SolarWinds Orion Hack

Atlantic.Net is providing this security advisory message as a news item; we want to reassure our customers that Atlantic.Net does not use any SolarWinds products internally or as part of any of our service offerings.

On the 13th December 2020, news broke from the cybersecurity organization FireEye concerning a major security breach at SolarWinds Corporation. SolarWinds is a Texas-based tech giant that has become a dominant player in server monitoring and network management with its Orion line of software products. It serves 300,000 customers globally and is trusted by several high-profile organizations and government institutions.

Cybersecurity experts believe that a sophisticated, possibly Russian, state-sponsored cyberattack breached SolarWinds infrastructure and impacted many of the company’s customers. Experts believe SolarWinds was breached in the Spring of 2020, but the groundwork for the attack may have started much earlier.

Global companies such as VMware, Intel, Microsoft, and Cisco are reportedly impacted by the attack, as well as all five branches of the US military, the national nuclear security administration, the Pentagon, the State Department, and the Office of the President of the United States.

The hack was incredibly sophisticated. Hackers were able to gain access to SolarWinds internal systems and compromise their official Orion software updates with “trojanized” malware updates. This allowed the hackers to disguise compromised updates as legitimate, SolarWinds-approved Orion updates. It is believed that up to 18,000 SolarWinds customers downloaded the malware.  This is, undeniably, a huge, incredible, and quite shocking lapse in security to happen at a company valued at about $5 billion.

FireEye, the cybersecurity company that first identified the breach, said the hack gave the intruders “the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity.”

Once installed by the victims, the hackers used part of the Orion software framework, specifically an HTTP API vulnerability in a file called SolarWinds.Orion.Core.BusinessLayer.dll. The exploit allowed them to execute remote ‘jobs’ on any compromised server and traverse the victim’s network using “god mode” privileges to compromise any connected server and perform data theft.

Symantec and Palo Alto Networks reported that secondary payloads known as Teardrop and Supernova were deployed against “targets of interest.” Teardrop embeds the Cobalt Strike Beacon malware which attempts to steal credentials, hack Active Directory, and perform data theft.

As this news only broke recently, the scale of the impact is not yet fully known, but many businesses are bracing themselves as they investigate the impact of the data breach. As of yet, no one knows exactly what data has been stolen, though the government may have some idea. This might go down as the worst cyberattack in history when the true scope of this breach and its fallout are understood.

What made this attack so insidious was the attack vector used: the SolarWinds supply chain. SolarWinds were not the end target, but they are heavily embedded in and trusted by government entities and high-profile organizations. This type of attack is known as an Advanced Persistent Threat (APT) and the method of attack is nothing more than a trojan horse; specifically, it is known as a Remote Access Trojan (RAT) because it targeted user data and company secrets.

Recommended Actions

SolarWinds has identified the infected Orion updates and published information about them here. Users need to check if updated Orion Platform versions 2019.4 HF5 were installed between March and June 2020. They recommend that all Orion users should update to Orion Platform version 2020.2.1 Hot Fix 2.

Users should check their networks for evidence of being compromised. Scan for two key identifiers: the use of the Teardrop in-memory malware to drop Cobalt Strike Beacon and for your organization’s hostnames. If breached, hostnames can uncover malicious IP addresses used by the attackers.

Atlantic.Net also offers this further advice on cybersecurity best practices: make sure you use some form of a local password manager. If you do not already, use some form of multi-factor authentication, get it installed urgently across your network. There are various options available including paid licensed versions or open source. Never use the same password throughout your organization, enforce a strict password policy, and enforce a complex password strategy.

One theory circulating concerning how the hackers managed the initial compromise posits that they achieved access by using internal usernames and passwords for SolarWinds that were found embedded into public GitHub code repositories.  The “Solarwinds123” password theory may have some merit and, if true, points the finger at entrenched bad security practices inside SolarWinds.

We can’t predict the fallout of this breach, but it is likely to have serious global ramifications. This incident will likely force US organizations to conduct a head-to-toe audit of their network environments. SolarWinds will doubtlessly lose many customers from this high-profile breach and can expect huge regulatory fines. It’s possible they may even be hit with fines for breaching GDPR, as many SolarWinds customers are located within the European Union.

We expect the US administration to revamp cybersecurity protocol in the wake of this attack, especially if it turns out to be a state-sponsored attack by Russia. The US government already has a cybersecurity platform in place that is designed to thwart this kind of attack known as EINSTEIN 3. It would appear this system was completely unaware of this attack.

If your business is concerned about cybersecurity, please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Cloud Hosting, and HIPAA Compliance. Security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place. This cyberattack will go down in history as one of the worst ever, we feel concerned for our friends in the industry that might be affected by this. The clients of SolarWinds have done nothing wrong; they purchased an industry-leading server management suite from a reputable business, and now, due to unknown security incompetence, each customer has been put at risk through no fault of their own. Get in touch today.