SolarWinds Orion Attack
The SolarWinds supply chain attack
Signed SolarWinds software containing a planted vulnerability was released in March 2020 as a regular (trusted) software patch. The backdoor was not discovered until the FireEye breach became public 9 months later.
Background
SolarWinds was the victim of a complex and targeted supply chain cyber attack. The primary goal was to insert a malicious backdoor into trusted (signed) software, which could later be exploited in end-customer installations of the SolarWinds Orion platform. As reported by SolarWinds, the earliest visible trace of the attacker is test code inserted in the October 2019 software release (https://www.solarwinds.com/securityadvisory).

It has been claimed that the attackers first gained access to SolarWinds infrastructure by exploiting an authentication service vulnerability. They were then able to persist and monitor emails and files in order to identify the developers they needed to target. Once identified, those developers were infiltrated using spear-phishing techniques to infect the local compute instances trusted to check in source code.

Starting in March 2020, SolarWinds began distributing infected patches via its website, as regular software patches, to unsuspecting SolarWinds Orion customers. The impacted versions are 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. Once a customer upgrades to a vulnerable version, the initial foothold is obtained on the end customer's SolarWinds Development Server, and the malware can then target the desired endpoints and install the infiltration malware on those systems. After installation on the victim it may download subsequent malware and eventually connect to the C&C server.

On December 8, 2020, FireEye announced it was the victim of a cyber attack, disclosing that some of its advanced "red team" tools had been stolen. Within the following week, FireEye determined the breach was due to the SolarWinds vulnerability.
Threat Radar Overall Score: 3.8
CVSS Rating              | 9.0
FortiRecon Score         | 90/100
Known Exploited          | Yes
Exploit Prediction Score | 97.31%
FortiGuard Telemetry     | 270
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
SolarWinds subsequently released a detailed announcement:
https://www.solarwinds.com/securityadvisory#anchor1
On December 13, 2020, CERT issued Emergency Directive 21-01 regarding this issue:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- App Control
- AV (Pre-filter)
- IPS
- Outbreak Detection
- Threat Hunting
- Playbook
- Assisted Response Services
- Automated Response
- NOC/SOC Training
- End-User Training
- Vulnerability Management
- Attack Surface Hardening
App Control: Block/detect communication to the attack surface (Orion Platform).
AV (Pre-filter): Blocks the trojan payload.
IPS: Blocks the exploit and lateral movement.
Outbreak Detection
Playbook
Assisted Response Services: Experts to assist you with analysis, containment and response activities.
Automated Response: Services that can automatically respond to this outbreak.
NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
End-User Training: Raise security awareness among your employees, who are continuously being targeted by phishing, drive-by downloads and other forms of cyberattack.
Vulnerability Management: Auto-tagging of vulnerable endpoints, which can be used in Fabric automation.
Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Indicators of compromise
IOC Indicator List
Mitre Matrix
References
Sources of information in support and relation to this Outbreak and vendor.