US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack
Russia's Cozy Bear fingered, FireEye details injected backdoor and says it's worldwide
Updated SolarWinds' Orion IT monitoring platform has been compromised, and speculation is swirling it was used as a base camp by state-backed hackers to infiltrate major US government organizations.
Kevin Thompson, SolarWinds president and CEO, said his company is "aware of a potential vulnerability" that may have been in "updates which were released between March and June 2020 to our Orion monitoring products."
"We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state," he added. "We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time."
As we report in our update to this story below, FireEye says it found a backdoored .dll file that was uploaded to and available from the downloads section of SolarWinds' site.
If you're a SolarWinds customer, assume compromise and immediately activate your incident response team.
This malicious code, once activated, can be instructed by remote handlers to execute commands, hijack the system, and siphon off data. It's assumed someone nefarious was able to alter SolarWinds' software to include this backdoor, and injected it into the developer's website so that victims would download and install it. FireEye itself said it was earlier hacked by state-level snoops though it is not clear right now if the biz was compromised via a dodgy Orion installation.
The vandalized SolarWinds code is said to have been exploited by miscreants to sneak into networks within the US government bodies, among them the Treasury and the Department of Commerce's telecoms agency NTIA, where Orion is used. The infiltration, first reported by Reuters, is so serious, the National Security Council met to discuss it over the weekend.
The Washington Post also reported that not only were the government hacks made possible via SolarWinds' software, the attack was perpetrated by Russian hacking group APT29, aka Cozy Bear. US government officials have acknowledged the incidents, though have not offered further details.
The Register has asked SolarWinds for more information, though evidence of updates in the relevant time frame is not hard to find: here's a June 2020 patch to the company's remote network monitoring agent for Windows.
This situation is properly scary because a supply chain attack that poisons product updates issued by a major security vendor suggests that Cozy Bear could be deep inside all sorts of systems and vendors. If that doesn't freak you out you, maybe SolarWinds' customer list will:
- More than 425 of the US Fortune 500
- All of the top 10 US telecommunications companies
- All five branches of the US military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All of the top five US accounting firms
While the prospect of Cozy Bear rummaging around inside the aforementioned organisations is scary, security experts aren't panicking.
Security analyst Jake Williams has posted a Twitter thread pointing out that products like Orion are a fine jumping-off point for an attack but points out that many such products are implemented to observe IT infrastructure performance rather than actively change configurations. He therefore urged readers not to assume the attack automatically translates to an ability to control systems.
Former US Cybersecurity and Infrastructure Security Agency head Chris Krebs suggested the attack has likely been under way for months, though it should be possible to contain.
"If you're a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team," he advised. "Odds are you're not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this."
As news breaks about what looks to be a pretty large-scale hack, I have the utmost confidence in the @CISAgov team and other Federal partners. I'm sorry I'm not there with them, but they know how to do this. This thing is still early, I suspect. Let's let the pros work it.— Chris Krebs (@C_C_Krebs) December 13, 2020
Hopefully, Krebs and Williams are correct. But even if they are, the fact remains that two big vendors have been hacked – FireEye as well as SolarWinds – and something appears to have taken a bite out of the US government. And all of these organisations boast of having strong defences against such attacks. ®
Updated 03:50 UTC, Monday 14 December
FireEye has posted an analysis of the injected malicious code, and says it's present in a file called
SolarWinds.Orion.Core.BusinessLayer.dll, which it describes as a "digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers."
FireEye says that once the .dll reaches a machine it remains dormant for up to two weeks, but then comes to life and "retrieves and executes commands, called 'Jobs', that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
"The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers."
FireEye continues: "The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds executable SolarWind.BusinessLayerHost.exe or SolarWindws.BusinessLayerHostx64.exe (depending on system configuration)."
The malware then goes dormant for another fortnight before attempting to resolve a subdomain of avsvmcloud[.]com. "The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications."
FireEye says it has "detected this activity at multiple entities worldwide."
"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."
Long story short, this is a bad one and made worse by the fact that SolarWinds offers infrastructure monitoring but appears not to have been able to keep its own website and APIs clean.
SolarWinds says of its 300,000-plus customers, no more than 18,000 installed the backdoored update, which includes the US government.