SolarWinds – an American software vendor for managing networks and infrastructure has been breached. Orion, a network monitoring product was modified by a state-sponsored threat actor via embedding backdoor code into a legitimate SolarWinds library. This allowed remote access into the victim’s environment and a foothold in their networks; this enabled attacker to obtain privileged credentials.
The SolarWinds Orion products are designed to monitor the networks of systems and report on any security issues. Due to this, there are no comparable limiting boundaries on the scope or potential security impact; this has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to compromise tools and code that would then enable them to target other victims. After Microsoft discovered that they were breached via the SolarWinds compromise, they further discovered that their own products were then used “to further the attacks on others.”
The attack was initially disclosed by the cybersecurity firm, FireEye, as early as December 8th but published publicly on 13th. It was revealed that the attack on SolarWinds was conducted by an unknown APT (Advanced Persistent Threat) group. They were able to steal Red Team assessment tools, similarly, used by FireEye to probe its customers’ security. FireEye has made its countermeasures freely available on GitHub.
According to Microsoft, hackers acquired superuser access to SAML token-signing certificates. This SAML certificate was then used to forge new tokens to allow hackers to obtain trusted and highly privileged access to networks.
While analyzing further on this attack, it was discovered that there was another backdoor likely from a second threat actor. This malware was dubbed as SUPERNOVA. This was a web shell planted in the code of the Orion network and applications monitoring platform and enabled attackers to run arbitrary code on machines running the trojanized version of the software.