Security Advisory: SolarWinds Orion
As you have likely seen in news reports over the last few weeks, a series of significant security incidents came to light earlier this month: malicious cyber actors exploiting the VMware® Workspace ONE Access and VMware Identity Manager products, and a security breach at FireEye that uncovered malware injected into SolarWinds' network management platform, Orion.
On Monday, December 7, 2020, the US National Security Agency released a Cybersecurity Advisory warning that a flaw in VMware's identity and access management products was being exploited by Russian state-sponsored actors to abuse federated (SAML) authentication and access protected data. Note that exploitation requires valid credentials for the product's web-based management interface, so strong, unique passwords on that interface and restricting network access to it reduce exposure. Impacted products and versions, along with patch information, can be found in VMware's advisory.
On Tuesday, December 8, 2020, the cybersecurity firm FireEye disclosed that its systems had been attacked by a highly sophisticated threat actor, likely with nation-state ties. The attackers appear to have tailored their attack specifically to FireEye, acquiring the internal red team tools FireEye built to emulate malware it had seen used in a wide range of attacks encountered in customer engagements.
FireEye reports that the stolen toolset contains no zero-day exploits, and it does not believe the theft will advance malware creation by malicious actors in the way the 2017 leaks of NSA tools did. FireEye has also published detection signatures for the stolen tools so defenders can identify their use.
During its internal investigation into the breach, FireEye discovered code creating a hidden backdoor (which FireEye named SUNBURST) in the SolarWinds Orion product; the backdoor had been inserted into legitimate, digitally signed product updates released by the vendor. These trojanized updates were downloaded and installed by organizations that were simply following the security best practice of keeping software current, and the compromise potentially affects around 18,000 organizations that installed updates released as far back as March 2020.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on December 13, 2020 in response to the compromise of the SolarWinds Orion product. The directive is binding on federal civilian agencies, which it instructs to immediately disconnect or power down affected Orion instances; CISA also urges all organizations to assess their exposure to the compromise and secure their networks against exploitation.
The following SolarWinds Orion versions are affected:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
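As an added example (not Digital Defense's Frontline check, SolarWinds' code, or anything from the advisories cited above), the following Python script classifies Orion version strings against the affected builds listed above. It assumes the version string comes either from the product label an inventory export reports (e.g. "Orion Platform 2020.2 HF1") or from a four-part build number such as the file version of SolarWinds.Orion.Core.BusinessLayer.dll, the component FireEye and CISA identified as trojanized. The "in_range" verdict for unlisted builds between the lowest and highest affected builds is a conservative heuristic of this example, not a vendor statement, and the inventory lines, hostnames and non-listed build numbers are constructed.

```python
"""Added example (not Digital Defense's Frontline check): classify SolarWinds
Orion builds against the affected versions listed in this advisory.

Assumptions, not stated on the page: the version string comes either from the
installed product label (e.g. "Orion Platform 2020.2 HF1") or from a four-part
build number such as the file version of SolarWinds.Orion.Core.BusinessLayer.dll
("2020.2.5300.12432"). The inventory lines at the bottom are constructed.
"""
from typing import Dict, Iterable, Tuple

# Affected builds exactly as listed in the advisory (build number -> label).
AFFECTED_BUILDS: Dict[str, str] = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}

# Product labels an inventory export may report instead of a build number.
LABELS: Dict[str, str] = {
    "2019.4 HF5": "2019.4.5200.9083",
    "2020.2 RC1": "2020.2.100.12219",
    "2020.2 RC2": "2020.2.5200.12394",
    "2020.2": "2020.2.5300.12432",
    "2020.2 HF1": "2020.2.5300.12432",
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn "2020.2.5300.12432" into (2020, 2, 5300, 12432).

    Integer tuples are required for ordering: compared as strings,
    "9083" sorts after "12219", so the 2019.4 HF5 build would look newer
    than the 2020.2 RC1 build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Orion build number: {version!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


_PARSED = sorted(parse_build(b) for b in AFFECTED_BUILDS)
LOWEST_AFFECTED, HIGHEST_AFFECTED = _PARSED[0], _PARSED[-1]


def resolve_label(version: str) -> str:
    """Map a product label to its build number; pass build numbers through."""
    text = " ".join(version.split())            # collapse stray whitespace
    prefix = "orion platform "
    if text.lower().startswith(prefix):
        text = text[len(prefix):]
    return LABELS.get(text.upper(), text)


def classify(version: str) -> str:
    """Classify one reported Orion version.

    Returns:
      "affected"    - one of the trojanized builds listed in the advisory
      "in_range"    - unlisted build between the lowest and highest affected
                      builds; treat as suspect until confirmed with the vendor
      "older"       - predates the earliest affected build
      "newer"       - later than the last affected build (e.g. a later hotfix)
      "unparseable" - neither a known label nor a four-part build number
    """
    try:
        build = parse_build(resolve_label(version))
    except ValueError:
        return "unparseable"
    if ".".join(str(n) for n in build) in AFFECTED_BUILDS:
        return "affected"
    if build < LOWEST_AFFECTED:
        return "older"
    if build > HIGHEST_AFFECTED:
        return "newer"
    return "in_range"


def triage(inventory_lines: Iterable[str]) -> Dict[str, str]:
    """Classify every 'hostname,version' line of an inventory export."""
    verdicts: Dict[str, str] = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        verdicts[host.strip()] = classify(version)
    return verdicts


# Constructed sample inventory; hostnames and the non-listed builds are made up.
SAMPLE_INVENTORY = """\
# host,reported Orion version
orion-prod-01,2020.2.5300.12432
orion-prod-02,Orion Platform 2019.4 HF5
orion-lab-01,2020.2.100.12219
orion-old-01,2019.4.5100.1700
orion-new-01,2020.2.15300.12766
orion-unknown-01,2020.2.1 HF2
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host:18} {verdict}")
```

Hosts that come back "affected" or "in_range" are the ones to isolate and investigate first; "unparseable" entries need the build number pulled from the host itself rather than from the inventory label. A version match alone does not establish whether the backdoor was ever activated, so it should be followed by the indicator-of-compromise checks published in the CISA and FireEye guidance.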
On December 17, 2020, CISA released a National Cyber Awareness System Alert (AA20-352A) warning of an advanced persistent threat (APT) campaign dating back to early 2020, with specific indicators of compromise and mitigation techniques. CISA also stated that it has evidence of initial access vectors other than the Orion platform, which remain under investigation.
The extent of the breaches related to these incidents is still developing as government agencies and public- and private-sector organizations analyze their exposure.
In response to these vulnerabilities, Digital Defense's Vulnerability Research Team has created checks for the SolarWinds Orion product and associated CVEs in both the Frontline Vulnerability Manager™ (Frontline VM™) and Frontline Active Threat Sweep™ (Frontline ATS™) scanners in Frontline.Cloud.
Frontline.Cloud users with questions about scanning for these conditions or requiring assistance should contact their Client Advocate.
Digital Defense will continue to monitor the situation and publish updates as information becomes available.
-- Digital Defense Vulnerability Research Team
*At the time of this case study, Fortra VM and its corresponding security solutions were referred to under the Frontline brand.