It has been brought to RedLegg's attention that the breaches at FireEye, the Treasury Department, and the Commerce Department are due to a supply chain attack on the SolarWinds Orion software. FireEye identified this and is referring to it as the "SunBurst Backdoor."
It is currently believed that the attacker inserted malicious code into SolarWinds Orion software in early spring 2020. RedLegg recommends Orion users update and verify the configuration of their deployment immediately.
SolarWinds has released a hotfix for the Orion software and recommends upgrading all Orion Platforms as soon as possible to ensure the security of your environment. Additionally, RedLegg recommends all customers who use SolarWinds Orion implement FireEye's SunBurst countermeasures signature package. The list below contains links to the SolarWinds Orion hotfix as well as other supporting documents.
- SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
- SolarWinds Orion Hotfix: https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-hotfixes
- SolarWinds Orion Version Check: https://support.solarwinds.com/SuccessCenter/s/article/Determine-which-version-of-a-SolarWinds-Orion-product-I-have-installed
- SolarWinds Orion Secure Configuration: https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/trust-center/resources/secure-configuration-in-the-orion-platform.ashx
- FireEye SunBurst Countermeasures: https://github.com/fireeye/sunburst_countermeasures
- FireEye SunBurst Write Up: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
If you have questions, please reach out to dotell@redlegg.com.
Get updates like these as soon as possible in your inbox from our threat research team by joining the Security Bulletin email list here.