Tracing the SolarWinds exploit upstream

In the past week, the US Treasury, the US Department of Commerce and the cybersecurity company FireEye disclosed breaches tied to their software supply chains, specifically a compromise of a SolarWinds software product. Officials stated that the exploit path showed all the signs of a nation-state-sponsored cyberattack.


These breaches have one thing in common: the adversaries got in through the SolarWinds Orion software used by each of the targets. The attack path required malicious code to be injected upstream, in SolarWinds' own software supply chain, from where it then flowed downstream to the company's user community.

SolarWinds develops network and IT infrastructure management software, including the Orion platform. The company’s clientele includes multiple federal agencies and US government organizations, such as all five US military branches, the Pentagon, the NSA, the National Oceanic and Atmospheric Administration, and the Department of Justice. It is no surprise, then, that this makes SolarWinds an attractive target for nation-state actors looking to get their hands on mission-critical government systems.

Sophisticated supply chain attack propagated downstream to 18,000 customers

As the Microsoft Security Response Center team explained, the SolarWinds Orion attack started with malicious code implanted into SolarWinds Orion instances via trojanized updates. These updates delivered a backdoor known as SUNBURST (FireEye's name) and Solorigate (Microsoft's name), which landed on systems running the affected Orion Platform versions. The impact? Roughly 18,000 customers automatically pulled these malicious updates.
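The detail that matters for defenders is that the trojanized updates came through the vendor's normal, signed release channel, so a signature check alone tells a customer nothing. The following is an added illustration, not code from the original post, from SolarWinds or from Microsoft, and it does not reproduce any real Orion file names, hashes or package layout: a toy update package is "signed" by a stand-in vendor key (an HMAC in place of a real code-signing certificate), one component is swapped at build time, and the package is then checked against an out-of-band pinned manifest of per-file hashes. The hypothetical file names, the vendor key and the package contents are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample data: a toy update package as {path: bytes}.
# File names and contents are invented; no real Orion artifacts are reproduced.
CLEAN_UPDATE = {
    "bin/CoreService.dll": b"clean core service build 2020.2",
    "bin/WebConsole.dll": b"clean web console build 2020.2",
}

# The same package with one component replaced inside the build pipeline
# (simulated trojanized build: the rest of the package is untouched).
TROJANIZED_UPDATE = dict(CLEAN_UPDATE)
TROJANIZED_UPDATE["bin/CoreService.dll"] = (
    b"clean core service build 2020.2" + b"\x00BACKDOOR-STUB"
)

# Hypothetical vendor build-signing key. A real vendor uses a code-signing
# certificate; the point is the same: the build pipeline holds the key.
VENDOR_SIGNING_KEY = b"vendor-build-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def package_digest(files: dict) -> str:
    # Deterministic digest over sorted (path, per-file hash) pairs.
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\x00" + sha256_hex(files[path]).encode() + b"\n")
    return h.hexdigest()


def vendor_sign(files: dict, key: bytes = VENDOR_SIGNING_KEY) -> str:
    # Stand-in for the vendor's code signature: an HMAC over the package digest.
    return hmac.new(key, package_digest(files).encode(), hashlib.sha256).hexdigest()


def vendor_signature_valid(files: dict, signature: str,
                           key: bytes = VENDOR_SIGNING_KEY) -> bool:
    return hmac.compare_digest(vendor_sign(files, key), signature)


def pin_manifest(files: dict) -> dict:
    # Out-of-band record of expected per-file hashes, e.g. from an independent
    # or reproducible build. Must NOT come from the pipeline being verified.
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_against_manifest(files: dict, manifest: dict) -> dict:
    # Classify every file as ok / modified / unexpected (not in manifest) / missing.
    result = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for path, expected in manifest.items():
        if path not in files:
            result["missing"].append(path)
        elif sha256_hex(files[path]) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    for path in files:
        if path not in manifest:
            result["unexpected"].append(path)
    return result


def update_is_trustworthy(files: dict, signature: str, manifest: dict) -> bool:
    # Both checks must pass: a valid vendor signature AND agreement with the
    # independently pinned manifest.
    if not vendor_signature_valid(files, signature):
        return False
    r = verify_against_manifest(files, manifest)
    return not (r["modified"] or r["unexpected"] or r["missing"])


if __name__ == "__main__":
    manifest = pin_manifest(CLEAN_UPDATE)
    # Attackers inside the build pipeline obtain a legitimate vendor signature.
    sig = vendor_sign(TROJANIZED_UPDATE)
    print("vendor signature valid:", vendor_signature_valid(TROJANIZED_UPDATE, sig))
    print("manifest check:", verify_against_manifest(TROJANIZED_UPDATE, manifest))
    print("update trustworthy:", update_is_trustworthy(TROJANIZED_UPDATE, sig, manifest))
```

The trojanized package passes the signature check, because the signer is the compromised pipeline itself; only the comparison against a manifest produced outside that pipeline flags the swapped component. The caveat is the manifest's provenance: if it is generated by the same build that was tampered with, both checks pass and the backdoor ships exactly as described above, so the independent record has to come from a second build system, a reproducible build, or a hash published through a channel the attacker does not control.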

SolarWinds called this a “highly sophisticated, manual supply chain attack” in a security advisory, adding:

“We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”

The company has since advised users to upgrade their Orion instances to patched versions and (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: