Network monitoring services provider SolarWinds officially
released a second hotfix to address a critical vulnerability in its
Orion platform that was exploited to insert malware[1] and breach public and
private entities in a wide-ranging espionage campaign.
In a new update posted to its advisory[2]
page, the company urged its customers to update Orion Platform to
version 2020.2.1 HF 2 immediately to secure their environments.
The malware, dubbed SUNBURST (aka Solorigate), affects Orion app
versions 2019.4 through 2020.2.1, released between March 2020 and
June 2020.
“Based on our investigation, we are not aware that this
vulnerability affects other versions—including future versions—of
Orion Platform products,” the company said.
“We have scanned the code of all our software products for
markers similar to those used in the attack on our Orion Platform
products identified above, and we have found no evidence that other
versions of our Orion Platform products or our other products or
agents contain those markers.”
It also reiterated none of its other free tools or agents, such
as RMM and N-central, were impacted by the security
shortcoming.
Microsoft Seizes Domain Used in SolarWinds Hack
While details on how SolarWinds’ internal network was breached
are still awaited, Microsoft yesterday took the step of taking
control over one of the main GoDaddy domains — avsvmcloud[.]com[3]
— that was used by the hackers to communicate with the compromised
systems.
The Windows maker also said it plans to start blocking[4]
known malicious SolarWinds binaries starting today at 8:00 AM
PST.
Meanwhile, security researcher Mubix “Rob” Fuller has released
an authentication audit tool called SolarFlare[5]
that can be run on Orion machines to help identify accounts that
may have been compromised during the breach.
“This attack was very complex and sophisticated,” SolarWinds
stated[6]
in a new FAQ for why it couldn’t catch this issue beforehand. “The
vulnerability was crafted to evade detection and only run when
detection was unlikely.”
Up to 18,000 Businesses Hit in SolarWinds Attack
SolarWinds estimates that as many as 18,000 of its customers[7]
may have been impacted by the supply chain attack. But indications[8]
are that the operators of the campaign leveraged this flaw to only
hit select high-profile targets.
Cybersecurity firm Symantec said[9]
it identified more than 2,000 computers at over 100 customers that
received the backdoored software updates but added it did not spot
any further malicious impact on those machines.
Just as the fallout from the breach is being assessed, the
security of SolarWinds has attracted more scrutiny.
Not only it appears the company’s software download website was
protected by a simple password (“solarwinds123”) that was published
in the clear on SolarWinds’ code repository at Github; several
cybercriminals attempted to sell access to its computers[10] on underground forums,
according to Reuters.
In the wake of the incident, SolarWinds has taken the unusual
step of removing the clientele list[11] from its website.
References
- ^
exploited to insert malware
(thehackernews.com) - ^
advisory
(www.solarwinds.com) - ^
avsvmcloud[.]com
(whois.domaintools.com) - ^
start
blocking (www.microsoft.com) - ^
SolarFlare
(malicious.link) - ^
stated
(www.solarwinds.com) - ^
18,000
of its customers (thehackernews.com) - ^
indications
(www.reuters.com) - ^
said
(symantec-enterprise-blogs.security.com) - ^
sell
access to its computers (www.reuters.com) - ^
clientele list
(www.solarwinds.com)