A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies seemingly exploited software from Texas-based software company SolarWinds, with malware pushed via booby-trapped updates. The affected product, Orion, is used by “hundreds of thousands of organizations globally,” The Associated Press (AP) reported on Sunday. Shares of SolarWinds (NYSE:SWI) have gotten crushed today, down by 17% as of 12:05 p.m. EST, after hackers were able to attack multiple U.S. federal agencies by compromising SolarWinds’ systems.
“Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds,” Microsoft noted, and added that the backdoor was distributed via automatic update platforms or systems in target networks. SolarWinds has filed a report with the U.S. SEC, in which it stated that “the vulnerability … was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.”
The filing also states that SolarWinds “currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” and that the attackers likely breached the company by compromising company emails (the company uses Microsoft Office 365 for its email and office productivity tools). Kevin Thompson, SolarWinds president and CEO, said his company is “aware of a potential vulnerability” that may have been in “updates which were released between March and June 2020 to our Orion monitoring products.” FireEye says it found a backdoored .dll file that was uploaded to and available from the downloads section of SolarWinds’ site.
More than 425 of the US Fortune 500
All of the top 10 US telecommunications companies
All five branches of the US military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
All of the top five US accounting firms
As news breaks about what looks to be a pretty large-scale hack, I have the utmost confidence in the @CISAgov team and other Federal partners. I’m sorry I’m not there with them, but they know how to do this. This thing is still early, I suspect. Let’s let the pros work it.
— Chris Krebs (@C_C_Krebs) December 13, 2020
FireEye has posted an analysis of the injected malicious code, and says it’s present in a file called SolarWinds.Orion.Core.BusinessLayer.dll, which it describes as a “digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers.”
FireEye says that once the .dll reaches a machine it remains dormant for up to two weeks, but then comes to life and “retrieves and executes commands, called ‘Jobs’, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.”
“The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
FireEye continues: “The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds executable SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration).”
The malware then goes dormant for another fortnight before attempting to resolve a subdomain of avsvmcloud[.]com. “The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications.”
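The DNS behaviour described above (a query for a subdomain of avsvmcloud[.]com whose CNAME answer names the C2 domain) is something a defender can hunt for in resolver logs. The script below is an added example written for this article; it is not code from FireEye, SolarWinds or the original page. It assumes a simple constructed log format (timestamp, client IP, query name, answer record type, answer data) and uses constructed sample lines; the C2 name in the sample is a placeholder under the reserved .invalid TLD, not an observed indicator.

```python
"""Hunt resolver logs for beaconing to subdomains of avsvmcloud.com.

Added example, not part of the article. The only indicator taken from the
article is the parent domain avsvmcloud[.]com and the fact that the CNAME
answer points at the command-and-control domain. The log format below is an
assumption for this example; adapt the regex to your resolver's format.
"""
import re
from collections import defaultdict

# Parent domain named in the article (written defanged there).
BEACON_PARENT = "avsvmcloud.com"

# Constructed log format: "<timestamp> <client_ip> <qname> <rtype> <rdata>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<rtype>\S+)\s+(?P<rdata>\S+)$"
)

# Constructed sample log; the subdomain labels and IPs are made up
# (documentation ranges), and c2-placeholder.invalid stands in for the C2.
SAMPLE_LOG = """\
2020-03-30T10:12:01Z 10.1.5.22 www.example.org A 93.184.216.34
2020-03-30T10:13:44Z 10.1.5.22 k3x9a1bq7c2m.avsvmcloud.com CNAME c2-placeholder.invalid
2020-03-30T10:13:44Z 10.1.5.22 c2-placeholder.invalid A 198.51.100.7
2020-03-30T10:21:09Z 10.1.7.9 p0qz8w4rt1ya.avsvmcloud.com A 198.51.100.9
2020-03-30T10:25:30Z 10.1.5.22 f2nd7vle9hq0.avsvmcloud.com CNAME c2-placeholder.invalid
2020-03-30T10:26:00Z 10.1.9.3 avsvmcloud.com A 203.0.113.5
"""


def is_beacon_query(qname: str) -> bool:
    """True when qname is a subdomain of the beacon parent.

    The apex itself is excluded: the article describes the implant resolving
    a *subdomain*, and the apex can be looked up for benign reasons.
    """
    q = qname.rstrip(".").lower()
    return q.endswith("." + BEACON_PARENT)


def analyze(lines):
    """Scan log lines; return (hits_per_client, c2_domains).

    hits_per_client counts beacon-style queries per source host, which is the
    list of machines to isolate and image. c2_domains collects the CNAME
    targets returned for those queries, which become block-list entries.
    """
    hits = defaultdict(int)
    c2_domains = set()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        if not is_beacon_query(m["qname"]):
            continue
        hits[m["client"]] += 1
        if m["rtype"].upper() == "CNAME":
            c2_domains.add(m["rdata"].rstrip(".").lower())
    return dict(hits), c2_domains


def suspect_hosts(lines):
    """Clients with at least one beacon query, most active first."""
    hits, _ = analyze(lines)
    return sorted(hits, key=lambda h: (-hits[h], h))


if __name__ == "__main__":
    per_client, c2 = analyze(SAMPLE_LOG.splitlines())
    for host in suspect_hosts(SAMPLE_LOG.splitlines()):
        print(f"isolate {host}: {per_client[host]} beacon queries")
    for domain in sorted(c2):
        print(f"block CNAME target: {domain}")
```

Because the article notes the C2 traffic is shaped to look like normal SolarWinds API communication, the DNS resolution step is often the cleaner signal: the query name is a subdomain of a domain the organisation has no business with, and the CNAME answer hands you the next indicator to block. Run this against historical resolver logs back to March 2020, the start of the update window the article cites.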
FireEye says it has “detected this activity at multiple entities worldwide.”
“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”
SolarWinds said in SEC documents today that in the first three quarters of 2020, revenue from the Orion product line brought in approximately $343 million, representing about 45% of the company’s total revenue.
If customers abandon the product, the fallout from this security breach will have a major impact on SolarWinds’ bottom line as well.