Update: December 15 - 2020, 16:10 CET
SolarWinds has issued a security report about their Orion product.
What is going on?
SolarWinds has suffered a manual (hands-on) supply chain attack. This means that someone was able to build a 'backdoor' into the SolarWinds Orion software at SolarWinds itself. The backdoor is reported to reside in SolarWinds.Orion.Core.BusinessLayer.dll.
Through this backdoor, the attackers can very selectively have a SolarWinds server install malware via the software update mechanism. The attackers are reported to have to perform a manual action before that second step, so not every system running the backdoored version is infected with malware by definition. It appears that the attackers deliberately go after specific organizations. The trojanized DLL is reported to contact the domain avsvmcloud.com to install the malware.
This issue occurs in the following Orion Platform versions:
- 2019.4 HF 5
- 2020.2 without HotFix (HF)
- 2020.2 HF 1
This affects ALL Orion modules.
What can you do?
If you are currently running one of the software versions listed above, your system contains the 'backdoor'. Since this attack appears to be highly targeted, the chance that malware has actually been installed is slim. In addition, the Orion server needs an internet connection for the malware to be installed.
To solve this problem (the backdoor) as soon as possible, you can upgrade to an Orion Platform version that does not have this problem today:
For version 2019.4 HF 5: upgrade to 2019.4 HF 6 (or of course 2020.2.1 HF 1)
For version 2020.2 (no HF) or 2020.2 HF 1: upgrade to 2020.2.1 HF 1
These versions can be downloaded from the SolarWinds customer portal today:
https://www.solarwinds.com - select customer portal at the top of the page, go to your downloads and download the hotfix installer.
However, these versions do not appear to close the gap completely. SolarWinds has promised to release Orion Platform version 2020.2.1 HF 2 on December 15, in which the issue is fully resolved and additional security enhancements are applied. Nevertheless, SolarWinds advises installing the versions mentioned above immediately.
How do you know if your system is infected?
Of course you also want to know whether your system is infected. We have found the following straightforward ways to check:
1. Microsoft has released an update for Windows Defender that recognizes the malware that can be installed via the backdoor. To use it, start Windows Defender, update the definition files and run a 'full scan' of your SolarWinds Orion server(s). Microsoft calls this malware 'Solorigate'.
2. The security firm FireEye calls the malware 'SUNBURST' and has published detection 'signatures' free of charge on GitHub with which the malware can be detected: https://github.com/fireeye/sunburst_countermeasures
These signatures are stated to work with the following open-source tools:
- Snort (https://www.snort.org)
- Yara (https://virustotal.github.io/yara/)
- ClamAV (https://www.clamav.net)
If you have more than one Orion system (for example because you are using additional pollers on separate servers), it is wise to check all servers.
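To make the checks above concrete, here is an added Python example (not from SolarWinds, FireEye or this advisory) that first classifies an Orion Platform build string against the affected versions listed above, and then scans DNS resolver log lines for queries to avsvmcloud.com or any of its subdomains, grouping the hits per client so you can see which Orion servers need attention. The log lines and their three-column layout are constructed for the example; adapt the parser to your own DNS server's log format.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Orion Platform builds named as affected in the advisory above.
AFFECTED_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Domain the trojanized DLL is reported to contact; the check below
# matches the apex domain and every subdomain beneath it.
C2_DOMAIN = "avsvmcloud.com"

def normalize_build(version: str) -> str:
    """Turn '2019.4 HF5', '2020.2 (no HF)' or '2020.2 without HotFix (HF)'
    into the canonical '<base> HF <n>' / '<base>' form used above."""
    v = re.sub(r"\s*\(?(?:without|no)\s+(?:hotfix|hf)\)?.*$", "", version.strip(), flags=re.I)
    m = re.match(r"^(\d{4}\.\d(?:\.\d)?)\s*(?:HF\s*(\d+))?$", v, re.I)
    if not m:
        raise ValueError(f"unrecognized Orion build string: {version!r}")
    base, hf = m.group(1), m.group(2)
    return f"{base} HF {int(hf)}" if hf else base

def is_affected_build(version: str) -> bool:
    """True when the build is one of the backdoored versions."""
    return normalize_build(version) in AFFECTED_BUILDS

def queried_c2_domain(qname: str) -> bool:
    """Case-insensitive match on the apex or any subdomain; the trailing
    dot some resolvers log is stripped, and look-alike names do not match."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def hosts_contacting_c2(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP to the suspicious names it looked up."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        _timestamp, client, qname = parts
        if queried_c2_domain(qname):
            hits[client].append(qname)
    return dict(hits)

# Constructed sample log: "<timestamp> <client-ip> <queried-name>" per line.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.0.5.20 time.windows.com
2020-12-14T09:12:07Z 10.0.5.20 example-host.avsvmcloud.com
2020-12-14T09:13:44Z 10.0.5.31 downloads.solarwinds.com
2020-12-14T09:15:02Z 10.0.5.20 AVSVMCLOUD.COM.
2020-12-14T09:16:10Z 10.0.5.40 notavsvmcloud.com
"""
```

A hit only shows that the backdoor called home, not that malware was installed; treat flagged hosts as candidates for the Defender or signature scan described above.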
Do you require our help? Of course we are available for you: