This article follows our previous article on the Solarwinds cyber incident.

What happened?

Solarwinds and the wider infosec community have recently become aware of a critical vulnerability in a Solarwinds software program. Details about the incident are rapidly evolving; however, preliminary investigations indicate that a sophisticated state-sponsored threat actor group inserted the vulnerability (malicious code) into legitimate software in order to gain access to target organisations' systems.

Who is Solarwinds?

Solarwinds is a managed services provider which provides software products to private and Government organisations globally.

Among other programs, Solarwinds provides a software product referred to as Orion. Orion allows IT teams to centralise the monitoring of devices on an internal network, to ensure that devices are connecting to the network correctly and do not exhibit signs of suspicious activity. Orion also allows organisations to roll out updates to devices uniformly.

What do we know so far?

A threat actor group installed malicious code in a legitimate update to Solarwinds’ Orion software.

The malicious code gave the threat actor group remote access to networks of organisations which installed an update to the Orion program between March and June 2020 (effectively, a “back door” into a network). The malware is designed to hide its activity as legitimate network traffic.

After lying dormant for a period of approximately 2 weeks, the malicious code executes commands which are capable of transferring files, starting programs, profiling an organisation’s system, disabling system services and rebooting machines.

Immediate steps to take in response to the breach

While the scope of the compromise is not yet known, organisations which use Solarwinds' software products, specifically the Orion software product, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 should:

IT teams should also check the Dynamic Link Libraries (DLLs) shipped with the Solarwinds Orion product to see whether any of them match the file hashes listed here: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv.
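The hash check described above can be scripted so that it is repeatable across every Orion host. The script below is an added example written for this article; it is not code from Solarwinds, FireEye or the original post. It assumes only that the indicator file is a CSV containing hex file hashes somewhere in its cells (the real column names of the FireEye CSV are not assumed); it walks a directory, hashes every `.dll` with MD5, SHA-1 and SHA-256 in a single pass, and reports any file whose digest appears in the indicator list. The `demo()` function builds a throwaway directory with two files of arbitrary constructed bytes and a constructed indicator CSV, so it runs offline without any real malware.

```python
"""Hash every DLL under a directory and compare against an indicator CSV.

Added example for this article; not code from Solarwinds, FireEye or the
original post. Assumption: the indicator file is a CSV in which any cell that
is a 32/40/64-character hex string is an MD5/SHA-1/SHA-256 file hash. The real
column layout of the FireEye CSV is deliberately not assumed.
"""
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def load_indicators(csv_text):
    """Return {hash_hex_lower: algorithm} for every hash-looking cell in the CSV."""
    indicators = {}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            value = cell.strip().lower()
            algo = HASH_LENGTHS.get(len(value))
            if algo and all(c in "0123456789abcdef" for c in value):
                indicators[value] = algo
    return indicators


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 of one file in a single chunked pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root, indicators, suffixes=(".dll",)):
    """Walk root; return [(path, algorithm, digest)] for files matching an indicator."""
    matches = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            for algo, digest in hash_file(path).items():
                # Require the algorithm to agree so a 64-char MD5 typo cannot match.
                if indicators.get(digest) == algo:
                    matches.append((str(path), algo, digest))
    return matches


def demo():
    """Constructed end-to-end run: one 'bad' DLL whose SHA-256 is listed as an
    indicator and one 'clean' DLL. File contents are arbitrary bytes, not a
    real binary; the indicator CSV is constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "constructed_bad.dll"
        clean = Path(tmp) / "constructed_clean.dll"
        bad.write_bytes(b"constructed sample bytes - not a real binary")
        clean.write_bytes(b"different constructed bytes - also not a binary")
        bad_sha256 = hash_file(bad)["sha256"]
        csv_text = "Indicator,Type,Note\n%s,sha256,constructed placeholder\n" % bad_sha256
        matches = scan_directory(tmp, load_indicators(csv_text))
        return [(os.path.basename(p), algo) for p, algo, _ in matches]


if __name__ == "__main__":
    # On a real host: read the downloaded indicator CSV from disk and point
    # scan_directory at the Orion installation directory instead.
    print(demo())
```

In production use, replace the constructed CSV text with the contents of the downloaded indicator file and pass the Orion installation directory to `scan_directory`; because all three digests are computed in one pass, the scan costs one read of each DLL regardless of which hash types the indicator list carries.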

Organisations which suspect they have been compromised as part of the incident also need to consider the residual privacy implications of the Orion compromise – that is, they will need to assess whether the incident amounts to an 'eligible data breach' under the Privacy Act in Australia, and under other data protection laws around the world where applicable.

Affected organisations and Government agencies should continue to monitor the advisories for further details on how to respond.

Where do you go for more information?

We commend the ACSC, DPC VIC and wider infosec community for leading the national/whole of Government response to this incident and for providing real time updates on the impact to Government agencies and the private sector.

The following sources provide additional information which may help you identify indicators of compromise in your environment:

  • the ACSC will provide relevant updates on its Orion compromise threat page, here: https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-solarwinds-orion-compromise;
  • Solarwinds has released its recommendations on the steps organisations should take to patch the vulnerability in the Orion software program. Organisations should check whether they are, or have been, using one of the listed affected products, as recommended above. That advisory also lists the Solarwinds products which are known not to be affected at this stage;
  • the United States' Cybersecurity and Infrastructure Security Agency (CISA) has released a directive with mitigation steps for impacted organisations, here: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance (Emergency Directive 21-01);
  • CISA has released an alert for the Solarwinds incident, which lists affected Solarwinds products, technical details (as known) of the incident, including tactics being used by the threat actor group to gain access to systems and avoid detection by incident response teams, and advice for detecting signs of compromise, here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a;
  • FireEye is releasing signatures to detect threat actor activity on its Github page, here: https://github.com/fireeye/sunburst_countermeasures; and
  • the Victorian Department of Prime Minister and Cabinet may also provide information on the compromise.