Continuous Updates: Everything You Need to Know About the SolarWinds Attack

SolarWinds Orion Supply Chain

A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach the systems of Texas-based IT management and monitoring solutions provider SolarWinds.

Specifically, the attackers compromised the build system for the company’s Orion monitoring product, which enabled them to deliver trojanized updates to the company’s customers for at least three months.

The attackers delivered malware to possibly thousands of organizations, including cybersecurity firm FireEye (which broke the news about the attack) and various U.S. government organizations.

CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

SecurityWeek is covering all the new information that emerges and here you can find a summary of all articles on this topic, as well as other useful resources. This article will be regularly updated with new information.

News Coverage

SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector (05.10.2021) – SolarWinds shared more information on the impact of the breach and claimed that less than 100 of its customers were actually hacked.

US Expels Russian Diplomats, Imposes New Sanctions Over Hacking (04.15.2021) – The Biden administration announced the expulsion of 10 Russian diplomats and sanctions against nearly three dozen people and companies as it moved to hold Russia accountable for interference in last year’s presidential election and the hacking of federal agencies.

Mimecast Says SolarWinds Hackers Stole Source Code (03.17.2021) – Mimecast has completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.


Three New Malware Strains Linked to SolarWinds Hackers (03.05.2021) – Microsoft and FireEye detailed several new pieces of malware that they believe are linked to the hackers behind the SolarWinds supply chain attack.

Microsoft: SolarWinds Hackers Attempted to Access Our Systems Until January 2021 (02.19.2021) – Microsoft has completed its internal investigation into the SolarWinds attack and provides more information on the compromised source code and what the attackers were looking for.

Microsoft Believes 1,000 Hackers Involved in SolarWinds Attack (02.15.21) – Microsoft executive Brad Smith says more than a thousand software engineers were most likely involved in the SolarWinds attack, and that Microsoft tasked 500 engineers with investigating the attack.

Many SolarWinds Customers Failed to Secure Systems Following Hack (02.15.21) – Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon.

Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers (02.05.2021) – In response to speculation that its services may have been leveraged as an initial entry point by the hackers who breached IT management firm SolarWinds, Microsoft said there was no evidence to back those claims.

White House Names SolarWinds Response Leader Amid Criticism (02.11.2021) – The White House announced Wednesday that a senior national security official had been leading the response effort since the first day of the Biden administration.

China-Linked Hackers Exploited SolarWinds Flaw in U.S. Government Attack: Report (02.03.2021) – Hackers believed to be from China have exploited a vulnerability in a SolarWinds product as part of a campaign targeting at least one U.S. government agency.

CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds (02.01.2021) – CISA says many of the victims of the threat group that targeted SolarWinds were not directly linked to SolarWinds.

Hundreds of Industrial Organizations Received Sunburst Malware in SolarWinds Attack (01.27.2021) – Hundreds of industrial organizations have apparently received a piece of malware named Sunburst as part of the supply chain attack that hit IT management and monitoring firm SolarWinds last year.

More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack (01.26.2021) – Qualys, Mimecast and Fidelis Cybersecurity have been hit and possibly specifically targeted by the SolarWinds hackers.

Russian Hack of US Agencies Exposed Supply Chain Weaknesses (01.25.2021) – The attack on SolarWinds exposed supply chain vulnerabilities.

Biden Orders Intelligence Agencies to Assess SolarWinds Hack (01.22.2021) – U.S. President Joe Biden has instructed U.S. intelligence agencies to provide him with a detailed assessment of the SolarWinds hack.

Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers (01.21.2021) – Microsoft published a report detailing the activities and methods of the threat actor behind the SolarWinds attack, including its malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

Malwarebytes Targeted by SolarWinds Hackers (01.20.2021) – Malwarebytes revealed that it too was targeted by the hackers who breached the systems of SolarWinds.

FireEye Releases New Open Source Tool in Response to SolarWinds Hack (01.19.2021) – FireEye Mandiant releases an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452.

SolarWinds Hackers Used ‘Raindrop’ Malware for Lateral Movement (01.19.2021) – SolarWinds hackers leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads.

SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale (01.13.2021) – Someone has set up a website named SolarLeaks where they are offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach.

Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack (01.13.2021) – Mimecast learned from Microsoft that one of its certificates was compromised, possibly by the SolarWinds hackers.

‘Sunspot’ Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack (01.12.2021) – The threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group (01.11.2021) – Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla.

SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos (01.08.21) – SolarWinds has hired a new cybersecurity firm founded by former CISA Director, Chris Krebs, and Alex Stamos, former security chief at Facebook and Yahoo.

Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports (01.07.2021) – Cybersecurity companies and U.S. intelligence agencies are investigating the possible role played by a product from JetBrains in the recently discovered SolarWinds hack.

Justice Department Says It’s Been Affected by Russian Hack (01.06.2021) – The Justice Department says it was among the federal agencies harmed by the massive SolarWinds breach that U.S. officials have linked to Russia.

Class Action Lawsuit Filed Against SolarWinds Over Hack (01.06.2021) – A class action lawsuit has been filed on behalf of SolarWinds investors over the cybersecurity breach suffered by the Texas-based IT management solutions provider.

Hack of Federal Agencies ‘Likely Russian in Origin’, US Says (01.05.21) – Top national security agencies in a rare joint statement Tuesday confirmed that Russia was likely responsible for the massive “SolarWinds” hack that hit U.S. government departments and corporations.

