On Dec. 12, 2020, FireEye provided detailed information on a widespread attack campaign involving a backdoored component of the SolarWinds Orion platform, which is used by organizations to monitor and manage IT infrastructure. FireEye has given the campaign an identifier of UNC2452 and is further naming the trojanized version of the SolarWinds Orion component SUNBURST (Microsoft has used the “Solorigate” identifier for the malware and added detection rules to its Defender antivirus). SolarWinds has issued a separate advisory for the incident.
In this blog post, we will focus on answering specific questions organizations may have regarding this situation.
What is Rapid7 doing as a result of the SUNBURST/Solorigate disclosure?
For InsightIDR customers
Rapid7 has deployed detections in InsightIDR for activity related to vulnerable versions of SolarWinds Orion and will continue to add IOCs/TTPs as they become available. We recommend that all customers running SolarWinds Orion versions 2019.4 through 2020.2.1 upgrade to Orion platform version 2020.2.1 HF 1 as soon as possible.
We will also publish queries you can perform in your environment to look for this vulnerability.
For our MDR customers
We are analyzing your agent, DNS, firewall, and other log data that exists in IDR for IOCs/TTPs related to this threat, and specifically the IOCs released by FireEye.
For InsightVM customers
InsightVM customers can use Query Builder to find assets that have SolarWinds Orion installed by creating the following query: “software.description contains ‘Solarwinds Orion’”.
Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for “Software name contains Solarwinds Orion”.
Our researchers are currently evaluating the feasibility of adding a vulnerability check that will report based on affected versions of the software.
For MVM customers
Rapid7 MVM customers will see a report in their InsightVM console, “Solarwinds_assets_20201214”, listing every asset we can see that has software with “Solarwinds” in its name. A second report, “SolarWinds Orion”, narrows this down to the “Orion” software.
If my organization uses SolarWinds components but does not use the Orion platform, are we at risk?
Right now, the only known compromised SolarWinds component is a single library file, SolarWinds.Orion.Core.BusinessLayer.dll, in the Orion platform. If you are not running a version of Orion that installed updates between March and June 2020, you are likely not running compromised SolarWinds software. Affected versions are 2019.4 through 2020.2.1 HF1. The specific statements from SolarWinds’ Dec. 14, 2020 8-K filing indicate that:
- Orion products downloaded, implemented, or updated during the Relevant Period contained the vulnerability;
- Orion products downloaded and implemented before the Relevant Period and not updated during the Relevant Period did not contain the vulnerability;
- Orion products downloaded and implemented after the Relevant Period did not contain the vulnerability; and
- Previously affected versions of the Orion products that were updated with a build released after the Relevant Period no longer contained the vulnerability; however, the server on which the affected Orion products ran may have been compromised during the period in which the vulnerability existed.
SolarWinds further estimated that up to 18,000 organizations may have installed the compromised component.
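As an added example (not Rapid7's or SolarWinds' code), the following PowerShell run on a suspected Orion server reports the installed Orion product version, so it can be compared against the affected range above, and locates the named library file to record its file version, timestamp and SHA-256 for comparison with FireEye's published indicators. It assumes Orion is installed under one of the Program Files trees; adjust $SearchRoots otherwise.

```powershell
# Added example: inventory the Orion install and the component named in the advisory.
# Assumption: Orion lives under a Program Files tree; change $SearchRoots if not.
$DllName     = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

# 1. Installed product version from the standard Uninstall registry keys
#    (compare DisplayVersion with the affected range 2019.4 through 2020.2.1 HF1).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*Orion*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Format-Table -AutoSize

# 2. Locate the library file and record what a responder needs to compare.
$found = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter $DllName -ErrorAction SilentlyContinue
    }
}
if (-not $found) {
    Write-Output "$DllName not found under $($SearchRoots -join ', '); host is probably not running Orion."
    return
}
foreach ($file in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path           = $file.FullName
        FileVersion    = $file.VersionInfo.FileVersion
        ProductVersion = $file.VersionInfo.ProductVersion
        LastWriteTime  = $file.LastWriteTime      # March-June 2020 builds fall in the affected window
        SHA256         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        SignatureValid = ($sig.Status -eq 'Valid') # the trojanized builds carried a valid SolarWinds
        Signer         = $sig.SignerCertificate.Subject # signature, so 'Valid' alone does not clear the file
    }
}
```

The SHA256 column is the value to check against the FireEye indicators; the page does not reproduce the hashes, so none are hard-coded here.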
How can my organization detect whether attackers used this backdoor against us?
If you were one of the 18,000 organizations potentially running compromised Orion components, FireEye has provided a number of countermeasures and indicators of compromise that you can deploy in detection (looking at future events) and forensics (going back through firewall/intrusion detection logs, system/network events, and cybersecurity monitoring alerts) contexts.
Be aware that if you are running a backdoored version of this Orion component, your detection and forensics efforts will show beacon activity to the attacker infrastructure. This does not mean you are under active attack. It just means that the command and control components of the backdoor are functional. Now that the attacker campaign has been brought into public awareness, it is very likely that they will rapidly tear down all of the infrastructure they were using and any operations they had in play.
Apart from deploying the provided detections, what else should my organization do if we were running a compromised version of SolarWinds Orion?
The most proactive and cautious response would be to assume all hosts monitored by compromised Orion systems are, themselves, compromised. Restoring operations to a known-good state would involve:
- Resetting all credentials used by or stored in SolarWinds Orion.
- Rebuilding all hosts monitored by SolarWinds Orion from trusted sources (SolarWinds currently expects to release a public hotfix on or prior to Dec. 15, 2020).
Since it appears that the campaign was highly targeted, another, less disruptive approach should start with the guidance in the SolarWinds advisory. Specifically, consider upgrading to the current hotfix (2020.2.1 HF 1) as soon as possible and monitor SolarWinds communications for the release of the 2020.2.1 HF 2 hotfix.
Once patched, organizations taking a less disruptive approach should ensure that SolarWinds servers are isolated and consider applying the following actions:
- Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
- Block internet egress from servers or other endpoints with SolarWinds software.
- Change passwords for accounts that have access to SolarWinds servers/infrastructure.
For either scenario (cautious or less disruptive), if SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications.
Active Directory administrators should also review account creation and deletion activity from the time the organization deployed a compromised version of Orion onward, and pay close attention to anomalous patterns, especially around accounts with privileged/admin access.
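One way to carry out the Active Directory review described above, as an added example rather than Rapid7 guidance: on a domain controller, pull account creation, deletion and security-group membership events since the deployment date and flag additions to privileged groups. $Since and $PrivilegedGroups are placeholders to adjust for your environment; the script assumes an elevated session on a DC whose Security log covers the period.

```powershell
# Added example: review AD account lifecycle events since a compromised Orion build was deployed.
# Placeholders: $Since (your own deployment date) and $PrivilegedGroups (your admin groups).
$Since = Get-Date '2020-03-01'   # earliest date in the March-June 2020 window; replace with your deployment date
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Security event IDs: 4720 user account created, 4726 user account deleted,
# 4728 / 4732 / 4756 member added to a security-enabled global / local / universal group.
$Ids = 4720, 4726, 4728, 4732, 4756

function Get-EventField {
    # Read a named EventData field from the event's XML rather than relying on positional Properties.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $action = switch ($e.Id) {
        4720    { 'AccountCreated' }
        4726    { 'AccountDeleted' }
        default { 'AddedToGroup' }
    }
    if ($action -eq 'AddedToGroup') {
        $group  = Get-EventField $e 'TargetUserName'   # the group that gained a member
        $target = Get-EventField $e 'MemberName'       # DN of the account added
    } else {
        $group  = $null
        $target = Get-EventField $e 'TargetUserName'   # the account created or deleted
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Action     = $action
        Target     = $target
        Group      = $group
        Actor      = Get-EventField $e 'SubjectUserName'   # who performed the change
        Privileged = [bool]($group -and ($PrivilegedGroups -contains $group))
    }
}

"Additions to privileged groups since $Since :"
$rows | Where-Object Privileged | Sort-Object Time | Format-Table Time, Target, Group, Actor -AutoSize
"All account creations, deletions and group additions since $Since :"
$rows | Sort-Object Time | Format-Table -AutoSize
```

Pipe $rows to Export-Csv to keep the review as an artifact; on a busy domain, compare actors and timing against the known SolarWinds service accounts and change windows.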
Will Rapid7 be providing updates as new information becomes available?
Rapid7 is actively monitoring all SolarWinds and FireEye updates as well as threat intelligence feeds and breaking news reports and will both update the blog and notify customers of significant events as they arise.