Hackers getting in via NPM maybe

Accepted solution (Community Manager):
SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability. More information is available at solarwinds.com/securityadvisory.


46 Replies

Latest update [screenshot in the original post, not reproduced here]

Helpful info to search for hashes from SANS:

https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/...

What you should do at this point:

  1. Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely all or most of your network)
  2. CISA recommends disconnecting/powering down affected versions of SolarWinds Orion [8]
  3. Quick check for the following indicators:
    (1) is SolarWinds.Orion.Core.BusinessLayer.dll present? It may be located in %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll or
    %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll
    (2) if so, the malicious version uses this Signer and SignerHash:
         "Signer": "Solarwinds Worldwide LLC"
         "SignerHash": "47d92d49e6f7f296260da1af355f941eb25360c4"
    (3) the existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise
    (4) check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g. review DNS logs)

The malicious code included with the affected versions of SolarWinds may include a Cobalt Strike implant. See Didier's diary from last week for details on analyzing Cobalt Strike beacons [3] and the recently released Cobalt Strike TLS fingerprints for JARM [4]

The backdoor is part of SolarWinds.Orion.Core.BusinessLayer.dll. This is a legitimate DLL that is modified by the attacker. The DLL is digitally signed by "Solarwinds Worldwide, LLC". The update was distributed using the legitimate SolarWinds updates website (hxxps:// downloads[.]solarwinds[.]com)

IOCs from Microsoft's report:

  • several malicious DLLs where identified
    • Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
      Sha1: 76640508b1e7759e548771a5359eaed353bf1eec
      File Size: 1011032 bytes
      File Version: 2019.4.5200.9083
      Date first seen: March 2020
    • Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
      Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
      File Size: 1028072 bytes
      File Version: 2020.2.100.12219
      Date first seen: March 2020
    • Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
      Sha1: e257236206e99f5a5c62035c9c59c57206728b28
      File Size: 1026024 bytes
      File Version: 2020.2.100.11831
      Date first seen: March 2020
    • Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
      Sha1: bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387
      File Size: 1026024 bytes
      File Version: not available
      Date first seen: March 2020
    • Sha256: ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
      Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
      File Size: 1029096 bytes
      File Version: 2020.4.100.478
      Date first seen: April 2020
    • Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
      Sha1: 2f1a5a7411d015d01aaee4535835400191645023
      File Size: 1028072 bytes
      File Version: 2020.2.5200.12394
      Date first seen: April 2020
    • Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
      Sha1: d130bd75645c2433f88ac03e73395fba172ef676
      File Size: 1028072 bytes
      File Version: 2020.2.5300.12432
      Date first seen: May 2020
  • the malicious DLLs connect to infrastructure using the avsvmcloud.com domain. 

Bill
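The four quick checks from the SANS list above, combined into one PowerShell script; this is an added example, not code from the SANS diary, SolarWinds or this thread. It assumes it runs as Administrator on the Orion server, that the Microsoft-Windows-DNS-Client/Operational log is enabled (it is off by default), and that the diary's SignerHash is the SHA-1 thumbprint of the Authenticode signing certificate.

```powershell
# Added example: defensive triage of an Orion host for the SUNBURST indicators listed above.
# Assumptions: run as Administrator; DNS Client operational log enabled; SignerHash == certificate thumbprint.
$knownBadSha256 = @(                      # SHA-256 values from Microsoft's report, as quoted in the thread
  '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
  'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
  'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed',
  'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
  'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
  '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
  'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6'
)
$signerHash = '47d92d49e6f7f296260da1af355f941eb25360c4'   # SignerHash from the SANS diary (SHA-1)

# (1) find every copy of the business layer DLL, including shadow copies under systemprofile
$candidates = @("$env:ProgramFiles\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll")
$tmpRoot = "$env:WINDIR\System32\config\systemprofile\AppData\Local\assembly\tmp"
if (Test-Path $tmpRoot) {
  $candidates += Get-ChildItem -Path $tmpRoot -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
}

foreach ($dll in ($candidates | Where-Object { Test-Path $_ })) {
  $sha256 = (Get-FileHash -Path $dll -Algorithm SHA256).Hash.ToLower()
  $ver    = (Get-Item $dll).VersionInfo.FileVersion
  $sig    = Get-AuthenticodeSignature -FilePath $dll
  $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint.ToLower() } else { '' }
  # (2) the signer is context, not a verdict: the trojanised DLL carries a valid SolarWinds signature,
  #     so only the hash match (or a version known to be affected) says the file is the bad build
  [pscustomobject]@{
    Path                  = $dll
    FileVersion           = $ver
    KnownBadHash          = ($knownBadSha256 -contains $sha256)
    SignerThumbprint      = $thumb
    SignerMatchesAdvisory = ($thumb -eq $signerHash)
  }
}

# (3) second-stage file named in the advisory
if (Test-Path "$env:WINDIR\SysWOW64\netsetupsvc.dll") {
  Write-Warning 'netsetupsvc.dll present in SysWOW64 - treat host as possibly compromised'
}

# (4) local DNS client log: any lookup under avsvmcloud.com (event 3006 = query issued)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3006 } -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'avsvmcloud\.com' } |
  Select-Object TimeCreated, Message
```

A clean result here does not clear the host: the DNS check only sees lookups made after the log was enabled, so the resolver or firewall logs named in step (4) remain the authoritative source.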

The strange thing here is I do not see SolarWinds Core Business Layer v2020.2.15300.12766 noted - and that version appears to have been in place possibly as early as 2020/09/15 on my system for 2020.2.1?

Is the scope of versions going to change possibly? This runs through May 2020 for File Version: 2020.2.5300.12432 - but Orion 2020.2.1 was released 2020/08/25? (https://documentation.solarwinds.com/en/Success_Center/NPM/Content/Release_Notes/NPM_2020-2-1_Releas...

Is 2020.2.1 in reality not included?  Or did the SolarWinds.Orion.Core.BusinessLayer.dll not change in that release since May?  When did it change?  Because I have reference to the bad .dll  (2020.2.5300.12432) on 8/24, but reference to 2020.2.15300.12766 on 9/15.

2020-09-15 09:00:13,971 [41] VERBOSE ServiceDirectoryLocalCache - Service Directory in-memory cache added a service 'Core.BusinessLayer', logical instance 'engine:15' @ server '12', instance v2020.2.15300.12766

In some crazy way, if FireEye hadn't noticed the breach they had, this could have gone on a lot longer.  For those of us affected it's a drag, but geesh, if this hadn't been noticed and kept going on, just think what it could have meant.  This isn't some kid in his basement that did this.  It's actually pretty elegant how this APT works, trying to hide its tracks.  We should probably be glad this isn't worse than it already is.

Bill

"We should be glad this isn't worse than it already is."

I'm pretty sure it's a lot worse than it already is.

Exactly - it's been going on for months, they've had an eternity to gather data.  This is just beginning. 


It would be best to read the full details in the links from SolarWinds, FireEye, and SANS, but in short: the compromised file is a core DLL and not the agents themselves. @sjocchiogrosso @familyofcrowes 

These links have the actual details that you won't find in news articles:


Any word on the agents?


According to FireEye, it seems to be infra only (the agent does not have the two impacted exe).


Here is some background reading on what is going on with SolarWinds Orion.  Reports are coming out that a supply chain attack on SolarWinds Orion was used in the breach of FireEye and US Government resources.

News

https://mobile.reuters.com/article/amp/idUSKBN28N/
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

From Solarwinds
https://www.solarwinds.com/securityadvisory/

From FireEye
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-ch...

IOCs from GitHub
https://github.com/fireeye/sunburst_countermeasures/

DHS Emergency Directive 21-01.  Mitigate SolarWinds Orion Code Compromise.
https://cyber.dhs.gov/ed/21-01/


I cannot keep searching these forums for latest info.

As of this writing, the link at:

https://www.solarwinds.com/securityadvisory

is undated and has no time stamp indicating that it is the latest info. Other threads indicate that 2020.2.1 HF 1 does NOT fix this problem, and another HF is coming tomorrow. See Tony Johnson's reply at:

https://thwack.solarwinds.com/t5/NPM-Discussions/Is-2020-2-RC2-immune-to-SUNBURST-Solorigate-Offline...

I think this thread should be closed, and a pointer to single canonical thread from SolarWinds should be open with the latest info, and that thread should be closed to general replies, and a timestamp added by SolarWinds indicating that it's still the latest info.

I notice a timestamp at the top of the advisory page now.

Thanks!


Should we be removing all agents?  

Are the agents affected?


Ooooh, you have made the BBC news....


https://www.bbc.co.uk/news/world-us-canada-55265442


Does anyone know if 2020.2 RC2 was already patched? I've run the HF1 upgrader, but was already running 2020.2 RC2 and it says I'm up-to-date. I'm hopeful I've been immune since May when I installed RC2 but worried the upgrader sees the code as up to date but actually wasn't fixed on the back-end of RC2.


Is 2018.4 HF3 affected?

@mlathamuk I guess it's affected for the builds for versions 2019.4 through 2020.2.1.


Not sure why people are linking to the fireeye hack.  They had their internal systems compromised, and their red team tools stolen.  Which are basically open source tools, readily available.  They're also using known exploits and no 0days.

From what I know of the Orion hack, this is a supply chain hack, so their FTP or similar has been compromised, and their code replaced with additional code.  Seems the US government was the target, as they've advised two departments have been compromised.

This is concerning either way, especially as it seems this hack has been present for quite some time.  And I would've expected a company the size of SolarWinds to be having pentests regularly to find these issues.


They're linking to it because the attack vector for the Fireeye hack was Solarwinds, I believe.


Windows Defender as of 2020-12-12 seems to protect from this threat: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/So...