Trojan in SolarWinds security has far-reaching impact

SolarWinds says a compromise of its widely used Orion network-monitoring platform endangers the networks of public and private organizations that use it and that the problem should be remediated right away.

In a security advisory, SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected in the next day or two.

The company’s managed services tools appear to be uncompromised, and the company said it isn’t aware of any similar issues with its non-Orion products, like RMM, N-Central, and SolarWinds MSP products.

FireEye, which discovered the compromise, said it has updated its scanning software to watch for known altered SolarWinds Orion binaries. In addition, Microsoft said its Defender security software has been updated to detect malicious code and has issued its own security guidance along with extensive research of the Trojan causing the problem.

FireEye’s CEO Kevin Mandia wrote in his blog that the attack was likely carried out by a nation. “The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” he wrote. He did not identify the actors, but Reuters said it was the work of Russian hackers.

Orion is part of the SolarWinds suite of network and computer management tools that includes monitoring capabilities and the ability to automatically restart services. The compromise means the attackers can bypass the security, install malicious content and restart infected systems without anyone knowing it.

The company says it has over 300,000 customers, including more than 425 of the U.S. Fortune 500, all of the top telecom, consulting, and accounting firms, the Pentagon, the State Department, the National Security Agency, the Department of Justice, and the White House. The company has 33,000 Orion customers.

Meanwhile, the federal watchdog Cybersecurity and Infrastructure Security Agency (CISA) issued a directive to federal agencies calling for them to immediately disconnect or power down Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. Agencies are prohibited from rejoining enterprise domains until CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package.

The CISA also ordered a block of all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed. It further ordered all non-military governmental systems running the Orion software to both stop running it and to disconnect compromised computers from the rest of the network by noon Monday. That was before a fix was issued.

FireEye and Microsoft have both examined the Trojan and determined that around March of this year someone managed to modify the SolarWinds Orion software during the build process. The modification included a sophisticated Trojan program, designed to remotely control any computer that had SolarWinds Orion installed.

When customers installed the latest Orion update, the Trojan was also installed. This is referred to as a “supply chain attack,” because it came through the trusted SolarWinds supply chain.

According to analysis, the Trojan would wait 12 to 14 days, then communicate with a command-and-control server, where it could install additional software and perform other tasks, including accessing an Active Directory service or monitoring network traffic.