{"id":4091,"date":"2020-12-21T16:27:14","date_gmt":"2020-12-21T23:27:14","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=4091"},"modified":"2020-12-21T16:27:14","modified_gmt":"2020-12-21T23:27:14","slug":"solarwinds-supply-chain-attack-leads-to-large-scale-exploitation","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/blog\/solarwinds-supply-chain-attack-leads-to-large-scale-exploitation\/","title":{"rendered":"SolarWinds Supply Chain Attack Leads To Large-scale Exploitation"},"content":{"rendered":"

Last week our industry exploded with a staggering amount of data on the SolarWinds Orion monitoring software, which was compromised with a backdoor between May and June of 2020. We\u2019d like to provide a little background and some distilled information for our readers.<\/span><\/p>\n

About SolarWinds and SunBurst<\/b><\/p>\n

SolarWinds Orion Network Management Solution (NMS) has come under scrutiny as being the initial vector of attack for APT29\/Cozy Bear, with specific compromises discovered in several US government agencies and one public sector cybersecurity company, FireEye. While it is not yet clear whether these were attacks against specific targets, it is possible to surmise that approximately 18,000 to 33,000 SolarWinds customers could be affected.<\/span><\/p>\n

SunBurst is the name given to the backdoor inserted into the core functionality of the SolarWinds Orion NMS code management system. This probable compromise of the internal build or distribution system then delivered the backdoor to platform customers via automatic updates. SunBurst is a Command and Control (C2) method, allowing full control of the SolarWinds Orion platform and underlying operating system. This is of particular concern because NMS installations often have ties to monitor and configure a wide range of other technology components within an organization, including Windows Active Directory, credential management, network configuration, firewall management, and network intrusion detection. This could allow an attacker to modify any of these systems, cover their tracks, and evade detection across all of the platforms managed by the NMS.<\/span><\/p>\n


Ongoing discovery<\/b><\/p>\n

The compromise of the SolarWinds infrastructure is leading to a very complex discovery and incident response process. As time goes on, more and more pieces of the puzzle unfold: the number of affected enterprises, and to what extent each is affected. Some are estimating that it may be years before we understand the full extent of the compromise and achieve a full recovery. In addition to following the recommendations, we should continue to follow the unfolding story while tempering what we hear and read: we have already seen some incomplete information, as well as patently wrong or misleading declarations. See the Recommendations section for some reputable sources.<\/span><\/p>\n

Some of the more recent discoveries include the decoding of the apparently random hostnames within DNS, revealing 346 unique hostnames for the identified C2 domain. By analyzing the SunBurst malware code and its Domain Generation Algorithm (DGA), researchers were able to determine that the seemingly random data encoded the system and domain names of affected organizations.<\/span><\/p>\n

We are also hearing reports of secondary fallout from other companies being compromised outside of the US government, including various state and county government assets as well as those in private industry.\u00a0 At this time Microsoft and Cisco are commenting publicly.<\/span><\/p>\n

Recommendations<\/b><\/p>\n

Specifically, SolarWinds customers should perform the following steps:<\/span><\/p>\n