Helpful info to search for hashes from SANS:
What you should do at this point:
The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons  and the recently released Cobalt Strike TLS fingerprints for JARM 
The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)
IOCs from Microsoft's report:
The strange thing here is I do not see SolarWinds Core Business Layer v2020.2.15300.12766 noted - and that version appears to have been in place possibly as early as 2020/09/15 on my system for 2020.2.1?
Is the scope of versions going to change possibly? This runs through May 2020 for File Version: 2020.2.5300.12432 - but Orion 2020.2.1 was released 2020/08/25? (https://documentation.solarwinds.com/en/Success_Center/NPM/Content/Release_Notes/NPM_2020-2-1_Releas...)
Is 2020.2.1 in reality not included? Or did the SolarWinds.Orion.Core.BusinessLayer.dll not change in that release since May? When did it change? Because I have reference to the bad .dll (2020.2.5300.12432) on 8/24, but reference to 2020.2.15300.12766 on 9/15.
2020-09-15 09:00:13,971  VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.BusinessLayer', logical instance 'engine:15' @ server '12', instance v2020.2.15300.12766
In some crazy way if FireEye hadn't noticed the breach they had this could have gone on a lot longer. Of those of us affected it's a drag but geesh if this hadn't been noticed and kept going on just think what it could have meant. This isn't some kid in his basement that did this. It's actually pretty elegant how this APT works trying to hide it's tracks. We should probably be glad this isn't worse than it already is.
It would be best to read the full details in the links from SolarWinds, FireEye, and SANs, but in short: the compromised file is a core DLL and not the agents themselves. @sjocchiogrosso @familyofcrowes
These links have the actual details that you won't find in news articles:
Here is some background reading on what is going on with Solarwinds Orion. Reports are coming out that a supply chain attack of Solarwinds Orion was used in the breech of FireEye and US Government resources.
IOC's from Github
DHS Emergency Directive 21-01. Mitigate SolarWinds Orion Code Compromise.
I cannot keep searching these forums for latest info.
As of this writing, the link at:
is undated and has no time stamp indicating that it is the latest info. Other threads indicate that 2020.2.1 HF 1 does NOT fix this problem, and another HF is coming tomorrow. See Tony Johnson's reply at:
I think this thread should be closed, and a pointer to single canonical thread from SolarWinds should be open with the latest info, and that thread should be closed to general replies, and a timestamp added by SolarWinds indicating that it's still the latest info.
Does anyone know if 2020.2 RC2 was already patched? I've run the HF1 upgrader, but was already running 2020.2 RC2 and it says I'm up-to-date. I'm hopeful I've been immune since May when I installed RC2 but worried the upgrader sees the code as up to date but actually wasn't fixed on the back-end of RC2.
Not sure why people are linking to the fireeye hack. They had their internal systems compromised, and their red team tools stolen. Which are basically open source tools, readily available. They're also using known exploits and no 0days.
From what I know of the Orion hack, this is a supply chain hack, so their FTP or similar has been compromised, and their code replaced with additional code. Seems the US government was the target, as they've advised two departments have been compromised.
This is concerning either way, especially as it seems this hack has been present for quite some time. And I would've expected a company the size of SolarWinds to be having pentests regularly to find these issues.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.