
Continuous Updates: Everything You Need to Know About the SolarWinds Attack

SolarWinds Orion Supply Chain

A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach the systems of Texas-based IT management and monitoring solutions provider SolarWinds.

Specifically, the attackers compromised the build system for the company’s Orion monitoring product, which enabled them to deliver trojanized updates to the company’s customers for at least three months.

The attackers delivered malware to possibly thousands of organizations, including cybersecurity firm FireEye (which broke the news about the attack) and various U.S. government organizations.

CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

SecurityWeek is covering all the new information that emerges and here you can find a summary of all articles on this topic, as well as other useful resources. This article will be regularly updated with new information.

News Coverage

Russian Hack of US Agencies Exposed Supply Chain Weaknesses (01.25.2021) - The attack on SolarWinds exposed supply chain vulnerabilities.

Biden Orders Intelligence Agencies to Assess SolarWinds Hack (01.22.2021) - U.S. President Joe Biden has instructed U.S. intelligence agencies to provide him with a detailed assessment of the SolarWinds hack.

Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers (01.21.2021) - Microsoft report detailing the activities and the methods of the threat actor behind the SolarWinds attack, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).

Malwarebytes Targeted by SolarWinds Hackers (01.20.2021) - Malwarebytes revealed that it too was targeted by the hackers who breached the systems of SolarWinds.

FireEye Releases New Open Source Tool in Response to SolarWinds Hack (01.19.2021) - FireEye Mandiant releases an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452.

SolarWinds Hackers Used 'Raindrop' Malware for Lateral Movement (01.19.2021) - SolarWinds hackers leveraged a piece of malware named Raindrop for lateral movement and for deploying additional payloads.

SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale (01.13.2021) - Someone has set up a website named SolarLeaks where they are offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach.

Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack (01.13.2021) - Mimecast learned from Microsoft that one of its certificates was compromised, possibly by the SolarWinds hackers.

'Sunspot' Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack (01.12.2021) - The threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group (01.11.2021) - Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla.

SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos (01.08.21) - SolarWinds has hired a new cybersecurity firm founded by former CISA Director Chris Krebs and Alex Stamos, former security chief at Facebook and Yahoo.

Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports (01.07.2021) - Cybersecurity companies and U.S. intelligence agencies are investigating the possible role played by a product from JetBrains in the recently discovered SolarWinds hack.

Justice Department Says It's Been Affected by Russian Hack (01.06.2021) - The Justice Department says it was among the federal agencies harmed by the massive SolarWinds breach that U.S. officials have linked to Russia.

Class Action Lawsuit Filed Against SolarWinds Over Hack (01.06.2021) - A class action lawsuit has been filed on behalf of SolarWinds investors over the cybersecurity breach suffered by the Texas-based IT management solutions provider.

Hack of Federal Agencies 'Likely Russian in Origin', US Says (01.05.21) - Top national security agencies in a rare joint statement Tuesday confirmed that Russia was likely responsible for the massive "SolarWinds" hack that hit U.S. government departments and corporations.

Over 250 Organizations Breached via SolarWinds Supply Chain Hack: Report (01.04.21) - The recently disclosed attack targeting Texas-based IT management solutions provider SolarWinds resulted in threat actors gaining access to the networks of more than 250 organizations.

Microsoft Says 'SolarWinds' Hackers Viewed Internal Code (12.21.20) - Microsoft acknowledged Thursday that attackers who spearheaded a massive hack of government and private computer networks gained access to its internal source code.

New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds (12.28.2020) - A piece of malware named by researchers Supernova and a zero-day vulnerability exploited to deliver this malware indicate that SolarWinds may have been targeted by a second, unrelated threat actor.

SolarWinds Claims Execs Unaware of Breach When They Sold Stock (12.22.20) - SolarWinds told the SEC that its executives were not aware that the company had been breached when they decided to sell stock.

Cyberattack Hit Key US Treasury Systems: Senator (12.22.20) - Hackers broke into systems used by top US Treasury officials during a massive cyberattack on government agencies and may have stolen essential encryption keys, a senior lawmaker said Monday.

VMware, Cisco Reveal Impact of SolarWinds Incident (12.21.20) - VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

Trump Downplays Russia in First Comments on Cyberattack (12.19.20) - Contradicting his secretary of state and other top officials, President Donald Trump on Saturday suggested without evidence that China, not Russia, may be behind the cyberattack against the United States and tried to minimize its impact.

