The National Computer Emergency Response Team (CERT-PH) monitored a large-scale cyber-attack against government and non-government organizations involving the SolarWinds Orion network management tool, which is currently being exploited by threat actors worldwide. These highly skilled Nation-State Threat actors are weaponizing the SolarWinds Orion’s legitimate software update in order to distribute a malware called SUNBURST and is attacking multiple government, technology, telecom and other critical infrastructure companies in North America, Europe, Asia and the Middle East.
A high risk is posed to organizations and businesses that updated their SolarWinds Orion platform from March 2020 through June 2020. In response, SolarWinds has released a hot fix patch to mitigate the said vulnerability and asked their customers with the versions Orion Platform v2020.2 with no hot fix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 and Orion Platform v2019.4 HF 5 to upgrade to Orion Platform version 2019.4 HF 6 as soon as possible to ensure the security of their environment. According to Solarwinds, there is no other version of Orion Platform products known to be impacted by this security vulnerability and other non-Orion products are also not known to be impacted by this security vulnerability.
An additional hotfix release, 2020.2.1 HF 2 was made available last December 15, 2020. Solarwinds recommend that all customers to update as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security.
Hotfix patch is currently available at Solarwinds Customer portal: customerportal.solarwinds.com
___________________
A. Nature of the Attack
What are the versions affected by this attack?
- Orion Platform v2020.2 with no hot fix or 2020.2 HF 1
- Orion Platform v2019.4 HF 5
What are the affected products by this attack?
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
Description of the attack:
- The attackers appended a malicious code dubbed by researchers Sunburst to SolarWinds Orion platform software component named SolarWinds.Orion.Core.BusinessLayer.dll in order to create a backdoor that allows the attackers to deploy additional payloads. The infected DLL file is present in versions 2019.4 HF 5 through 2020.2.1.
___________________
B. Actions to be Taken
Mitigation Steps:
- You may check your network if there are any connections made with the IOC signatures listed below (Please see Part C for reference)
- Disconnect and/or isolate any affected SolarWinds Orion products from your organization’s network
- Block all external traffic from unknown hosts to and from the enterprise where SolarWinds Orion software was installed.
- Investigate, identify and remove threat actor accounts which may remain in the system.
- Stay vigilant regarding SolarWinds.Orion.Core.BusinessLayer.dll with the hash of
- [b91ce2fa41029f6955bff20079468448] and C:\WINDOWS\SysWOW64\netsetupsvc[.]dll, and report accordingly if such are located.
- In addition to patching, we recommend taking additional measures, including:
- changing passwords of all accounts accessible to Orion servers
- analyzing all configuration for network devices managed by the Orion platform for alteration.
Organizations should consider the impacts and applicability of the above steps on their specific network operations prior to implementing these mitigations.
____________________
C. List of Indicators of Compromise (IOC)
| Item Type | Indicator Type | Indicator Value |
| Malware | MD5 | 02af7cec58b9a5da1c542b5a32151ba1 |
| Malware | MD5 | 08e35543d6110ed11fdf558bb093d401 |
| Malware | MD5 | 2c4a910a1299cdae2a4e55988a2f102e |
| Malware | MD5 | 846e27a652a5e1bfbd0ddd38a16dc865 |
| Malware | MD5 | b91ce2fa41029f6955bff20079468448 |
| Malware | MD5 | 4f2eb62fa529c0283b28d05ddd311fae |
| Malware | MD5 | 56ceb6d0011d87b6e4d7023d7ef85676 |
| Malware | SHA-1 | 1b476f58ca366b54f34d714ffce3fd73cc30db1a |
| Malware | SHA-1 | 47d92d49e6f7f296260da1af355f941eb25360c4 |
| Malware | SHA-1 | 2f1a5a7411d015d01aaee4535835400191645023 |
| Malware | SHA-1 | d130bd75645c2433f88ac03e73395fba172ef676 |
| Malware | SHA-1 | 76640508b1e7759e548771a5359eaed353bf1eec |
| Malware | SHA-1 | c2c30b3a287d82f88753c85cfb11ec9eb1466bad |
| Malware | SHA-1 | 75af292f34789a1c782ea36c7127bf6106f595e8 |
| Malware | SHA-256 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b |
| Malware | SHA-256 | eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed |
| Malware | SHA-256 | c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 |
| Malware | SHA-256 | ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c |
| Malware | SHA-256 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc |
| Malware | SHA-256 | d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af |
| Malware | SHA-256 | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 |
| Malware | SHA-256 | 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 |
| Malware | SHA-256 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 |
| Malware | SHA-256 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 |
| Malware | SHA-256 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 |
| Malware | SHA-256 | 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 |
| Malware | SHA-256 | c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 |
| Malware | IP Address | 13.59.205.66 |
| Malware | IP Address | 54.193.127.66 |
| Malware | IP Address | 54.215.192.52 |
| Malware | IP Address | 34.203.203.23 |
| Malware | IP Address | 139.99.115.204 |
| Malware | IP Address | 5.252.177.25 |
| Malware | IP Address | 5.252.177.21 |
| Malware | IP Address | 204.188.205.176 |
| Malware | IP Address | 51.89.125.18 |
| Malware | IP Address | 167.114.213.199 |
| Malware | Domain | avsvmcloud.com |
| Malware | Domain | deftsecurity.com |
| Malware | Domain | freescanonline.com |
| Malware | Domain | thedoccloud.com |
| Malware | Domain | websitetheme.com |
| Malware | Domain | highdatabase.com |
| Malware | Domain | incomeupdate.com |
| Malware | Domain | databasegalore.com |
| Malware | Domain | panhardware.com |
| Malware | Domain | zupertech.com |
| Malware | URL | 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com |
| Malware | URL | 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com |
| Malware | URL | gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com |
| Malware | URL | ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com |
| Malware | URL | k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com |
| Malware | URL | mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com |
_____________________
D. Conclusion
In conclusion, organizations and businesses, both private and public, that use SolarWinds Orion Platforms must update their versions of the Orion product and perform additional measures to secure their assets. In addition, it is highly recommended to implement relevant IOCs, YARA and Snort rules within the organizational security systems.