I’m sure you already heard the news. Last week, we learned that (likely) Russian nation-state hackers conducted a massive APT attack that impacted thousands of companies and government agencies through tainted updates of the SolarWinds Orion platform. This sophisticated supply-chain attack ensnared over 200 public and private organizations dating back to March.
We are relatively early in the process of deconstructing this stealthy attack — more details will emerge over time, including what the Russian APT group was really after, though we do know they monitored communications of hacked organizations for months. The US Cybersecurity and Infrastructure Security Agency (CISA) called the attack a “grave risk” to national security, while others described it as devastating to the economy, infrastructure, and public trust on a level not seen since ShadowBrokers.
Attacks like these are scary as hell, but they’re not going away. That’s why it’s important to share what we know, so there doesn’t have to be a “next time.”
Massive Russian hack leaves private and public sector reeling
If you were in a minor state of shock after learning about the presumed Russian hack, you weren’t alone. As if our supply chain, infrastructure, and business security weren’t already taxed enough by the pandemic, IT teams running SolarWinds software must now contend with complex mitigation efforts to root out backdoors slipped into Orion platform updates earlier this year. The booby-trapped updates pushed the Sunburst malware onto victim networks, where it performed reconnaissance for 12 to 14 days before sending data to a remote C&C server. If the intelligence proved fruitful, Russian threat actors then escalated their attacks on select networks.
It’s important to note that of the 18,000+ organizations that received malicious updates through Orion, only 200 were targeted for follow-on action. Therefore, many businesses may be sitting on a “dormant” version of the Sunburst malware and not yet know it. CISA advises: “Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.” However, there are a few proactive steps you can take:
- Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020
- Scan your premises using an endpoint protection product like Malwarebytes and look for detections, such as Backdoor.Sunburst and Backdoor.WebShell
- Use the Indicators of Compromise at the end of this Malwarebytes Labs blog to hunt within your logs, telemetry, and other SIEM data to establish the timeline of the intrusion
- Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure
- Upgrade to Orion platform version 2020.2.1 HF 2 and restore systems once you feel confident with the previous steps
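The steps above can be turned into a quick triage pass over an inventory of Orion hosts. The script below is an added example, not code from the post or from Malwarebytes: it assumes a constructed inventory of hostnames, Orion version strings and endpoint-protection detection names, and it treats every build from 2019.4 HF 5 up to, but not including, the fixed 2020.2.1 HF 2 release as affected.

```python
import re
from typing import Dict, List, Tuple

# Version bounds and detection names taken from the advisory text above.
FIRST_AFFECTED = "2019.4 HF 5"
FIXED_RELEASE = "2020.2.1 HF 2"
SUNBURST_DETECTIONS = {"Backdoor.Sunburst", "Backdoor.WebShell"}

# Orion versions look like "2020.2.1" or "2019.4 HF 5" (year.minor[.patch] [HF n]).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Convert an Orion version string into a comparable (year, minor, patch, hotfix) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """Assumption: everything from 2019.4 HF 5 up to (not including) 2020.2.1 HF 2 is affected."""
    return parse_version(FIRST_AFFECTED) <= parse_version(version) < parse_version(FIXED_RELEASE)


def triage(host: Dict) -> str:
    """Map one inventory record to the action the post recommends."""
    if SUNBURST_DETECTIONS & set(host.get("detections", [])):
        return "ISOLATE_AND_INVESTIGATE"      # detections present: incident response first
    if is_affected(host["version"]):
        return "ISOLATE_AND_UPGRADE"          # tainted build: isolate, sweep, then upgrade
    return "OK"                               # already on the fixed build or an older one


def triage_inventory(inventory: List[Dict]) -> Dict[str, str]:
    """Return {hostname: action} for a whole inventory."""
    return {h["host"]: triage(h) for h in inventory}


# Constructed sample inventory (not real hosts); hypothetical hostnames.
SAMPLE_INVENTORY = [
    {"host": "orion-01", "version": "2020.2.1", "detections": []},
    {"host": "orion-02", "version": "2019.4 HF 5", "detections": ["Backdoor.Sunburst"]},
    {"host": "orion-03", "version": "2020.2.1 HF 2", "detections": []},
    {"host": "orion-04", "version": "2019.4 HF 4", "detections": []},
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

An "OK" result only means the version is outside the tainted range and no named detection fired; the IoC hunt in step three still applies.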
For more technical information on the cyberattack from CISA: https://us-cert.cisa.gov/ncas/alerts/aa20-352a