Hacked Networks Will Need to be Burned 'Down to the Ground' (12.19.20) - Experts say it’s going to take months to kick elite hackers widely believed to be Russian out of U.S. government networks. The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” expert Bruce Schneier said.

Pompeo Blames Russia for Massive US Cyberattack (12.19.20) - Russia was "pretty clearly" behind a devastating cyberattack on several US government agencies that also hit targets worldwide, Secretary of State Mike Pompeo said.

SolarWinds Likely Hacked at Least One Year Before Breach Discovery (12.18.20) - An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.

Microsoft, Energy Department and Others Named as Victims of SolarWinds Attack (12.18.20) - Microsoft, the U.S. Energy Department and others have apparently also been targeted in the SolarWinds hack. An analysis of the SUNBURST malware's domain generation algorithm (DGA) led to the discovery of 100 potential victims, and Microsoft claims to have also identified 40 of the hackers' high-value targets.

Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing 'Grave Risk' (12.17.20) - CISA says it has evidence of additional initial access vectors, other than SolarWinds’ Orion platform, but the agency is still investigating and it has not shared other information.

Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales (12.17.20) - Few people were aware of SolarWinds, but the revelation that the company has been targeted by elite cyber spies has put many of its customers on high alert, and it’s raising questions about why its biggest investors sold off stock.

FBI, CISA, ODNI Describe Response to SolarWinds Attack (12.17.20) - The FBI, CISA and ODNI have released a joint statement describing their roles in investigating and responding to the incident. The FBI is trying to find out who is behind the attack and disrupt their activities, and it has been working with victims to obtain useful information. CISA has issued an emergency directive instructing federal agencies to take steps to detect attacks, collect evidence and remove the attackers from their networks. ODNI is responsible for sharing information across the government and supporting the investigation by providing the intelligence community’s resources.

SolarWinds Removes Customer List From Site as It Releases Second Hotfix (12.16.20) - SolarWinds has released another patch for its Orion products. This second hotfix released in response to the attack not only provides additional security enhancements, but also replaces the compromised component. The company has also decided to remove from its website a page that listed many of its high-profile customers.

Killswitch Found for Malware Used in SolarWinds Hack (12.16.20) - FireEye said the attackers leveraged the SolarWinds infrastructure to deliver a piece of malware named SUNBURST, and in the case of high-value targets a backdoor named Teardrop and a Cobalt Strike payload. An analysis of the malware revealed the existence of a domain that could be leveraged as a killswitch. FireEye, Microsoft and GoDaddy worked together to take control of the domain and disable SUNBURST deployments.

Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank (12.16.20) - After FireEye released IOCs, other cybersecurity firms linked the SolarWinds attack to previously analyzed campaigns. Volexity reported seeing an attack on a U.S. think tank where hackers used a novel method to bypass MFA and gain access to emails.

SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product (12.14.20) - SolarWinds has notified 33,000 customers of its Orion platform about the incident, but the company believes only up to 18,000 were actually impacted. The company said the attackers compromised its build system for Orion products, allowing them to deliver trojanized updates to customers between March and June 2020. The updates enabled the attackers to compromise the servers of organizations that installed the malicious components.

Useful resources

• SolarWinds advisory (regularly updated)

• FireEye countermeasures

• FireEye analysis and IOC

• Emergency directive from CISA

• CISA's Free Detection Tool for Azure/M365 Environment

• CrowdStrike Reporting Tool for Azure Active Directory - Helps organizations review excessive permissions in their Azure AD environments to help determine configuration weaknesses (free)

• Symantec analysis of the malware used in the attack

• Microsoft analysis of the attack and IOC

• SolarWinds Post-Compromise Hunting with Azure Sentinel

• List of potentially impacted organizations based on DGA analysis

• "SunBurst Hunter" (GitHub) - Provides a Python client for RiskIQ API services. The tool currently supports SSL certificates, SSL certificate history and component history.

• Responding to the SolarWinds Software Compromise in Industrial Environments (Dragos blog)

• SolarWinds_Countermeasures tool from SentinelLabs - Designed to detect the processes, services, and drivers that SUNBURST attempts to identify on the victim's machine.

• Mandiant Azure AD Investigator - Open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452.
