Infected SolarWinds Updates Used To Compromise Multiple Organizations: FireEye

Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to SolarWinds’ Orion network monitoring tool, according to FireEye .

A highly sophisticated attack on SolarWinds’ Orion network monitoring product has allowed nation-state hackers to compromise the networks of public and private organizations, FireEye said.

FireEye has identified multiple organizations where it sees indications of compromise dating back to spring 2020, and is in the process of notifying those organizations, CEO Kevin Mandia wrote in a blog post Sunday.

FireEye said Tuesday that it was also breached in a nation-state attack designed to gain information on some of its government clients but did not say whether it was one of the organizations to have its network compromised by the SolarWinds Orion attack.

SolarWinds confirmed in a security advisory issued late Sunday that it experienced a manual supply chain attack on versions of Orion released between March and June of this year.

“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” Mandia said. “Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”

[Related: US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach]

The victims have included government, consulting, technology, telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote in a blog posted Sunday. The researchers said they anticipate there are additional victims in other countries and verticals.

SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected to be made available Tuesday.

The company’s managed services tools appear to be uncompromised, as the company said it isn’t aware of any impact to its RMM, N-Central and SolarWinds MSP products.

“Security and trust in our software is the foundation of our commitment to our customers,” SolarWinds said in a security advisory issued late Sunday. “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures and standards designed to protect our customers.”

Attacks conducted as part of this campaign share several common elements, according to Mandia. First, Mandia said the attacks insert malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.

In addition, Mandia said the hackers went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection. Finally, Mandia said the adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools.

FireEye has already updated its products to detect the known altered SolarWinds binaries, Mandia said. The company is also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if potential indicators are spotted, according to Mandia.

Hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, the threat researchers wrote in their blog post. Post compromise activity following the compromise has included lateral movement and data theft, according to the threat researchers.

“This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye’s threat researchers said. “The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”

The malware masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.

The hackers use a variety of techniques to disguise their operations while they move laterally, according to threat researchers. They prefer to maintain a light malware footprint, instead opting for legitimate credentials and remote access to get into a victim’s environment, the threat researchers said.

Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.

Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found that the hackers routinely removed their tools, including removing backdoors.

“Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice,” Mandia wrote in his blog post. “We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps.”