SolarWinds Breach Update

If you are an Agile1 customer (thank you) we have taken the necessary steps to ensure you are properly being monitored 24/7. While no platform is guaranteed to stop a motivated and well-funded nation-state from a breach, working with the Agile1 SOC-as-a-Service can identify, detect and alert to anomalous behavior.
 
Background:
By now you have seen information published about Solarwinds’ Orion platform being exploited as part of a coordinated attack to distribute malware referred to as both SUNBURST and Solorigate. As of December 15, 2020, this does not affect SolarWinds N-central or SolarWinds RMM. As early as March of this year, customers of SolarWinds Inc., began unwittingly installing malicious software as part of a routine and seemingly benign update issued for a software product known as Orion, according to the company. That update, which would have been near impossible to identify as a threat, contained a back door that could have granted easy access to nearly 18,000 entities that downloaded it.
The Exploit:
Attackers were able to silently add malicious code to SolarWinds’ software updates for Orion users. These updates were trojanized to contain a backdoor that reaches out to third-party servers (specifically a DLL) — enabling the attacker to gain a foothold in the network through routine or automatic updates. The malicious DLL beacons out to command and control (C2) infrastructure to receive additional commands and payloads. Initial C2 traffic blends into the normal network activity, masquerading as the Orion Improvement Program (OIP) to look like legitimate SolarWinds operations. Additional research by Microsoft indicates that in some instances, attackers were able to gain administrative access and even compromise SAML token signing certificates — allowing the attacker to forge SAML tokens. Forged SAML tokens may potentially give access to any privileged resources that trust that SAML token signing certificate.So this attack was extremely intelligent and malicious and provided a big time challenge for AV and Endpoint Protection to detect. But it all begins at the build process. Agile1 runs our application build process and Code repositories in a localized environment on a select few machines which are constantly monitored with all the latest security protocols and procedures to ensure controlled security by a very limited and select team.As part of our normal activity monitoring, we will continue to watch for suspicious activity that might indicate an attack such as:
  • Rare traffic alerts to a location not seen before
  • DLL file loading and analysis
  • Anomalous use of service accounts
  • Sign-ins for anomalous activity
We will continue to monitor the situation and alert you should any further communications be necessary. If you have questions please reach out to your Agile1 representative.

Written by Tony Pietrocola

Tony Pietrocola is Co-Founder and President of AgileBlue. Tony has over 20 years' experience in managing and growing technology companies in the SaaS, Fintech and cybersecurity spaces.

December 15, 2020

You May Also Like…

Top January 2023 Cyber-Attacks

Top January 2023 Cyber-Attacks

It’s the end of January 2023, and the numbers are in– below is a list of the most malicious cyber-attacks over the last month.    As reported by Kon Briefing, cyber-attacks have affected more than...

read more

Request a Demo

AgileBlue is a software company with an innovative SOC-as-a-Service for 24X7 network monitoring, cloud security, data privacy and compliance.

Our modern SOC-as-a-Service is built on innovative machine learning and autonomous execution. If you would like to discuss our SOC-as-a-Service, Partner Program or schedule a brief demo please give us a little info and we will contact you immediately.