I'm kind of astounded that no official message - even just of acknowledgement - has been sent by Solarwinds to customers. Also, what rumors are you referring to? I haven't even seen an official list of affected products/versions. The article seems to indicate that something was piggybacked on update requests during a certain timeframe. Without more info, it's hard to do anything more refined than shut down the platform or remove all write privilege to service accounts.
Just logged a ticket with support. They indicate patches for 2019 and 2020 are coming 12/14 and 12/15 respectively. No other remediation steps available other than getting an updated .dll file from the Developers early. The updated .dll will be in the forthcoming patches.
Yup, I only just heard about this as well. I saw this on the internet:
"A SolarWinds spokesman said the company was aware of a potential vulnerability related to updates of its Orion technology management software that were released between March and June of this year."
I'm still on 2019.4 so ok but was looking at upgrading this week. Guess I'll be holding off for now.
Per Support:
Called Solarwinds support and the staff member answering the Tech Support line said pretty much what is said here - two versions of the Orion Platform are impacted by the hack - 2019.4 and 2020.2. Earlier versions are not impacted. They also stated fixes are due out very soon - believe it was two or three at most.
Anyone know where Solarwinds puts security advisories? It's not under Recent Releases and News.
I am blocking all egress access from Solarwinds servers.
Just received an email from Solarwinds - seems like I am affected. I'm on 2019.4
Here's the email
"Dear Customer,

We have just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 through 2020.2.1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed incident, as opposed to a broad, system-wide attack. We are recommending that you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal.

If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfixes you have applied, please go here. In addition, we recommend you review the guidance provided in the Secure Configuration for the Orion Deployment document available here.

Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers. For more information go to solarwinds.com/securityadvisory.

SolarWinds thanks you for your continued patience and partnership as we continue to work through this issue. We will continue to keep you updated of any new developments or findings. If you have any immediate questions prior to our next update, please contact Customer Support at 1-866-530-8040 or swisupport@solarwinds.com.

Yours sincerely,
Kevin Thompson
President & CEO
SolarWinds, Inc"
We decided to not take any chances with our information.
I will note that the security advisory got caught in our junk mail folders, so I HIGHLY recommend checking there. We got ours at 20:35 CST, after we'd started our own internal incident response.
Went to my junk folder as well! I am not running an affected version.
There is a page with more details on affected areas, and patching is expected on the 15th:
https://www.solarwinds.com/securityadvisory
2019.4 is listed as affected
Every SolarWinds Orion user should read the following two links and follow through with their systems immediately.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
@danielleh, thanks for your prompt reply already. It would be great to see a pinned post or hero banner for everyone who logs into Thwack. Our thoughts are with everyone at SolarWinds and customers who will be scrambling on this one!
Windows Defender from 2020-12-12 seems to protect from this threat: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132
Not sure why people are linking to the fireeye hack. They had their internal systems compromised, and their red team tools stolen. Which are basically open source tools, readily available. They're also using known exploits and no 0days.
From what I know of the Orion hack, this is a supply chain hack, so their FTP or similar has been compromised, and their code replaced with additional code. Seems the US government was the target, as they've advised two departments have been compromised.
This is concerning either way, especially as it seems this hack has been present for quite some time. And I would've expected a company the size of SolarWinds to be having pentests regularly to find these issues.
Is 2018.4 HF3 affected?
Does anyone know if 2020.2 RC2 was already patched? I've run the HF1 upgrader, but was already running 2020.2 RC2 and it says I'm up-to-date. I'm hopeful I've been immune since May when I installed RC2 but worried the upgrader sees the code as up to date but actually wasn't fixed on the back-end of RC2.
@mlathamuk I guess it's affected for the builds for versions 2019.4 through 2020.2.1.
So, as I read all this, and note that we upgraded to 200.2.1 only last week then it appears we are already sorted - in as far as we can?
Is that right?
Ooooh, you have made the BBC news....
https://www.bbc.co.uk/news/world-us-canada-55265442
Next hotfix should be out tomorrow..... install this as well.
They're linking to it because the attack vector for the Fireeye hack was Solarwinds, I believe.
The email received from Solarwinds indicates that an upgrade to 2020.2.1 HF1 will ensure the security of our environment.
Does this also mean that if we were on HF1 already that we are immune to this attack?
Hello @danielleh,
We are currently on version 2020.2, and on central upgrade it is showing as up to date!!! What should we do?
Shall we download the HF and apply it straight away?
Need clarity on whether we need to upgrade to 2020.2.1 first and then apply the hotfix, and is this not going to happen via central upgrade?
Thanks
Anmol
Should we be removing all agents?
Are the agents affected?
I cannot keep searching these forums for latest info.
As of this writing, the link at:
is undated and has no time stamp indicating that it is the latest info. Other threads indicate that 2020.2.1 HF 1 does NOT fix this problem, and another HF is coming tomorrow. See Tony Johnson's reply at:
https://thwack.solarwinds.com/t5/NPM-Discussions/Is-2020-2-RC2-immune-to-SUNBURST-Solorigate-Offline-HF-installer/m-p/612461
I think this thread should be closed, and a pointer to single canonical thread from SolarWinds should be open with the latest info, and that thread should be closed to general replies, and a timestamp added by SolarWinds indicating that it's still the latest info.
Here is some background reading on what is going on with Solarwinds Orion. Reports are coming out that a supply chain attack of Solarwinds Orion was used in the breach of FireEye and US Government resources.

News
https://mobile.reuters.com/article/amp/idUSKBN28N/
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

From Solarwinds
https://www.solarwinds.com/securityadvisory/

From FireEye
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

IOCs from GitHub
https://github.com/fireeye/sunburst_countermeasures/

DHS Emergency Directive 21-01. Mitigate SolarWinds Orion Code Compromise.
https://cyber.dhs.gov/ed/21-01/
No, it will NOT protect you from this exploit. It will merely "...make it more difficult to exploit the vulnerability". That's why they are working on HF2 to actually fix the problem.
Any word on the agents?
According to FireEye, it seems to be infra only (the agent does not have the two impacted exes).
It would be best to read the full details in the links from SolarWinds, FireEye, and SANS, but in short: the compromised file is a core DLL and not the agents themselves. @sjocchiogrosso @familyofcrowes
These links have the actual details that you won't find in news articles:
I notice a timestamp at the top of the advisory page now.
Thanks!
Helpful info to search for hashes from SANS:
https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/26884/
What you should do at this point:
The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4].
The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)
IOCs from Microsoft's report:
Bill
In some crazy way, if FireEye hadn't noticed the breach they had, this could have gone on a lot longer. For those of us affected it's a drag, but geesh, if this hadn't been noticed and had kept going on, just think what it could have meant. This isn't some kid in his basement that did this. It's actually pretty elegant how this APT works, trying to hide its tracks. We should probably be glad this isn't worse than it already is.
The strange thing here is I do not see SolarWinds Core Business Layer v2020.2.15300.12766 noted - and that version appears to have been in place possibly as early as 2020/09/15 on my system for 2020.2.1?
Is the scope of versions going to change possibly? This runs through May 2020 for File Version: 2020.2.5300.12432 - but Orion 2020.2.1 was released 2020/08/25? (https://documentation.solarwinds.com/en/Success_Center/NPM/Content/Release_Notes/NPM_2020-2-1_Release_Notes.htm)
Is 2020.2.1 in reality not included? Or did the SolarWinds.Orion.Core.BusinessLayer.dll not change in that release since May? When did it change? Because I have reference to the bad .dll (2020.2.5300.12432) on 8/24, but reference to 2020.2.15300.12766 on 9/15.
2020-09-15 09:00:13,971 [41] VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.BusinessLayer', logical instance 'engine:15' @ server '12', instance v2020.2.15300.12766
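Two practical questions run through this thread: Bill's pointer to searching systems for the published hashes of SolarWinds.Orion.Core.BusinessLayer.dll, and the question above of which Core.BusinessLayer build was actually in service on a given date. The script below is an added example written for this thread; it is not code from SolarWinds, FireEye or SANS. It parses Orion log lines of the exact shape quoted above into a per-build timeline, and hashes a DLL against an IOC set. The sample log lines are constructed to mirror the 8/24 and 9/15 dates mentioned in the post; the known-bad version set contains only the 2020.2.5300.12432 file version the post cites from the IOC list, and the SHA-256 set is a placeholder to be filled from the published advisories, not a real indicator.

```python
# Added example, not from the thread or from SolarWinds: reconstruct which
# Core.BusinessLayer build Orion reported loading, and when, from Orion log
# lines of the form quoted above, then hash a DLL against an IOC list.
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Pattern modelled on the VERBOSE ServiceDirectoryLocalCache line quoted in
# the thread: timestamp, service name, and the trailing "instance v<version>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"added a service '(?P<service>[^']+)'.*?instance v(?P<version>[\d.]+)\s*$"
)

DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# The thread quotes 2020.2.5300.12432 as a file version on the IOC list.
# Assumption: any further entries are filled in from the FireEye/Microsoft/
# SANS publications before this is run against real logs.
KNOWN_BAD_VERSIONS = {"2020.2.5300.12432"}

# Placeholder only, not a real IOC: replace with the SHA-256 values the
# advisories publish for the trojanized DLL builds.
KNOWN_BAD_SHA256 = {"0" * 64}


def parse_versions(lines, service="Core.BusinessLayer"):
    """Return [(timestamp, version), ...] for each line reporting the named
    service being added to Orion's in-memory service directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("service") != service:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        hits.append((ts.isoformat(sep=" "), m.group("version")))
    return hits


def version_timeline(lines):
    """Collapse parse_versions() output to one entry per build: first and
    last time it was seen, and whether it is on the known-bad list."""
    seen = {}
    for ts, version in parse_versions(lines):
        entry = seen.setdefault(
            version, {"version": version, "first_seen": ts, "last_seen": ts})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    for entry in seen.values():
        entry["flagged"] = entry["version"] in KNOWN_BAD_VERSIONS
    return sorted(seen.values(), key=lambda e: e["first_seen"])


def sha256_bytes(data):
    """Hex SHA-256 of a byte string (the form IOC lists use)."""
    return hashlib.sha256(data).hexdigest()


def check_dll_bytes(data):
    """Hash DLL contents and report whether the digest is on the IOC list."""
    digest = sha256_bytes(data)
    return {"sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256}


def scan_for_dll(root):
    """Walk an Orion install (or a mounted image) for every copy of the DLL,
    hash each one, and return the per-file results."""
    results = []
    for path in Path(root).rglob(DLL_NAME):
        report = check_dll_bytes(path.read_bytes())
        report["path"] = str(path)
        results.append(report)
    return results


# Constructed sample log, shaped like the line quoted in the thread; the
# dates mirror the 8/24 and 9/15 references in the post above.
SAMPLE_LOG = """\
2020-08-24 10:15:02,113 [41] VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.BusinessLayer', logical instance 'engine:15' @ server '12', instance v2020.2.5300.12432
2020-08-24 10:15:03,004 [41] VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.Collector', logical instance 'engine:15' @ server '12', instance v2020.2.5300.12432
2020-09-15 09:00:13,971 [41] VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.BusinessLayer', logical instance 'engine:15' @ server '12', instance v2020.2.15300.12766
"""

if __name__ == "__main__":
    for entry in version_timeline(SAMPLE_LOG.splitlines()):
        print("{first_seen} .. {last_seen}  v{version}  flagged={flagged}".format(**entry))
    print(check_dll_bytes(b"constructed stand-in for DLL bytes"))
```

Run against a real Orion log directory by feeding the concatenated log files to version_timeline(), and point scan_for_dll() at the Orion install root; a build that appears in the timeline but on neither list (as 2020.2.15300.12766 does here) is exactly the case the post raises and should be resolved against the vendor's published version list rather than assumed clean.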
Latest update
"We should be glad this isn't worse than it already is."
I'm pretty sure it's a lot worse than it already is.
Exactly - it's been going on for months, they've had an eternity to gather data. This is just beginning.