By now you have seen information published about Solarwinds’ Orion platform being exploited as part of a coordinated attack to distribute malware referred to as both SUNBURST and Solorigate. As of December 15, 2020, this does not affect SolarWinds N-central or SolarWinds RMM. As early as March of this year, customers of SolarWinds Inc., began unwittingly installing malicious software as part of a routine and seemingly benign update issued for a software product known as Orion, according to the company. That update, which would have been near impossible to identify as a threat, contained a back door that could have granted easy access to nearly 18,000 entities that downloaded it.
Attackers were able to silently add malicious code to SolarWinds’ software updates for Orion users. These updates were trojanized to contain a backdoor that reaches out to third-party servers (specifically a DLL) — enabling the attacker to gain a foothold in the network through routine or automatic updates. The malicious DLL beacons out to command and control (C2) infrastructure to receive additional commands and payloads. Initial C2 traffic blends into the normal network activity, masquerading as the Orion Improvement Program (OIP) to look like legitimate SolarWinds operations. Additional research by Microsoft indicates that in some instances, attackers were able to gain administrative access and even compromise SAML token signing certificates — allowing the attacker to forge SAML tokens. Forged SAML tokens may potentially give access to any privileged resources that trust that SAML token signing certificate.So this attack was extremely intelligent and malicious and provided a big time challenge for AV and Endpoint Protection to detect. But it all begins at the build process. Agile1 runs our application build process and Code repositories in a localized environment on a select few machines which are constantly monitored with all the latest security protocols and procedures to ensure controlled security by a very limited and select team.As part of our normal activity monitoring, we will continue to watch for suspicious activity that might indicate an attack such as:
- Rare traffic alerts to a location not seen before
- DLL file loading and analysis
- Anomalous use of service accounts
- Sign-ins for anomalous activity