
SolarWinds Orion Vulnerability (CVE-2020-10148) Explained

Summary:

The SolarWinds hack (CVE-2020-10148) affected thousands of organizations, including the U.S. government, because the breach of a single company triggered a broader supply chain incident. The incident, commonly called the SolarWinds hack, was a supply chain breach involving the SolarWinds Orion system. The Orion network management system is used by more than 30,000 public and private organizations, including local, state, and federal government agencies. SolarWinds delivered the backdoor malware as part of an update for the Orion software, which compromised thousands of networks, systems, and the data they held.

According to FireEye, over 16 known CVEs were exploited to test and validate the security postures of client environments on December 8, 2020. FireEye also reported that the theft was made possible through a malicious version of SolarWinds Orion software. The Department of Homeland Security has enacted an emergency directive requesting that all federal agencies take immediate action to mitigate the impacts of the stolen FireEye Red Team tools and SolarWinds Orion applications. It also strongly recommends that commercial organizations follow the same guidelines.

SolarWinds Orion was initially compromised as a result of two vulnerabilities, known as SUNBURST and SUPERNOVA.

  • SUNBURST: The SolarWinds supply chain attack is primarily based on the SUNBURST vulnerability. This vulnerability affects SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. Attackers can compromise the Orion Platform server when the vulnerability is active.
  • SUPERNOVA: The SUPERNOVA malware was not distributed through the SolarWinds build process as a supply chain attack, but through a vulnerability in the Orion product.

How does it work?

The hackers used a supply chain attack to insert malicious code into the Orion system. As opposed to directly hacking an organization’s network, a supply chain attack targets a third party who has access to its systems. By using third-party software, such as SolarWinds Orion Platform, hackers can gain access and impersonate users and accounts of victim organizations. Antivirus software could not detect the malware since it could access system files and blend in with legitimate SolarWinds activity. This made SolarWinds an ideal target for this type of supply chain attack. Having installed the malicious code into a new batch of software distributed by SolarWinds as an update or patch, the hackers could gain access to many multinational companies and government agencies that use the Orion software.

The following is a timeline illustrating the original SolarWinds Orion hack, FireEye’s discovery of the hacker activity, SolarWinds’ response to the attack, and the U.S. government’s response:

1.    A breach of SolarWinds’ network occurred on September 1, 2019.

2.    Threat actors tested the first code injection into Orion in October 2019.

3.    The Sunburst malware was injected into Orion on February 20, 2020.

4.    A malicious update was unknowingly sent out by SolarWinds Orion on March 26, 2020.

A vulnerability in SolarWinds Orion (with Web Console WPM 2019.4.1 and Orion Platform HF4 or HF2 2019.4) allows remote attackers to gain access to the victim’s entire network infrastructure by activating a defined event, which is triggered when a user downloads a compromised update.

The malware then communicates back to the attackers via legitimate domains that the attackers had previously purchased and that had been lying dormant. As a result, the attackers can evade defenses designed to detect suspicious traffic. Once SUNBURST is installed, it can transfer and execute files, profile the system, reboot the machine, and disable system services. Backdoors masquerade as the Orion Improvement Program (OIP) protocol and steal the information in legitimate plugin configuration files.

Impact:

The primary concern is that attackers have continued access to your network. The SolarWinds attack effectively allowed attackers to move freely throughout the compromised network, allowing them to commit malicious acts. In the event of a SolarWinds breach, a hacker can install a backdoor, granting them continued access to your systems. Due to unauthorized access to networks that likely held sensitive information, the confidentiality of sensitive data is already compromised. In addition to the loss of personal data and future access to your systems, the severity of this attack will spur a significant revision to federal cybersecurity policy that will impact all levels of business.

The implications of this are evident, but the full extent of the attack remains unknown. It may take several months for impacted companies to uncover the full extent of the attack. This is because they are conducting comprehensive investigations to uncover what data and systems were compromised. It is clear from the level of sophistication demonstrated and the evidence uncovered that the attacker was a foreign nation-state.

The SolarWinds attack on US national infrastructure has highlighted the urgent need to address gaps in US cybersecurity. It will result in sweeping federal regulations to ensure companies and agencies do their utmost to protect against future attacks. US tech companies will be burdened with a substantial cost in time and money, which will be passed on to smaller companies and consumers.

Mitigation:

SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, and FireEye Red Team tools require organizations to quickly assess the state of these vulnerabilities and missing patches across all their assets.

  • All above vulnerabilities should be immediately patched across all affected assets.
  • Turn off SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, until the patch has been applied.
  • To reduce the impact, apply security hygiene controls to the impacted software and operating system.
  • Check for the existence of the following files:

i)       [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]

ii)     [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

  • It is essential to remove these indicators of compromise and the parent processes involved in their creation.
  • Limit the scope of connectivity to SolarWinds servers until further investigation has been completed.
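The file check in the list above can be run as a sweep over a live drive or a mounted disk image. The following is an added example, not code from the original page or from SolarWinds; the file name, hash and path are the ones listed above, while the function names and verdict labels are assumptions made for illustration.

```python
import hashlib
import os

# Indicators exactly as listed in the mitigation steps above.
ORION_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"
ORION_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"  # 32 hex characters: an MD5 digest
DROPPED_DLL = ("syswow64", "netsetupsvc.dll")        # parent directory, file name


def md5_of(path, chunk=1 << 20):
    """Hash in chunks so large binaries are never read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, known_md5=ORION_DLL_MD5):
    """Walk root and return (verdict, path, detail) tuples (hypothetical labels)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            name = fname.lower()  # Windows file names are case-insensitive
            try:
                if name == ORION_DLL.lower():
                    # Orion ships a DLL with this name legitimately, so the
                    # name alone is not an indicator; the hash decides.
                    actual = md5_of(path)
                    verdict = "HASH_MATCH" if actual == known_md5.lower() else "name_only"
                    findings.append((verdict, path, actual))
                elif (os.path.basename(dirpath).lower(), name) == DROPPED_DLL:
                    findings.append(("PRESENT", path, md5_of(path)))
            except OSError as exc:
                # Locked or unreadable files are reported, not silently skipped.
                findings.append(("unreadable", path, str(exc)))
    return findings


if __name__ == "__main__":
    import sys
    for verdict, path, detail in sweep(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(f"{verdict:10} {path}  {detail}")
```

A `name_only` result still deserves a look: record the reported digest and compare it against the vendor's published hashes for the installed Orion version.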

Additional Recommendations

1)    Systems that have been affected should be reimaged and rebuilt.

2)    Bring all SolarWinds-managed network infrastructure up to date with previous known good versions of firmware.

3)    User credentials, SSH keys, certificates, and SNMP keys should be reset across the enterprise, and multi-factor authentication (MFA) should be enforced.

4)    All affected systems should be configured in a hardened manner.

5)    Make sure your environment is secure by changing your passwords.

How to Defend Your Network from Zero-Day Vulnerabilities

Cyber security threats and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.



Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).