnerabilities and missing patches across all their assets.

  • All above vulnerabilities should be immediately patched across all affected assets.
  • Turn off SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, until the patch has been applied.
  • To reduce the impact, apply security hygiene controls to the impacted software and operating system.
  • Check for the existence of the following files:

i)       [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]

ii)     [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

  • It is essential to remove these indicators of compromise and the parent processes involved in their creation.
  • Limit the scope of connectivity to SolarWinds servers until further investigation has been completed.

Additional Recommendations

1)    Systems that have been affected should be reimagined and rebuilt

2)    Bringing all SolarWinds-managed network infrastructure up to date with previous known good versions of firmware

3)    User credentials, SNMP, SSH keys, certificates, and SNMP keys are reset across the enterprise, and multi-factor authentication (MFA) is enforced

4)    All affected systems will be configured in a hardened manner

5)    Make sure your environment is secure by changing your passwords.

How to Defend Your Network from Zero-Day Vulnerabilities

Cyber security threats and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.

Start a Free Demo

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

Tags

CISO CISO Viewpoint Cybersecurity 101 Digital Forensics EDR NEWS Red Teaming Threat Intel & Research ThreatResponder

Featured Articles

ThreatResponder

Why Cyber Attacks are Increasing in 2024? How Can You Stay Protected

19 April 2024
Threat Intel & Research ThreatResponder

Defending Against Volt Typhoon: A State-Sponsored Stealthy Threat to Critical Infrastructure

6 April 2024
Threat Intel & Research ThreatResponder

Prevent Phobos Ransomware Attacks with ThreatResponder

5 April 2024
ThreatResponder

ThreatResponder, an AI-based Integrated Endpoint Security Solution Launched in South Korea

14 March 2024
ThreatResponder

Growing Chinese Threat To U.S. Cyber Security: How to Protect Your Business?

8 February 2024
Threat Intel & Research ThreatResponder

5 Cybersecurity Predictions for 2024

16 December 2023
CISO CISO Viewpoint

ThreatResponder: CISO’s Trusted Partner in Preventing Cyber Incidents

22 September 2023

TRY ThreatRESPONDER

Stop Advanced Cyber Attacks, Data Breaches, and Insider Threats

Start a Free Demo

Related Articles

CISO CISO Viewpoint

Why CISO’s are choosing ThreatResponder over others?

Morgan Fitzgerald
19 March 2024
CISO CISO Viewpoint

Top 10 Challenges Redefining the CISO’s Role in 2024

Morgan Fitzgerald
8 January 2024
CISO CISO Viewpoint Threat Intel & Research

Russia-Ukraine War: How Geopolitical Storm is Impacting Your Cybersecurity in 2023?

Morgan Fitzgerald
26 September 2023
Close

Computer Forensics Investigation

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed vulputate velit mi, non hendrerit justo varius ac. Cras gravida, dolor vel pulvinar tempus, erat massa facilisis tortor, in lobortis dui arcu at ligula. Nunc consequat arcu non lobortis eleifend. Vestibulum vel metus finibus, semper nunc nec, tristique felis. Donec auctor vestibulum sapien. Mauris tristique eget metus in vulputate. Etiam nec tempor odio. Praesent quis commodo metus, eu fringilla ipsum. Fusce quis aliquam mauris, vel sollicitudin ex. Praesent sed imperdiet sapien, vitae interdum turpis. Cras mollis nisi at lorem eleifend viverra at vitae est. Mauris luctus sem in arcu pharetra suscipit. Aliquam id eleifend elit, in ullamcorper neque. Nam gravida urna et ipsum fringilla lobortis. Vivamus eget fermentum purus. Duis est nulla, interdum sed iaculis eu, ultrices a arcu. Donec commodo, diam