Malicious code inserted by alleged Russian hackers led to attacks on U.S. government agencies
SolarWinds said this week that no other versions of its Orion platform or any other software products from the company appear to have the Sunburst malware that’s suspected to have led to wide-ranging compromises of a number of U.S. government agencies and cybersecurity vendor FireEye.
The Lowdown: Among the government offices attacked by suspected Russian hackers are the State Department; Department of Homeland Security (DHS); Treasury; Cybersecurity and Infrastructure Security Agency (CISA); Commerce; and the National Institutes of Health (NIH).
The Details: FireEye threat researchers reported over the weekend that hackers suspected to be attached to a nation-state – the cybersecurity firm did not identify a country, though government sources have told news outlets that it was likely Russia – slipped the Sunburst malware inside updates to versions of Orion, a platform used for monitoring networks.
SolarWinds, based in Austin, Texas, said that an internal audit found no trace of the malicious code in other versions of Orion or in other software products, including its remote monitoring and management (RMM) products and N-central.
The malware, inserted into Orion Platform versions 2019.4 HF 5 through 2020.2.1 released between March and June 2020, could enable an attacker to compromise a server running the software.
In an update to its earlier security advisory, SolarWinds said Dec. 15 that the affected versions of Orion are no longer available and recommended Orion users take the following steps:
> Upgrade from Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to version 2020.2.1 HF 2.
> Update versions of Orion Platform v2019.4 HF 5 to 2019.4 HF 6.
> Update to hotfix release 2020.2.1 HF 2. The new release replaces the compromised component and delivers additional security enhancements.
All updates are available via the SolarWinds Customer Portal.
Organizations that can't upgrade immediately should follow SolarWinds' interim mitigation guidance, including installing the Orion Platform behind firewalls and disabling Internet access for the platform.
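The upgrade steps above are easy to apply to one server but tedious across a fleet, because the affected builds are identified by hotfix level ("2020.2 with no hotfix", "2020.2 HF 1") rather than by a simple version range. The following triage script is an added example, not SolarWinds code or part of its advisory: it parses Orion version strings as an administrator might record them in an asset inventory, classifies each host against the affected and fixed versions named in the steps above, and reports the upgrade target. The inventory lines and hostnames are constructed for the example; any version the advisory does not name is flagged for manual verification rather than assumed safe.

```python
"""Triage an Orion Platform inventory against the Sunburst remediation steps.

Added example (not SolarWinds' own tooling). The affected/fixed versions come
from the advisory steps summarised in the article; everything else is assumed.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional


class OrionVersion(NamedTuple):
    major: int   # e.g. 2020
    minor: int   # e.g. 2
    patch: int   # 0 when absent, so "2020.2" == "2020.2.0"
    hotfix: int  # 0 when no hotfix is installed


# Accepts "2019.4 HF 5", "2020.2", "2020.2 HF1", "2020.2.1 HF 2" (case-insensitive).
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[OrionVersion]:
    """Parse an Orion Platform version string; return None if it is not one."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Builds the advisory names as carrying the trojanised component -> release to move to.
AFFECTED: Dict[OrionVersion, str] = {
    OrionVersion(2019, 4, 0, 5): "2019.4 HF 6",
    OrionVersion(2020, 2, 0, 0): "2020.2.1 HF 2",
    OrionVersion(2020, 2, 0, 1): "2020.2.1 HF 2",
}

# Hotfix releases the advisory says replace the compromised component.
FIXED = {OrionVersion(2019, 4, 0, 6), OrionVersion(2020, 2, 1, 2)}


def triage(version_text: str) -> str:
    """Classify a single installed version string."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable: check the host manually"
    if v in AFFECTED:
        return f"affected: upgrade to {AFFECTED[v]}"
    if v in FIXED:
        return "fixed: hotfix replaces the compromised component"
    # Not named in the advisory either way; do not assume it is clean.
    return "not listed in the advisory: verify the installed build manually"


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Triage 'hostname,version' inventory lines; returns hostname -> verdict."""
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = triage(version)
    return results


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    "# hostname,orion_version",
    "npm-prod-01,2020.2 HF 1",
    "npm-prod-02,2020.2",
    "npm-legacy-01,2019.4 HF 5",
    "npm-lab-01,2020.2.1 HF 2",
    "npm-lab-02,2018.4 HF 3",
    "npm-unknown,n/a",
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {verdict}")
```

The script deliberately returns a distinct "not listed" verdict instead of "clean" for versions the advisory does not mention, so older or newer builds still get a human look before a host is marked remediated.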
The Impact: In a filing with the Securities and Exchange Commission, SolarWinds said that fewer than 18,000 of the 33,000 organizations using Orion software had installed the update that included the malware. In all, SolarWinds has more than 300,000 customers.
In a related move, Microsoft this week reportedly took control of a domain name that the SolarWinds hackers had used to communicate with compromised systems, which should give the software and cloud giant more insight into the breadth of the sophisticated cyberattack.
Background: The hack comes as Pulse Secure CEO Sudhakar Ramakrishna prepares to take over as SolarWinds’ CEO next month and as the company continues to evaluate spinning off its MSP business.
The Buzz: “Based on our investigation, we are not aware that this vulnerability affects other versions – including future versions – of Orion Platform products,” SolarWinds said in the security update. “We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our other products or agents contain those markers.”