
SolarWinds Orion Attack

Released: Dec 15, 2020


Severity: Critical

Vendor: SolarWinds

Type: Attack


The SolarWinds supply chain attack

In March 2020, SolarWinds released signed software containing a planted backdoor as a regular (trusted) software patch. The backdoor was not discovered until the FireEye breach became public 9 months later.

Common Vulnerabilities and Exposures

CVE-2020-10148

Background

SolarWinds was the victim of a complex and targeted supply chain cyber attack, whose primary goal was to insert a malicious backdoor into trusted (signed) software that could later be exploited in end-customer installations of the SolarWinds Orion platform. As reported by SolarWinds, the earliest visible trace of the attacker is test code inserted in the October 2019 software release: https://www.solarwinds.com/securityadvisory

It has been claimed that the attackers first gained access to SolarWinds infrastructure by exploiting an authentication service vulnerability. They were then able to persist and monitor emails and files to identify the developers they needed to target. Once identified, the targets were infiltrated using spear-phishing techniques to infect their local compute instances, which were trusted to check in source code.

Starting in March 2020, SolarWinds began distributing infected patches via its website (as regular software patches) to unsuspecting SolarWinds Orion customers. The impacted versions are 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. Once a customer upgrades to a vulnerable version, the attacker obtains an initial foothold on the end customer's SolarWinds Development Server, and the malware can then target desired endpoints and install the infiltration malware on those systems. After installation on the victim, it may download subsequent malware and eventually connect to the C&C server.

On December 8, 2020, FireEye announced it was the victim of a cyber attack, disclosing that some of its advanced "red team" tools had been stolen. Within the following week, FireEye determined the breach was due to the SolarWinds vulnerability.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


SolarWinds subsequently released a detailed announcement:
https://www.solarwinds.com/securityadvisory#anchor1


On December 13, 2020, CERT issued Emergency Directive 21-01 regarding this issue:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • App Control

  • AV (Pre-filter)

  • IPS

DETECT
  • Outbreak Detection

  • Threat Hunting

  • Playbook

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Vulnerability Management

  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise
IOC Indicator List
Indicator Type Status
ajmerakankhul.com domain Active
3hgo5joyu9.top domain Active
nqxipkvgtqfli.mx domain Active
qyswkyjw.to domain Active
139.99.115.204 ip Active
begqtiwpyumv.mu domain Inactive
lcwxgthjsbnps.ir domain Active
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742df... file Active
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce... file Active
znsbncjqx.net domain Inactive
crsffzi.cn domain Inactive
dae02f32a21e03ce65412f6e56942daa file Active
8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2... file Active
pqnsczsd.info domain Active
ewkwplkfbaz.info domain Inactive
jmyicswybd.cn domain Inactive
gikvjejrkc.cn domain Inactive
avsvmcloud.com domain Active
019085a76ba7126fff22770d71bd901c325fc68ac55aa74... file Active
02af7cec58b9a5da1c542b5a32151ba1 file Active
1b476f58ca366b54f34d714ffce3fd73cc30db1a file Active
292327e5c94afa352cc5a02ca273df543f2020d0e76368f... file Active
2c4a910a1299cdae2a4e55988a2f102e file Active
2f1a5a7411d015d01aaee4535835400191645023 file Active
32519b85c0b422e4656de6e6c41878e95fd95026267daab... file Active
4f2eb62fa529c0283b28d05ddd311fae file Active
56ceb6d0011d87b6e4d7023d7ef85676 file Active
75af292f34789a1c782ea36c7127bf6106f595e8 file Active
76640508b1e7759e548771a5359eaed353bf1eec file Active
846e27a652a5e1bfbd0ddd38a16dc865 file Active
b91ce2fa41029f6955bff20079468448 file Active
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c7... file Active
c2c30b3a287d82f88753c85cfb11ec9eb1466bad file Active
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3... file Active
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4... file Active
d130bd75645c2433f88ac03e73395fba172ef676 file Active
13.59.205.66 ip Active
167.114.213.199 ip Active
204.188.205.176 ip Active
34.203.203.23 ip Active
5.252.177.21 ip Active
5.252.177.25 ip Active
51.89.125.18 ip Active
54.193.127.66 ip Active
54.215.192.52 ip Active
6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsv... domain Active
7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsv... domain Active
databasegalore.com domain Active
deftsecurity.com domain Active
freescanonline.com domain Active
gq1h856599gqh538acqn.appsync-api.us-west-2.avsv... domain Active
highdatabase.com domain Active
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsv... domain Active
incomeupdate.com domain Active
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsv... domain Active
mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsv... domain Active
panhardware.com domain Active
thedoccloud.com domain Active
websitetheme.com domain Active
zupertech.com domain Active
appsync-api.eu-west-1.avsvmcloud.com domain Active
appsync-api.us-east-1.avsvmcloud.com domain Active
appsync-api.us-east-2.avsvmcloud.com domain Active
appsync-api.us-west-2.avsvmcloud.com domain Active
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa7... file Active
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89... file Active
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07... file Active
c09040d35630d75dfef0f804f320f8b3d16a48107107691... file Active
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d6... file Active
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e6... file Active
d3c6785e18fba3749fb785bc313cf8346182f532c59172b... file Active
virtualdataserver.com domain Active
digitalcollege.org domain Active
globalnetworkissues.com domain Active
seobundlekit.com domain Active
virtualwebdata.com domain Active
http://downloads.solarwinds.com/solarwinds/Cata... url Active
1acf3108bf1e376c8848fbb25dc87424f2c2a39c file Active
6fdd82b7ca1c1f0ec67c05b36d14c9517065353b file Active
e257236206e99f5a5c62035c9c59c57206728b28 file Active
bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387 file Active
13.57.184.217 ip Active
18.217.225.111 ip Active
18.220.219.143 ip Active
184.72.1.3 ip Active
184.72.101.22 ip Active
184.72.113.55 ip Active
184.72.145.34 ip Active
184.72.209.33 ip Active
184.72.21.54 ip Active
184.72.212.52 ip Active
184.72.224.3 ip Active
184.72.229.1 ip Active
184.72.240.3 ip Active
184.72.245.1 ip Active
184.72.48.22 ip Active
20.141.48.154 ip Active
3.16.81.254 ip Active
3.87.182.149 ip Active
34.219.234.134 ip Active
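An indicator list only becomes a detection once it is matched against telemetry. The following Python matcher is an added example (not FortiGuard's code and not from the page); it takes a subset of the domains, IPs and file hashes listed above, matches domain indicators as exact names or parent domains (so any label under a listed appsync-api.*.avsvmcloud.com name is caught), and scans a few constructed key=value log lines. The log format, the sample lines, the host/path values and the random subdomain label are all assumptions made for the example.

```python
"""
Match a subset of the SolarWinds IoC list against DNS, connection and file-hash
log lines. Added example, not FortiGuard's code; the log format is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of indicators copied from the list above, grouped by the table's
# "Type" column. Not the complete list.
IOC_DOMAINS = {
    "avsvmcloud.com", "appsync-api.us-west-2.avsvmcloud.com",
    "databasegalore.com", "deftsecurity.com", "freescanonline.com",
    "highdatabase.com", "incomeupdate.com", "panhardware.com",
    "thedoccloud.com", "websitetheme.com", "zupertech.com",
}
IOC_IPS = {"13.59.205.66", "139.99.115.204", "5.252.177.21", "5.252.177.25"}
IOC_HASHES = {  # MD5 and SHA-1 values from the list, compared lower-case
    "dae02f32a21e03ce65412f6e56942daa",
    "02af7cec58b9a5da1c542b5a32151ba1",
    "1b476f58ca366b54f34d714ffce3fd73cc30db1a",
    "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b",
}

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_indicator(value: str) -> str:
    """Classify a raw indicator by shape: ip, md5/sha1/sha256, domain or unknown.
    Truncated hashes (ending in '...') deliberately come back as 'unknown'."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HEX_LENGTHS:
        return HEX_LENGTHS[len(v)]
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", v):
        return "domain"
    return "unknown"


def domain_hits(name: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IoC domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable domain: a.b.c -> b.c
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # domain / ip / file, mirroring the table's Type column
    observed: str    # value seen in the log line
    indicator: str   # IoC it matched


KV = re.compile(r"(\w+)=(\S+)")


def scan_log(lines) -> List[Hit]:
    """Scan key=value log lines (constructed format) and report IoC matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        query = fields.get("query")
        if query:
            matched = domain_hits(query)
            if matched:
                hits.append(Hit(n, "domain", query, matched))
        dst = fields.get("dst", "").rsplit(":", 1)[0]  # strip :port
        if dst in IOC_IPS:
            hits.append(Hit(n, "ip", dst, dst))
        for key in ("md5", "sha1"):
            digest = fields.get(key, "").lower()
            if digest in IOC_HASHES:
                hits.append(Hit(n, "file", digest, digest))
    return hits


# Constructed sample log lines (not from the page): one benign, three hits.
SAMPLE_LOG = [
    "2020-12-14T09:12:03Z dns src=10.1.2.3 query=update.example.org",
    "2020-12-14T09:12:09Z dns src=10.1.2.3 query=xyz123.appsync-api.us-west-2.avsvmcloud.com",
    "2020-12-14T09:12:41Z conn src=10.1.2.3 dst=13.59.205.66:443 proto=tcp",
    "2020-12-14T09:15:00Z file host=srv01 path=C:\\placeholder\\module.dll "
    "sha1=1b476f58ca366b54f34d714ffce3fd73cc30db1a",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.observed} -> {hit.indicator}")
```

Matching on parent domains rather than exact strings is the point of the domain check: the listed avsvmcloud.com names carry per-victim subdomain labels, so an exact-match blocklist would miss a query for a label that is not in the list. The classify_indicator helper is there to validate an imported feed; the page's truncated SHA-256 entries come back as "unknown" rather than being silently loaded as comparable hashes.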