Solarigate Infected Web Front End - Pre-March 2020

Jump to solution

We have found it on a Web Front End (Internet facing) that hasn't been updated since July 2019.

So I highly recommend scanning all of your systems regardless of Orion version. This was surprising to us since everyone is feeling safe on old versions. 🙂

************** UPDATE - FALSE POSITIVE  🙂

1 Solution
Community Manager

Microsoft initially released an update to their antimalware definitions that incorrectly flagged a safe version of that file from our release (App_Web_logoimagehandler.ashx.b6031896.dll) as malicious. A few hours ago (at 6:16PM UTC) Microsoft released another update 1.329.456.0 for their antimalware definitions without the false positive. Your old version of Orion should not be impacted, so please update your definitions and check again.

See also https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes


16 Replies
Do we know if this applies to other AV vendors? We ran a scan against our 2020.2.1HF1 server and McAfee found the .dll in an .msi file from the 2019.4 update we did in January.

Our antivirus found the same. 2019.4 HF4 is also infected.

We ran a scan against our 2020.2.1HF1 server and McAfee found the .dll in an .msi file from the 2019.4 update we did in January.

Which DLL? netsetupsvc.dll or SolarWinds.Orion.Core.BusinessLayer.dll? What did McAfee say about the DLL? What is the signing hash, and what is the file hash of the file in question?

Many Orion products have a copy of SolarWinds.Orion.Core.BusinessLayer.dll.

Hi, it is the BusinessLayer.dll. I am unable to see the hashing info as it is still inside the .cab inside the .msi (I haven't extracted it for fear of it running). That .dll also shows up in a few other .cab files. See attached picture. The dates on the .msi files are 1/24/2020. McAfee hasn't gotten back to us yet.

There have been false positives and false negatives in several AV products, because information on affected hashes, dates, and filenames has not been consistent.

I would quarantine the files, and pull manual file and signing hashes, file creation and mod dates if possible. That would let you confirm infection and share info with others reliably.


SCEP is very unhappy. Nightmare.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Program Files (x86)\SolarWinds\Orion\NetPerfMon-WebSite.precompiled.zip
containerfile:C:\ProgramData\SolarWinds\Installers\CoreInstaller.msi
containerfile:C:\ProgramData\SolarWinds\Installers\SolarWinds-Core-v2018.2.5220-Hotfix5.msp
containerfile:C:\Windows\Installer\1f2819de.msp
containerfile:C:\Windows\Installer\6122ff.msi
file:C:\$Recycle.Bin\S-1-5-21-2724978818-1296804354-3809749206-1109\$R3J0X21\6faafa1c\92094bad\assembly\dl3\54ad5082\5ad9329c_e52bd501\App_Web_logoimagehandler.ashx.b6031896.DLL
file:C:\$Recycle.Bin\S-1-5-21-2724978818-1296804354-3809749206-1109\$R3J0X21\6faafa1c\92094bad\assembly\dl3\54ad5082\5ad9329c_e52bd501_0\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\Program Files (x86)\SolarWinds\Orion\NetPerfMon-WebSite.precompiled.zip->bin\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\ProgramData\SolarWinds\Installers\CoreInstaller.msi->OrionCore.cab->NetPerfMon_WebSite.precompiled.zip->bin\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\ProgramData\SolarWinds\Installers\SolarWinds-Core-v2018.2.5220-Hotfix5.msp->RTM.cab->NetPerfMon_WebSite.precompiled.zip->bin\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\Users\AppData\Local\Temp\solarwinds.orion.precompiled.mtuci4q2.hnd\bin\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\Windows\Installer\1f2819de.msp->RTM.cab->NetPerfMon_WebSite.precompiled.zip->bin\App_Web_logoimagehandler.ashx.b6031896.dll
file:C:\Windows\Installer\6122ff.msi->OrionCore.cab->NetPerfMon_WebSite.precompiled.zip->bin\App_Web_logoimagehandler.ashx.b6031896.dll


I would recommend quarantining and getting file hashes, if possible, since there have been false positives and false negatives in various products over the last few days.

Filenames, file hashes, signing hashes, and file create and mod dates are all useful info in determining effects on your system. Don't throw away evidence.
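The evidence-gathering steps recommended twice in this thread (quarantine the file, then record file hashes, signing details, and creation/modification dates) can be done without ever loading the DLL. The script below is an added example and is not code from the original posts or from SolarWinds; it assumes the precompiled web-site .zip named in the SCEP detections above has been copied to a quarantine folder (`C:\Quarantine\...` is an assumed path), and the `$KnownBadSha256` list is a placeholder you fill from your own IoC source. Expanding a .zip only copies bytes, so nothing inside it is executed; reading the PE header with `ReadAllBytes` is likewise a plain file read.

```powershell
# Added example, not part of the original thread: collect file hash, Authenticode
# signer, PE link timestamp and file-system dates for a quarantined Orion web DLL
# without executing it. Paths and the IoC hash list below are assumptions.
param(
    [string]$ZipPath = 'C:\Quarantine\NetPerfMon-WebSite.precompiled.zip',  # assumed quarantine copy
    [string]$DllName = 'App_Web_logoimagehandler.ashx.b6031896.dll',
    [string[]]$KnownBadSha256 = @('<SHA256-FROM-YOUR-IOC-FEED>')            # placeholder, fill from your IoC source
)

# Work in a fresh temp directory so extracted files never land in a web root or bin folder.
$work = Join-Path $env:TEMP ('orion-evidence-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# Expand-Archive only unpacks bytes; no assembly inside the zip is loaded or run.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $work -Force
$dll = Get-ChildItem -LiteralPath $work -Recurse -Filter $DllName | Select-Object -First 1
if (-not $dll) { throw "$DllName not found inside $ZipPath" }

# File hashes: SHA256 is what IoC lists normally publish, SHA1 is still common in AV write-ups.
$sha256 = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
$sha1   = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA1).Hash

# Authenticode signature: validity, signer subject and certificate thumbprint.
# A precompiled ASP.NET page assembly may legitimately report NotSigned; record it either way.
$sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName

# PE linker timestamp from the COFF header. It is set at build time and is
# independent of the file-system dates, which change on copy or extraction.
$bytes = [System.IO.File]::ReadAllBytes($dll.FullName)
if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
    throw "$($dll.FullName) does not start with an MZ header"
}
$peOffset = [BitConverter]::ToInt32($bytes, 0x3C)             # e_lfanew -> "PE\0\0"
$linkTime = [BitConverter]::ToUInt32($bytes, $peOffset + 8)   # COFF TimeDateStamp
$linked   = [DateTimeOffset]::FromUnixTimeSeconds($linkTime).UtcDateTime

# One record you can paste into a ticket or share with the AV vendor.
[pscustomobject]@{
    File          = $dll.FullName
    SizeBytes     = $dll.Length
    SHA256        = $sha256
    SHA1          = $sha1
    MatchesIoC    = $KnownBadSha256 -contains $sha256
    SigStatus     = $sig.Status
    Signer        = $sig.SignerCertificate.Subject
    SignerThumb   = $sig.SignerCertificate.Thumbprint
    CertNotAfter  = $sig.SignerCertificate.NotAfter
    TimeStamped   = [bool]$sig.TimeStamperCertificate
    PELinkTimeUtc = $linked
    CreatedUtc    = $dll.CreationTimeUtc
    ModifiedUtc   = $dll.LastWriteTimeUtc
} | Format-List
```

For the copies that sit inside an .msi or .cab rather than a .zip, the same script applies once the DLL is on disk; an archive tool that can open MSI streams and .cab files (7-Zip does this) gets the bytes out without running the installer, which is the concern raised earlier in the thread. The `MatchesIoC` field is only as good as the hash list you supply, so compare the thumbprint and the PE link time against the vendor's published details as well, since the false positives discussed here matched on a signature rather than on any of those values.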

Product Manager

Make sure you check out the details in our Security Advisory. It outlines the impacted versions and is being kept up to date with the latest information we have available. It also has links to additional resources.

Your antivirus vendor can probably provide details around how they're coming up with that detection result.

This would go against the information currently out there, so my feeling is the Anti-Malware is using a signature match incorrectly, as this Orion version is 2 full versions behind the first published version affected.

I'm beginning to believe this could be a false positive like you said, I wish I could get proof or if other people can scan and see if these DLLs are triggering false pozzies.

I also witnessed a False Positive result from Qualys on these files. The detections did not check for the hashes, certificate signature or the file creation date (all were different from the IOCs).

Paul


Starting to look more and more like an angry ex employee and not Russia. 🙂

Chinese partnership back in May is also interesting, but the above suggests that it has been around longer than that.

https://www.businesswire.com/news/home/20200517005007/en/SolarWinds-Expands-Partnership-With-M.Tech-...

Attribution is notoriously difficult. We can assume that all attackers of this level leave clues to implicate another foreign power.

Deleted - bogus post. 🙂

I think they got the hack when they purchased N-central, as I remember a similar problem 2 or 3 years back when they rebranded it to MSP.