Tenable releases plugins to detect Orion versions with APT

Question

As you’re likely aware, The Cybersecurity and Infrastructure Security Agency has issued an Emergency Directive for all Federal Civilian Executive Branch agencies regarding attacks linked to SolarWinds
 Orion Platform software builds for versions 2019.4 through 2020.2.1.

Tenable has a detection plugin (62117) for all SolarWinds Orion assets, as well as a version check plugin (144198) to identify the versions specifically impacted by this backdoor.

While information and specific mitigations recommendations are still being released, Tenable is committed to keeping customers as informed as possible. We will be updating our Tenable blog post as additional information on this attack and Tenable plugins to identify vulnerable versions of the SolarWinds Orion Platform are available.

Bill

ecklerwr1 · Answer

SolarWinds Orion Platform 2019.4 HF 5 < 2020.2.1 HF 2 SUNBURST Malware Backdoor HIGH Nessus Plugin ID 144198

SynopsisAn application running on the remote host is affected by a malware backdoor.
DescriptionThe version of SolarWinds Orion Platform running on the remote host is 2019.4 HF 5 or later but prior to 2020.2.1 HF 2.
It is, therefore, affected by a malware backdoor known as SUNBURST. The file SolarWinds.Orion.Core.BusinessLayer.dll that is included in these versions is known to contain a backdoor that communicates to third party servers and could allow a remote attacker complete control over the host via obfuscated, benign looking network traffic.

The United States Department of Homeland Security has issued Emergency Directive 21-01 that specifies SolarWinds Orion products up to and including 2020.2.1 HF 1 are currently being exploited by malicious actors.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade to SolarWinds Orion Platform 2020.2.1 HF 2 or later.
See Alsohttp://www.nessus.org/u?85b4fa56

https://www.solarwinds.com/securityadvisory

https://cyber.dhs.gov/ed/21-01/

http://www.nessus.org/u?0ff24ea2

http://www.nessus.org/u?901aa5a2

Helpful if you're not sure what's out there on your network.  This plugin checks the version numbers for you.

Bill