SolarWinds’ recent filing with the Securities and Exchange Commission (SEC) states that fewer than 18,000 customers installed the malware-laced Orion software updates. This contradicts initial media reports suggesting that all 300,000 of SolarWinds’ customers were affected.
The SEC filing adds that the Texas-based company notified all 33,000 customers who were using Orion. SolarWinds’ security advisory also clarified that the trojanized updates were released between March and June 2020 and affected only Orion Platform versions 2019.4 HF 5 through 2020.2.1.
Meanwhile, Microsoft has identified more than 40 customers actively targeted by threat actors seeking to exploit the SolarWinds backdoor.
Various public and private organizations, including the Treasury and Commerce departments, have reported Orion-related breaches of their networks. Once inside, the intruders exploited weaknesses in at least three software products, from Microsoft, SolarWinds, and VMware, to move laterally across the victims’ environments.
SolarWinds Orion is used for IT infrastructure monitoring and inventory management by many organizations, including government agencies and 80% of the Fortune 500. The product earned about $347 million in the first three quarters of the year, almost 45% of SolarWinds’ annual revenue.
Russian hackers behind SolarWinds backdoor maintained strong persistence on the systems
Cybersecurity firm FireEye tracks the threat actor behind the nine-month-long trojanized-update campaign as “UNC2452.” The SolarWinds hack is blamed on a nation-state actor that breached SolarWinds’ network and inserted malware into Orion updates. Various sources attribute the attack to Russian hackers known as APT29, or Cozy Bear, affiliated with the Russian Foreign Intelligence Service (SVR).
Trump, however, disputed that Russia was involved and instead pointed to China as the source of the SolarWinds backdoor. U.S. Senator Richard J. Durbin (D-IL) said that the cyberattack on U.S. organizations amounts to an act of war.
SolarWinds backdoor was delivered through a dynamic-link library (DLL) file
FireEye earlier reported that the breach involved the injection of malicious code into SolarWinds Orion updates, introducing the SolarWinds backdoor named SUNBURST. The trojanized library was identified as “SolarWinds.Orion.Core.BusinessLayer.dll”, a legitimate, digitally signed Orion component that ships with the product and is loaded at runtime by the Orion software.
Once loaded, the backdoor ran inside the legitimate Orion host process rather than as a separate service, and resolved subdomains of avsvmcloud.com over DNS to reach its command-and-control infrastructure, which could then direct it to install secondary payloads, spread across the network, or exfiltrate data.
The malware stays dormant for about 12 to 14 days after installation before its first contact with the command-and-control server, which helps it evade sandbox analysis and short-lived test deployments. Once activated, the SolarWinds backdoor allowed attackers to install additional stealthy malware payloads on the affected computers.
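As an added illustration of the beaconing described above (example code written for this page, not FireEye’s or SolarWinds’ tooling), the following Python scans a constructed DNS query log for lookups of avsvmcloud.com subdomains and reports, per client, when the first such lookup happened relative to an assumed Orion update install time. The log format, the client IPs, the long first labels, and the install time are all invented for the example; the only real indicator it uses is the avsvmcloud.com parent domain named in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Parent C2 domain from FireEye's SUNBURST reporting; any subdomain of it is suspect.
C2_PARENT = "avsvmcloud.com"

# Assumed log format (constructed for this example, not any vendor's real format):
# "<ISO-8601 timestamp> <client IPv4> <queried name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed sample log. IPs and the long first labels are invented; lines 4 and 6
# are look-alike names that must NOT match, and the last line is malformed.
SAMPLE_DNS_LOG = """\
2020-06-18T09:12:44Z 10.20.30.40 update.microsoft.com
2020-06-18T09:13:01Z 10.20.30.41 downloads.solarwinds.com
2020-07-02T03:15:07Z 10.20.30.40 k5kcubns0yl5uv0gpj2p.appsync-api.us-east-1.avsvmcloud.com
2020-07-02T03:16:12Z 10.20.30.41 avsvmcloud.com.cdn.example.net
2020-07-03T03:15:09Z 10.20.30.40 AVSVMCLOUD.COM.
2020-07-03T11:00:00Z 10.20.30.42 notavsvmcloud.com
this line is malformed and is skipped
"""

# Assumed time the trojanized update was installed on 10.20.30.40 (constructed).
ASSUMED_INSTALL_TIME = datetime(2020, 6, 18, tzinfo=timezone.utc)


def is_c2_name(fqdn: str) -> bool:
    """True if fqdn is avsvmcloud.com or a subdomain of it (case- and trailing-dot-insensitive)."""
    name = fqdn.rstrip(".").lower()
    return name == C2_PARENT or name.endswith("." + C2_PARENT)


def find_sunburst_beacons(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, fqdn), ...]} for every C2 lookup, sorted by time."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # malformed line; a production parser would count these
        ts, client, fqdn = m.groups()
        if is_c2_name(fqdn):
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            hits[client].append((when, fqdn.rstrip(".").lower()))
    return {client: sorted(events) for client, events in hits.items()}


def days_dormant(install_time: datetime, beacons: list) -> int:
    """Whole days between an Orion update install and the host's first C2 lookup."""
    return (beacons[0][0] - install_time).days


if __name__ == "__main__":
    for client, events in find_sunburst_beacons(SAMPLE_DNS_LOG).items():
        first_ts, first_name = events[0]
        print(f"{client}: {len(events)} lookup(s); first {first_name} at "
              f"{first_ts.isoformat()}, {days_dormant(ASSUMED_INSTALL_TIME, events)} "
              f"days after install")
```

A first avsvmcloud.com lookup roughly two weeks after an Orion update, as on 10.20.30.40 here, is exactly the pattern the dormancy period produces, so correlating DNS history with patch dates is a cheap way to triage which Orion hosts went beyond merely having the update installed.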
The command-and-control servers were hosted on commercial cloud services such as GoDaddy, Amazon, and Microsoft, and the attackers used US-based IP addresses to blend in with normal traffic. The malware evaded the Department of Homeland Security’s Einstein intrusion-detection system because it was a new strain that had scarcely been encountered in the wild.
The problem was compounded by SolarWinds’ own guidance that customers exclude the files and directories of Orion products from antivirus scanning because scanning them triggered antivirus warnings. With those exclusions in place, a trojanized DLL sitting in an Orion directory would never be scanned at all.
Microsoft notified 40 actively-targeted customers
Microsoft said that it notified 40 customers targeted through the SolarWinds backdoor. While 80% of those customers are located in the United States, the threat actors also targeted organizations in Canada, Mexico, Belgium, Spain, Israel, the United Kingdom, and the United Arab Emirates.
Microsoft also reported that 44% of the targeted organizations were in the technology sector, with the rest including government bodies, think tanks, and NGOs. SolarWinds also confirmed that the malware-infected Orion software was exploited to breach its network.
Microsoft President Brad Smith said that the supply chain attack was “an act of recklessness that created a serious technological vulnerability for the United States and the world.” Referring to the Russian involvement, Smith wrote that the SolarWinds hack was not an attack on specific targets but an assault on the “trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Organizations reported breached through the SolarWinds backdoor include several US federal agencies: CISA, US Cyber Command, the National Telecommunications and Information Administration (NTIA), the Federal Bureau of Investigation (FBI), the National Nuclear Security Administration, and the Departments of Commerce, Homeland Security, Treasury, and Veterans Affairs.
Reuters reported that the SolarWinds backdoor was used against only a small subset of high-value targets, leaving most of SolarWinds’ customers unharmed. Most Orion customers found the trojanized updates on their systems but no further indicators of compromise and no secondary payloads.