Extremely critical vulnerability in your IT asset management system

The National Cyber Security Centre SK-CERT warns of a critical vulnerability in the SolarWinds Orion system, the software for monitoring and managing IT assets.

Therefore, the National Cyber Security Centre SK-CERT recommends taking the following measures immediately:

  • Separate all active SolarWinds Orion services, in any version, from the Internet and from the internal infrastructure
  • If it is not possible to completely separate the SolarWinds Orion service:
      • Restrict connections to devices, especially those that are critical assets
      • Restrict accounts that have administrator privileges in SolarWinds Orion
      • Separate the SolarWinds service, as well as the devices running it, from the Internet
  • Check whether a compromised version of the SolarWinds Orion software released between March 2020 and June 2020 has been installed
  • Check whether your software installation contains the malicious files listed below under IOC; if so, your systems and services have been compromised
  • If you were running SolarWinds Orion on a virtual server, preserve the memory and disk image by creating a snapshot for later forensic analysis
  • Consider using expert help to create a server image and perform the forensic analysis
  • Change the credentials that the SolarWinds Orion system uses to connect to remote devices for monitoring and management to new, high-quality ones
  • Also change all user passwords and passwords of technical accounts on the systems to sufficiently strong and unique ones
  • Check for the presence of malicious code that an attacker could have additionally installed on your systems as part of an attack through the SUNBURST backdoor, and for anomalous network connections from the target systems
  • If any of the administrator, user or technical passwords have been used on other systems, change those passwords to strong and unique ones as well
  • Remember to change passwords in applications installed on the affected systems, especially for services that are accessible from the Internet
  • If the affected systems held login data for external services outside your organization, change those passwords to strong and unique ones as well
  • Check all affected systems for the presence of unknown accounts
  • Where the system allows it, use two-factor authentication for logging in
  • Identify all SolarWinds Orion network communications and verify their legitimacy. Focus on outgoing Internet connections too.
  • Check for communication to the malicious URL addresses and the C2 server on your perimeter devices (firewall, IDS, IPS)
  • On perimeter devices (firewall, IDS, IPS), block communication to the malicious URL and C2 addresses from the IOC list below
  • Update your systems and services with the latest update packages
  • After a proper incident investigation and after taking all steps to mitigate and resolve the vulnerability, apply the SolarWinds Orion update. If possible, install the new version of the software as a clean installation on a freshly installed operating system
  • If a cybersecurity incident caused by this vulnerability is detected, report it to the National Cyber Security Centre SK-CERT at https://www.sk-cert.sk/en/tips-and-tricks/report-an-incident/index.html
  • If you run the SolarWinds Orion software, inform us at incident@nbu.gov.sk so that we can help you with the investigation

On 14 December 2020, SolarWinds published a report on its website[1] stating that the company had experienced a highly sophisticated and advanced supply chain attack[2] affecting all software releases from March 2020 to June 2020. The company received information that it was a state-sponsored attack conducted by an outside nation state, intended as an extremely targeted and manually executed operation.

On 13 December 2020, FireEye[3] published an analytical report on the discovery of a global campaign targeting SolarWinds Orion through a supply chain attack. According to the company, the attackers gained access to numerous private companies as well as public organizations around the world. The campaign may have begun as early as spring 2020 and is currently ongoing.

The attack relies on a backdoor called SUNBURST, which is embedded in the SolarWinds.Orion.Core.BusinessLayer.dll library. The component communicates with third parties over HTTP. The backdoor was distributed through legitimate software updates, and the attackers used digitally signed libraries to avoid detection.

The presence of the backdoor in the system results in a complete breach of the confidentiality, integrity and availability of not only the SolarWinds Orion software, but also of other systems and services in the organization. Through the backdoor, an attacker can obtain login names and passwords for systems and services, including access to highly privileged accounts.

On 14 December 2020, the US CISA issued[4] a directive that calls on all federal agencies to review their SolarWinds Orion systems for the presence of IOC (indicators of compromise) and to disconnect or power down these systems.

IOC

As part of the campaign analysis, the following IOC were also published; they are used to identify the malicious files and malicious communication:

FILES

SolarWinds.Orion.Core.BusinessLayer.dll
OrionImprovementBusinessLayer.2.cs
app_web_logoimagehandler.ashx.b6031896.dll
C:\WINDOWS\SysWOW64\netsetupsvc.dll

C2 (CONTROL) SERVER

avsvmcloud[.]com


A complete list of available IOC can be found at: https://github.com/fireeye/sunburst_countermeasures
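As an added example, not part of the SK-CERT advisory, the following Python script applies two of the checks recommended above: it matches hostnames found in DNS or proxy log lines against the C2 domain listed under IOC (treating any subdomain of avsvmcloud[.]com as a hit, while rejecting look-alike names) and looks for the listed IOC file names among file paths. The log lines and paths are constructed sample data, not real logs or hosts.

```python
import ntpath
import re

# Indicators taken from the advisory above. The C2 domain is kept in its
# defanged form as published; any subdomain of it counts as a hit.
C2_DOMAINS_DEFANGED = ["avsvmcloud[.]com"]
IOC_FILENAMES = {
    "solarwinds.orion.core.businesslayer.dll",
    "orionimprovementbusinesslayer.2.cs",
    "app_web_logoimagehandler.ashx.b6031896.dll",
    "netsetupsvc.dll",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'avsvmcloud[.]com' into a hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

def host_matches_ioc(host: str) -> bool:
    """True when host is an IOC domain or a subdomain of one. The suffix check
    is done on a label boundary, so a look-alike like notavsvmcloud.com is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

# Any dotted name in a DNS or proxy log line is treated as a candidate host.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)

def scan_log_lines(lines: list[str]) -> list[str]:
    """Return the log lines that reference an IOC domain."""
    return [ln for ln in lines if any(host_matches_ioc(h) for h in HOST_RE.findall(ln))]

def check_filenames(paths: list[str]) -> list[str]:
    """Return paths whose file name is on the IOC list. A name match only selects
    candidates: the trojanized DLL carries the legitimate library name, so confirm
    each candidate against the published hashes before treating it as malicious."""
    return [p for p in paths if ntpath.basename(p).lower() in IOC_FILENAMES]

# Constructed sample data (not real logs or hosts): one C2 lookup, one benign
# lookup, one look-alike that must not match, and two paths with IOC file names.
SAMPLE_DNS_LOG = [
    "2020-12-14T10:01:02Z srv-orion01 query A appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-14T10:01:05Z srv-orion01 query A downloads.example.com",
    "2020-12-14T10:02:11Z ws-042 query A notavsvmcloud.com",
]
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll",
    r"C:\WINDOWS\SysWOW64\netsetupsvc.dll",
    r"C:\WINDOWS\System32\kernel32.dll",
]
```

Running `scan_log_lines(SAMPLE_DNS_LOG)` returns only the first line, and `check_filenames(SAMPLE_PATHS)` returns the first two paths; feed your own exported DNS, proxy or firewall logs and directory listings instead of the sample data.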

Sources

[1] https://www.solarwinds.com/securityadvisory

[2] An attack that targets a supplier directly, in which the attacker implants malicious code into a legitimate software release

[3] https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[4] https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network

https://github.com/fireeye/sunburst_countermeasures

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
