This week SolarWinds announced that they were breached earlier this year and the attackers were able to place malicious code within their build systems for their Orion product. This malicious code was subsequently; compiled, tested, signed, and delivered to SolarWinds customers in March 2020. The last week has been very interesting as a supply chain breach of this magnitude has only been theorized and discussed in security tabletop exercises. After the SolarWinds breach announcement we have been working with several Ordr customers and partners in order to facilitate both detection of malicious activity associated with this breach and for some customers facilitate the detection of these SolarWinds devices on the network so that they could be taken down.
Currently, Ordr has the ability to detect the command and control (C2) servers utilized in the Domain Generation Algorithm (DGA) of this SolarWinds malware through our malicious communication detection service. Ordr monitors all device communications within the network and if we see a connection or DNS lookup to one of the malicious domains associated with this malware (*.avsvmcloud.com – as part of the countermeasures by FireEye: https://github.com/fireeye/red_team_tool_countermeasures) we will alert the Ordr SCE operators.
Additionally, we have deployed several detection signatures to our deep packet inspection (DPI) intrusion detection system (IDS) that looks for both the malicious communications associated with this SolarWinds malware and the lateral movement techniques that FireEye and Microsoft discovered when researching the threat actors utilizing the SolarWinds malware.
Of course, since Ordr has the capability to detect and classify all systems on the network we are able to detect any SolarWinds systems that exist at any time on the network.
SolarWinds has provided a hotfix (2020.2 HF 1) and is providing an additional hotfix (2020.2 HF 2) today to all of their customers. We urge all SolarWinds customers to apply these patches to their systems and to aggressively monitor the SolarWinds servers for any anomalies.
Additionally, we are urging anyone that utilizes SolarWinds Orion to change any authentication credentials that were stored inside the Orion system and to consider all authentication credentials compromised if they were stored inside the Orion system within the last 10 months.
Jeff Horne
Jeff Horne is currently the CSO at Ordr where he is responsible for security direction both within Ordr products and internal security. Prior to Ordr Jeff was the VP of Information Security for Optiv where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv Jeff was the Senior Director of Information Security for SpaceX where he was responsible for the overall security strategy of SpaceX and managing the Information Security, Compliance (ITAR), Security Operations, and Physical Security groups. Previous to SpaceX Jeff was the Vice President of R&D and Chief Architect for Accuvant LABS where he managed teams of researchers and consultants specializing in reverse engineering, malicious code, incident response, breach analysis, and vulnerability assessment. Prior to Accuvant Jeff was the Director of Threat Research at Webroot Software where he led several teams of malware researchers, reverse engineers, and a development organization specializing in creating anti-malware functionality and detection signatures for all Webroot products. Jeff began his career as a Vulnerability Researcher at Internet Security Systems where he was responsible for vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware. Jeff is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.
Follow by Author