Helpful info to search for hashes from SANS:

https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/...

What you should do at this point:

1. Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely all or most of your network)
2. CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8]
3. Quick check for the following indicators:
   (1) is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or
   %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
   (2) if so, the malicious version uses this Singer and SingerHash:
        "Signer": "Solarwinds Worldwide LLC"
         "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"
   (3) the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
   (4) check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs)

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4]

The backdoor is part of SolarWinds.Orion.Core.businessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)

IOCs from Microsoft's report:

• several malicious DLLs where identified
  • Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
    Sha1: 76640508b1e7759e548771a5359eaed353bf1eec
    File Size: 1011032 bytes
    File Version: 2019.4.5200.9083
    Date first seen: March 2020
  • Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
    Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
    File Size: 1028072 bytes
    File Version: 2020.2.100.12219
    Date first seen: March 2020
  • Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
    Sha1: e257236206e99f5a5c62035c9c59c57206728b28
    File Size: 1026024 bytes
    File Version: 2020.2.100.11831
    Date first seen: March 2020
  • Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
    Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
    File Size: 1026024 bytes
    File Version: not available
    Date first seen: March 2020
  • Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
    Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
    File Size: 1029096 bytes
    File Version: 2020.4.100.478
    Date first seen: April 2020
  • Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
    Sha1: 2f1a5a7411d015d01aaee4535835400191645023
    File Size: 1028072 bytes
    File Version: 2020.2.5200.12394
    Date first seen: April 2020
  • Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
    Sha1: d130bd75645c2433f88ac03e73395fba172ef676
    File Size: 1028072 bytes
    File Version: 2020.2.5300.12432
    Date first seen: May 2020
• the malicious DLLs connect to infrastructure using the avsvmcloud.com domain. 

Bill

It would be best to read the full details in the links from SolarWinds, FireEye, and SANs, but in short: the compromised file is a core DLL and not the agents themselves. @sjocchiogrosso @familyofcrowes 

These links have the actual details that you won't find in news articles:

• Security Advisory | SolarWinds
• InfoSec Handlers Diary Blog (sans.edu)
• Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With...

Any word on the agents?

Here is some background reading on what is going on with Solarwinds Orion.  Reports are coming out that a supply chain attack of Solarwinds Orion was used in the breech of FireEye and US Government resources.

News
https://mobile.reuters.com/article/amp/idUSKBN28N/
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

From Solarwinds
https://www.solarwinds.com/securityadvisory/

From FireEye
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-ch...

IOC's from Github
https://github.com/fireeye/sunburst_countermeasures/

DHS Emergency Directive 21-01.  Mitigate SolarWinds Orion Code Compromise.
https://cyber.dhs.gov/ed/21-01/

I cannot keep searching these forums for latest info.

As of this writing, the link at:

https://www.solarwinds.com/securityadvisory

is undated and has no time stamp indicating that it is the latest info. Other threads indicate that  2020.2.1 HF 1  does NOT fix this problem, and another HF is coming tomorrow. See Tony Johnson's reply at:

https://thwack.solarwinds.com/t5/NPM-Discussions/Is-2020-2-RC2-immune-to-SUNBURST-Solorigate-Offline...

I think this thread should be closed, and a pointer to single canonical thread from SolarWinds should be open with the latest info, and that thread should be closed to general replies, and a timestamp added by SolarWinds indicating that it's still the latest info.

Should we be removing all agents?  

Are the agents affected?

Ooooh, you have made the BBC news....

https://www.bbc.co.uk/news/world-us-canada-55265442

Does anyone know if 2020.2 RC2 was already patched? I've run the HF1 upgrader, but was already running 2020.2 RC2 and it says I'm up-to-date. I'm hopeful I've been immune since May when I installed RC2 but worried the upgrader sees the code as up to date but actually wasn't fixed on the back-end of RC2.

Is 2018.4 HF3 affected?

Not sure why people are linking to the fireeye hack.  They had their internal systems compromised, and their red team tools stolen.  Which are basically open source tools, readily available.  They're also using known exploits and no 0days.

From what I know of the Orion hack, this is a supply chain hack, so their FTP or similar has been compromised, and their code replaced with additional code.  Seems the US government was the target, as they've advised two departments have been compromised.

This is concerning either way, especially as it seems this hack has been present for quite some time.  And I would've expected a company the size of SolarWinds to be having pentests regularly to find these issues.

Windows Defender from 2020-12-12 seem to protects from this threat: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/So...