temporary content for usaapay.com courtesy of thenotimes.com
The No Times
comments, ephemera, speculation, etc.
(protected political speech and personal opinion)


2020-12-14
THE HACK

US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor

State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

... The motive and the full scope of what intelligence was compromised remain unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly sophisticated supply chain attack.

"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks," said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has released an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.

SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.

It also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

An Evasive Campaign to Distribute SUNBURST Backdoor

FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.

"This campaign may have begun as early as Spring 2020 and is currently ongoing," FireEye said in a Sunday analysis. "Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security."

This rogue version of the SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program (OIP) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands ("Jobs") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.

The Orion Improvement Program (OIP) is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.

... The campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.

The indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be accessed here. (read more)

______________________

Permission is hereby granted to any and all to copy and paste any entry on this page and convey it electronically along with its URL,
______________________

News and facts for those sick and tired of the National Propaganda Radio version of reality.


- Unlike all the legacy media, our editorial offices are not in Langley, Virginia.


- You won't catch us fiddling while Western Civilization burns.


- Close the windows so you don't hear the mockingbird outside, grab a beer, and see what the hell is going on as we witness the controlled demolition of our society.


- The truth usually comes from one source. It comes quietly, with no heralds. Untruths come from multiple sources, in unison, and incessantly.


- The loudest partisans belong to the smallest parties. The media exaggerate their size and influence.



No Thanks
If you let them redefine words, they will control language.
If you let them control language, they will control thoughts.
If you let them control thoughts, they will control you. They will own you.

© 2020 - thenotimes.com - All Rights Reserved