[WARNING] SolarWinds Orion source of FireEye and USGov agencies attack.

nlinecomputers

nlinecomputers

Well-Known Member
Reaction score
8,566
Location
Midland TX
Form an email I just got. It has also been reported on the news.



We have just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 through 2020.2.1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed incident, as opposed to a broad, system-wide attack.

At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central.

If you own a SolarWinds Orion product, we recommend you visit www.solarwinds.com/securityadvisory for more detailed information. If you have any immediate questions, please contact Customer Support at 1-866-530-8040 or swisupport@solarwinds.com.

Security and trust in our software are the foundation of our commitment to our customers. Thank you for your continued patience and partnership as we continue to work through this issue.

Thank you,

SolarWinds MSP Logo

John Pagliuca | President | SolarWinds MSP
 
Appears SolarWinds was the way in to FireEye - https://www.databreachtoday.com/7-takeaways-supply-chain-attack-hits-solarwinds-customers-a-15585

"We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain," FireEye CEO Kevin Mandia announced in a Sunday blog post. "This compromise is delivered through updates to a widely used IT infrastructure management software - the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors."
 
On Fireeye, it specifically mentioned Windows, Office, and one Zoho product as having reported vulnerabilities but the report I read didn't specify the best course of action for addressing it. I do not have any RMM clients so Solarwinds doesn't directly impact me, though do have a few with Zoho Assist setup for unattended access. Beyond Windows, Office, & AV updates (and AV scan), what are the best practices for checking machines?
 
Unless you use Orion from Solarwinds there is nothing for you to do. The affected services have to patch their own stuff as I understand it. IOW Microsoft and Zoho need to patch their servers and check for other software. As I understand the sequence of events the SolarWinds product Orion is what was hacked. FireEye was the first to discover the issue, they informed SW and from there we are learning of other SW customers that also got hacked. Orion is an Enterprise product so people in the SOHO and SMB markets are unlikely to be directly affected. This of course is subject to change as everyone starts checking for malware.
 
FireEye was breached recently, and it looks like Solwarwinds was the vector for the breach too.

Google's auth was busted this morning for a time... I assume they were doing something to mitigate this.
FireEye's research on this is months old... so this might actually explain Oct's M365 Authentication outage.

The rest of us need to ensure our domain controllers are patched as soon as possible.
 
Unless you are using the Orion product it looks like you are in the clear. That is the source of the malware. What has not been mentioned so far is how the hackers broke into SW to plant the compromised update.
 
nlinecomputers said:
The affected services have to patch their own stuff as I understand it.
Click to expand...

'Twas ever thus. And I don't count instances where a service that has no inherent problems with its code, but uses something that does, has to wait for the affected thing they use to be patched. Interdependency is a separate issue from who's responsible for actually patching something.
 
nlinecomputers said:
Unless you are using the Orion product it looks like you are in the clear. That is the source of the malware. What has not been mentioned so far is how the hackers broke into SW to plant the compromised update.
Click to expand...

Partially incorrect, the malware was sent via Solarwinds unified update architecture, and stemmed from a compromised code signing certificate.

Which is to say, the attack demonstrated the ability to sign malware as an official Solarwinds update. The breach therefore implicates every singe piece of Solwarwinds software that updates from Solwarwinds automatically. Which is just about everything they sell.

That's why the big boys are freaking out... this attacks the SSL trust chain at the root.

So we have a breach, and a larger problem the breach illustrated we have to mitigate. But for the most part it just means some slightly more aggressive patching than normal for us mere pleebs.
 
Last edited:
Sky-Knight said:
Partially incorrect, the malware was sent via Solarwinds unified update architecture, and stemmed from a compromised code signing certificate.

Which is to say, the attack demonstrated the ability to sign malware as an official Solarwinds update. The breach therefore implicates every singe piece of Solwarwinds software that updates from Solwarwinds automatically. Which is just about everything they sell.

That's why the big boys are freaking out... this attacks the SSL trust chain at the root.

So we have a breach, and a larger problem the breach illustrated we have to mitigate. But for the most part it just means some slightly more aggressive patching than normal for us mere pleebs.
Click to expand...
You have a source for that?
 
Sky-Knight said:
Which is to say, the attack demonstrated the ability to sign malware as an official Solarwinds update. The breach therefore implicates every singe piece of Solwarwinds software that updates from Solwarwinds automatically. Which is just about everything they sell.
Click to expand...

Implicates, yes, confirms, no. And that's not a criticism of your observation, but it is important not to believe that "every single piece" is affected until or unless that can be confirmed.

The sky is not yet falling.
 
nlinecomputers said:
You have a source for that?
Click to expand...

Scroll up, I linked the Microsoft Security Blog on the topic. SAML certificate breaches aren't trivial.

And @britechguy yes the sky is falling right this second, there just isn't anything we can do about it. We're just keeping an eye out for a patch, and given the nature of things it may not be ready until after the new year. Which is fine, Google managed to break their authentication this morning apparently over this. So I'm in no huge hurry, but you can bet your last dollar I'll be making sure all systems are fully patched mid-Jan.

But I also don't have any Federated trusts... so unless you're managing a merged AD / AAD environment it's not that big of a deal... yet.
 
Sky-Knight said:
Scroll up, I linked the Microsoft Security Blog on the topic. SAML certificate breaches aren't trivial.
Click to expand...
That's the method. It's not an indication of WHO within the SW infrastructure, most of which are separate only OWNED BY SW. Doesn't mean it's not possible but it's only speculation at this point.
 
It is, but given the damage that's already been done I'll just be more vigilant about patching for the next 60 days and not have to think about it anymore.

That applies to my RMM, and everything else too. It's December anyway, audit month is ago.
 
Sky-Knight said:
It is, but given the damage that's already been done I'll just be more vigilant about patching for the next 60 days and not have to think about it anymore.

That applies to my RMM, and everything else too. It's December anyway, audit month is ago.
Click to expand...
Yep, Paranoia is never a bad thing in this industry. LOL.
 
You must log in or register to reply here.

Similar threads

AlexanderCS
SolarWinds Orion Security Advisory
Replies
0
Views
580
AlexanderCS
AlexanderCS
nlinecomputers
SolarWinds MSP Changing Name...again
Replies
9
Views
1K
Sky-Knight
Sky-Knight
Back
Top