In a major update to the recent FireEye security incident, it has now been revealed that a sophisticated and long-running supply-chain attack against the technology vendor SolarWinds was responsible for the breach.

Why Is This Big News?

What is significant about this revelation is that any organisation that uses SolarWinds Orion, not just FireEye, needs to act quickly to rid its servers of the malicious code. SolarWinds has stated that up to 18,000 customers may have installed the trojanised update, and United States government bodies, including the Department of Homeland Security, and other high-profile organisations are among those known to be affected.

The immediate takeaways:

  • SolarWinds Orion servers need to be updated to the recommended versions.
  • Affected servers should be rebuilt, or at the very least audited for indicators of malicious use.
  • FireEye's SUNBURST countermeasure rules (as a minimum those labelled ‘production’) need to be deployed across the estate, via NIDS and EDPR/AV where possible.

What is a Supply-Chain Attack?

A supply-chain attack differs from the standard delivery of a malicious payload. Instead of attacking the target directly, threat actors compromise the vendor's build or distribution infrastructure and slip their own code into installers or update packages, so that the vendor delivers the payload to its customers for them.

This type of attack exploits the end user's trust in the vendor to bypass several layers of security within an estate: software obtained from a trusted source is likely to be excluded from security audits, allow-listed in security software and exempted from other controls.

For example, your organisation is unlikely to invest time in auditing Microsoft Word. If an Office installer obtained directly from Microsoft were flagged by security controls, you would probably treat the alert as a false positive and release it.

Figure 1 Simplified depiction of how a supply-chain attack leads to customer compromise

SolarWinds Announcement

As of 13 December 2020, we know that a sophisticated and well-resourced threat actor, tracked as UNC2452 by FireEye and as “Dark Halo” in some threat feeds, was able to distribute a backdoor dubbed SUNBURST through SolarWinds' own download servers for a period of months. The backdoor was embedded in a component of the SolarWinds Orion platform (the SolarWinds.Orion.Core.BusinessLayer.dll library) and digitally signed with SolarWinds' legitimate code-signing certificate, so it passed signature checks like any other Orion update.

Other tooling seen in association with the breach includes TEARDROP, a memory-only dropper, and Cobalt Strike BEACON, a commercial penetration-testing implant that TEARDROP loads into memory and that the actor uses for command and control and for pivoting within estates.

Security Patches

SolarWinds released an advisory explaining that Orion Platform builds for versions “2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1” were compromised and contain the malicious code, and gave details of the updates to apply to remove it.

Version List and Updates Required

Version affected                          Mitigation
Orion Platform v2020.2 with no hotfix     Update to 2020.2.1 HF 1
Orion Platform 2020.2 HF 1                Update to 2020.2.1 HF 1
Orion Platform v2019.4 HF 5               Update to 2019.4 HF 6

These updates can be retrieved through

Although FireEye has stated that the actor uses the backdoor selectively and by hand, so that turning a SUNBURST installation into remote access to an estate takes time and effort, any server that ran one of these versions could have been used as a foothold at any point since the compromised build was installed, and the trojanised builds were distributed from March 2020 onwards.

Failing a complete server rebuild, companies should at the very least audit their SolarWinds servers, and the wider estate, for malicious persistence mechanisms.

Countermeasures to Help Manage/Prevent These Attacks

1. Network Intrusion Detection Systems (NIDS)

In order to make use of the malicious code in the affected Orion versions, the attacker needs a channel between the backdoor and infrastructure they control. SUNBURST opens that channel itself, from inside the estate outwards: after a dormancy period of up to two weeks it resolves a generated subdomain of avsvmcloud.com over DNS and, if the response instructs it to, begins HTTPS communication with a command-and-control server. There is no inbound listener to firewall off; the traffic to watch for is outbound from the Orion server.

Using a combination of network baselining, intrusion detection and FireEye's publicly released SUNBURST countermeasure rules, NIDS can detect the backdoor's outbound beaconing and the command-and-control traffic that follows it, whether the foothold is a compromised SolarWinds build or some other persistence mechanism, and can flag any Orion server talking to destinations outside its established baseline.

A further source of enrichment for NIDS solutions is AlienVault OTX, in this case AlienVault's continuously updated pulse of indicators relating to SUNBURST, TEARDROP and Cobalt Strike.
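As an added illustration of the network-side checks described above (example code written for this page, not part of the original article or of FireEye's countermeasures), the following Python script parses BIND-style DNS query-log lines and applies two rules: any lookup under avsvmcloud.com, the domain the SUNBURST first stage resolves, is reported as a high-confidence indicator, and any Orion server resolving a name outside an assumed baseline is reported for review. The log lines, the Orion server addresses and the baseline suffixes are constructed for the example; in practice the baseline comes from your own traffic history and the indicator list from FireEye's published rules.

```python
import re
from collections import Counter

# Constructed BIND-style query-log sample (not real traffic): a SolarWinds
# poller at 10.20.30.40 resolving SUNBURST first-stage domains alongside
# normal lookups from other hosts. The subdomain labels are made up.
SAMPLE_DNS_LOG = """\
13-Dec-2020 09:12:01.004 queries: info: client 10.20.30.40#52341: query: orion-poller.corp.example IN A + (10.0.0.53)
13-Dec-2020 09:12:07.118 queries: info: client 10.20.30.40#52342: query: k3example0encoded0victim.appsync-api.us-west-2.avsvmcloud.com IN A + (10.0.0.53)
13-Dec-2020 09:13:44.201 queries: info: client 10.20.30.41#61002: query: downloads.solarwinds.com IN A + (10.0.0.53)
13-Dec-2020 09:14:02.330 queries: info: client 10.20.30.41#61010: query: cdn.unknown-example.net IN A + (10.0.0.53)
13-Dec-2020 09:15:09.555 queries: info: client 10.20.30.40#52350: query: p9example1encoded1victim.appsync-api.eu-west-1.avsvmcloud.com IN A + (10.0.0.53)
13-Dec-2020 09:16:30.010 queries: info: client 10.20.30.77#40011: query: update.microsoft.com IN A + (10.0.0.53)
"""

# SUNBURST's first stage resolves a generated subdomain of avsvmcloud.com
# (FireEye's public analysis); any lookup under it is a high-confidence hit.
SUNBURST_C2_SUFFIX = ".avsvmcloud.com"

# Assumed inventory of Orion servers and the name suffixes they are expected
# to resolve. Both are constructed for this example; build yours from your
# own asset list and traffic baseline.
ORION_HOSTS = {"10.20.30.40", "10.20.30.41"}
ORION_BASELINE_SUFFIXES = (".corp.example", ".solarwinds.com")

QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query(line):
    """Return (client_ip, qname, qtype) from one query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def name_matches(name, suffixes):
    """True if name is one of the baseline zones or a subdomain of one."""
    return any(name == s.lstrip(".") or name.endswith(s) for s in suffixes)


def scan_dns_log(lines):
    """Apply the indicator rule and the baseline rule; return a list of findings."""
    findings = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, name, _qtype = parsed
        if name.endswith(SUNBURST_C2_SUFFIX):
            findings.append({"severity": "high", "rule": "sunburst-dga-lookup",
                             "client": ip, "qname": name})
            continue
        if ip in ORION_HOSTS and not name_matches(name, ORION_BASELINE_SUFFIXES):
            findings.append({"severity": "medium", "rule": "orion-host-off-baseline",
                             "client": ip, "qname": name})
    return findings


def hosts_by_rule(findings):
    """Count hits per client per rule, so the triage list stays short."""
    table = {}
    for f in findings:
        table.setdefault(f["rule"], Counter())[f["client"]] += 1
    return table


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for f in hits:
        print(f"[{f['severity']:6}] {f['rule']:24} {f['client']:15} {f['qname']}")
    print(hosts_by_rule(hits))
```

Run it against a real query log by replacing the sample with `open(path)`; the high-severity rule needs no baseline, so it can be applied to historical logs for the whole period since March 2020, while the off-baseline rule is only as good as the inventory and suffix list you feed it.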

2. Endpoint Detect Protect Respond (EDPR)

EDPR agents can combine deep file inspection, in-memory behavioural analysis and FireEye's SUNBURST YARA rules and IOC lists to detect the processes and files associated with the SolarWinds Orion backdoor.

EDPR is also effective against Cobalt Strike BEACON, the red-team implant that TEARDROP loads into memory and that is included in the SUNBURST IOC breakdown.
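As an added example of the file-level hunt an EDPR tool performs (written for this page; not FireEye's YARA rules or SolarWinds' code), the following Python script walks a directory tree for copies of SolarWinds.Orion.Core.BusinessLayer.dll, hashes each one for comparison against a list of published SUNBURST hashes (supplied by the caller; none are embedded here) and checks the binary for the UTF-8 class name OrionImprovementBusinessLayer, which FireEye identified as the class holding the backdoor and which a legitimate build does not contain. The two stand-in DLLs it creates under a temporary directory are constructed fixtures, not real Orion binaries.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Component FireEye identified as carrying SUNBURST, and the class the backdoor
# code lives in. The class name sits in the .NET metadata as UTF-8, so it is a
# usable string indicator alongside the published file hashes.
TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"
BACKDOOR_CLASS = b"OrionImprovementBusinessLayer"


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large DLLs are not slurped into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def contains_bytes(path, needle, chunk=1 << 20):
    """Streaming substring search; the carry keeps a needle split across chunks visible."""
    carry = b""
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            if needle in carry + block:
                return True
            carry = block[-(len(needle) - 1):]
    return False


def scan_tree(root, known_bad_sha256):
    """Walk root and report every copy of the target DLL with both verdicts."""
    results = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() != TARGET_DLL:
                continue
            path = Path(dirpath) / fn
            digest = sha256_of(path)
            hit_hash = digest in known_bad_sha256
            hit_class = contains_bytes(path, BACKDOOR_CLASS)
            results.append({
                "path": str(path),
                "sha256": digest,
                "ioc_hash_match": hit_hash,
                "backdoor_class_present": hit_class,
                "verdict": "SUNBURST" if (hit_hash or hit_class) else "no indicator",
            })
    return results


def scan_summary(root, known_bad_sha256):
    """Map the DLL's parent directory name to its verdict, for quick reporting."""
    return {Path(r["path"]).parent.name: r["verdict"]
            for r in scan_tree(root, known_bad_sha256)}


def build_sample_tree():
    """Constructed fixture: two stand-in DLLs, one carrying the backdoor class name."""
    root = Path(tempfile.mkdtemp(prefix="orion-scan-"))
    clean = root / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
    bad = root / "Orion-backup" / "SolarWinds.Orion.Core.BusinessLayer.dll"
    clean.parent.mkdir(parents=True)
    bad.parent.mkdir(parents=True)
    filler = b"\x00" * 64
    clean.write_bytes(b"MZ" + filler + b"SolarWinds.Orion.Core.BusinessLayer" + filler)
    bad.write_bytes(b"MZ" + filler + b"SolarWinds.Orion.Core.BusinessLayer." + BACKDOOR_CLASS + filler)
    return root


if __name__ == "__main__":
    # Usage: python scan_orion.py [root]  (defaults to the constructed fixture).
    # In practice pass FireEye's published SUNBURST hashes instead of set().
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in scan_tree(target, set()):
        print(f"{r['verdict']:12} {r['sha256'][:16]}... {r['path']}")
```

Scan every location a copy of the DLL can hide, not just the live install directory: backups, hot-fix staging folders and snapshots can all retain a compromised build after the update is applied. A clean verdict from this check is not proof of a clean server, which is why the text above still recommends a rebuild or a full persistence audit.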

3. Privilege Access Management (PAM)

FireEye has named Cobalt Strike as a tool dropped during SUNBURST attacks: a commercial red-team framework, widely abused by real attackers, used to pivot through estates and elevate their level of access and control over company devices and services.

Cobalt Strike's lateral movement depends heavily on the theft, manipulation and reuse of Windows credentials (credential dumping, pass-the-hash and token impersonation, for example) to move through an estate, impersonating users and gaining higher privileges over target devices.

For this reason it is essential to lock down not only the use of domain credentials within an estate but also the privileges those credentials grant, so that a stolen credential is worth as little as possible to the attacker. Privileged Access Management solutions help here by combining session management, just-in-time credential brokerage and user auditing to slow down, and expose, attackers attempting to pivot within an estate.