Over 250 Organizations Breached via SolarWinds Supply Chain Hack: Report (01.04.21) – The recently disclosed attack targeting Texas-based IT management solutions provider SolarWinds resulted in threat actors gaining access to the networks of more than 250 organizations.

Microsoft Says ‘SolarWinds’ Hackers Viewed Internal Code (12.21.20) – Microsoft acknowledged Thursday that attackers who spearheaded a massive hack of government and private computer networks gained access to its internal source code.

New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds (12.28.2020) – A piece of malware named by researchers Supernova and a zero-day vulnerability exploited to deliver this malware indicate that SolarWinds may have been targeted by a second, unrelated threat actor.

SolarWinds Claims Execs Unaware of Breach When They Sold Stock (12.22.20) – SolarWinds told the SEC that its executives were not aware that the company had been breached when they decided to sell stock.

Cyberattack Hit Key US Treasury Systems: Senator (12.22.20) – Hackers broke into systems used by top US Treasury officials during a massive cyberattack on government agencies and may have stolen essential encryption keys, a senior lawmaker said Monday.

VMware, Cisco Reveal Impact of SolarWinds Incident (12.21.20) – VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

Trump Downplays Russia in First Comments on Cyberattack (12.19.20) – Contradicting his secretary of state and other top officials, President Donald Trump on Saturday suggested without evidence that China — not Russia — may be behind the cyberattack against the United States and tried to minimize its impact.

Hacked Networks Will Need to be Burned ‘Down to the Ground’ (12.19.20) – Experts say it’s going to take months to kick elite hackers widely believed to be Russian out of U.S. government networks. The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” expert Bruce Schneier said.

Pompeo Blames Russia for Massive US Cyberattack (12.19.20) – Russia was “pretty clearly” behind a devastating cyberattack on several US government agencies that also hit targets worldwide, Secretary of State Mike Pompeo said.

SolarWinds Likely Hacked at Least One Year Before Breach Discovery (12.18.20) – An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.

Microsoft, Energy Department and Others Named as Victims of SolarWinds Attack (12.18.20) – Microsoft, the U.S. Energy Department and others have apparently also been targeted in the SolarWinds hack. An analysis of the SUNBURST malware DGA led to the discovery of 100 potential victims, and Microsoft claims to have also identified 40 of the hackers’ high-value targets.

Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’ (12.17.20) – CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales (12.17.20) – Few people were aware of SolarWinds, but the revelation that the company has been targeted by elite cyber spies has put many of its customers on high alert, and it’s raising questions about why its biggest investors sold off stock.

FBI, CISA, ODNI Describe Response to SolarWinds Attack (12.17.20) – The FBI, CISA and ODNI have released a joint statement describing their roles in investigating and responding to the incident. The FBI is trying to find out who is behind the attack and disrupt their activities, and it has been working with victims to obtain useful information. CISA has issued an emergency directive instructing federal agencies to take steps to detect attacks, collect evidence and remove the attackers from their networks. ODNI is responsible for sharing information across the government and supporting the investigation by providing the intelligence community’s resources.

SolarWinds Removes Customer List From Site as It Releases Second Hotfix (12.16.20) – SolarWinds has released another patch for its Orion products. This second hotfix released in response to the attack not only provides additional security enhancements, but also replaces the compromised component. The company has also decided to remove from its website a page that listed many of its high-profile customers.

Killswitch Found for Malware Used in SolarWinds Hack (12.16.20) – FireEye said the attackers leveraged the SolarWinds infrastructure to deliver a piece of malware named SUNBURST, and in the case of high-value targets a backdoor named Teardrop and a Cobalt Strike payload. An analysis of the malware revealed the existence of a domain that could be leveraged as a killswitch. FireEye, Microsoft and GoDaddy worked together to take control of the domain and disable SUNBURST deployments.

Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank (12.16.20) – After FireEye released IOCs, other cybersecurity firms linked the SolarWinds attack to previously analyzed campaigns. Volexity reported seeing an attack on a U.S. think tank where hackers used a novel method to bypass MFA and gain access to emails.

SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product (12.14.20) – SolarWinds has notified 33,000 customers of its Orion platform about the incident, but the company believes only up to 18,000 were actually impacted. The company said the attackers compromised its build system for Orion products, allowing them to deliver trojanized updates to customers between March and June 2020. The updates enabled the attackers to compromise the servers of organizations that received the malicious components.

Useful resources

• SolarWinds advisory (regularly updated)

• FireEye countermeasures

• FireEye analysis and IOC

• Emergency directive from CISA

• CISA’s Free Detection Tool for Azure/M365 Environment

• CrowdStrike Reporting Tool for Azure Active Directory – Helps organizations review excessive permissions in their Azure AD environments to help determine configuration weaknesses (free)

• Symantec analysis of the malware used in the attack

• Microsoft analysis of the attack and IOC

• SolarWinds Post-Compromise Hunting with Azure Sentinel

• List of potentially impacted organizations based on DGA analysis

• SunBurst Hunter (GitHub) – Provides a Python client for RiskIQ API services. The tool currently supports SSL certificates, SSL certificate history and component history.

• Responding to the SolarWinds Software Compromise in Industrial Environments (Dragos blog)

• SolarWinds_Countermeasures tool from SentinelLabs – Designed to detect processes, services, and drivers that SUNBURST attempts to identify on the victim’s machine.

• Mandiant Azure AD Investigator – Open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452.
