Important Announcement: SolarWinds Security Alert
Sunburst
On the 13th December, a SolarWinds® security alert was issued, identifying that a security incident exists in the SolarWinds Orion® Platform covering the version builds 2019.4 Hot Fix 5 through to version 2020.2 HF1, released between March 2020 and June 2020. The attack, named ‘Sunburst’, included trojanising a legitimate SolarWinds Orion update, which then has the potential to be used to compromise further parts of your network. It is therefore considered a high risk security incident, for which we advise our customers to take active response.
The vulnerability exists within the ‘SolarWinds.Orion.Core.BusinessLayer.dll’ file. The malicious code remains dormant for a period of up to two weeks and then hides its activity within genuine SolarWinds application traffic and files, making this a sophisticated and targeted attack.
The security firm FireEye identified the attack and has published a detailed description of this compromise here, which provides information on the attack vector and the actors at play.
SuperNova
As part of the investigations into Sunburst, it was identified that some customer installations included a separate vulnerability. Details to date indicate this is not part of the Sunburst attack, but is malware designed to be hidden within the SolarWinds Orion website code by an external party. This malware is an unsigned file, ‘App_Web_logoimagehandler.ashx.b6031896.dll’, placed in the IIS “Inetpub\SolarWinds\bin” folder, providing remote code execution as a ‘webshell’, a well-known attack vector.
SolarWinds are maintaining their incident response at the following URL, which we suggest you use to track up-to-date vendor information; several updates have already been made there since these vulnerabilities came to light.
Are you affected?
This attack is related to specific versions only and therefore the following should be performed to identify if you are at risk:
| Orion Platform Version | Known Affected By Sunburst? | Known Vulnerable To SuperNova? | Recommended Action | Direct Link |
|---|---|---|---|---|
| 2020.2.1 HF 2 | No | No | No action needed | N/A |
| 2020.2.1 HF 1 | No | Yes | Upgrade to 2020.2.1 HF 2 | Customer Portal |
| 2020.2.1 | No | Yes | Upgrade to 2020.2.1 HF 2 | Customer Portal |
| 2020.2 HF 1 | Yes | Yes | Upgrade to 2020.2.1 HF 2 | Customer Portal |
| 2020.2 | Yes | Yes | Upgrade to 2020.2.1 HF 2 | Customer Portal |
| 2019.4 HF 6 | No | No | No action needed | N/A |
| 2019.4 HF 5 | Yes | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.4 HF 4 | No | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.4 HF 3 | No | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.4 HF 2 | No | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.4 HF 1 | No | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.4 | No | Yes | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | Customer Portal |
| 2019.2 HF 3 | No | Yes | Upgrade to 2020.2.1 HF 2 (or apply 2019.2 HF 3 Security Patch) | |
| 2019.2 HF 2 | No | Yes | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | |
| 2019.2 HF 1 | No | Yes | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | |
| 2019.2 | No | Yes | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | |
| 2018.4 | No | Yes | Upgrade to 2020.2.1 HF 2 (or ensure you are running 2018.4 HF 3 AND apply the 2018.4 HF 3 Security Patch) | |
| 2018.2 | No | Yes | Upgrade to 2020.2.1 HF 2 (or ensure you are running 2018.2 HF 6 AND apply the 2018.2 HF 6 Security Patch) | |
| All Prior Versions | No | Yes | Upgrade to 2020.2.1 HF 2, apply temporary mitigation script, or discontinue use | |
Your current version can be checked by logging in to your Orion web UI and looking at the page footer.
- Navigate to Settings > My Orion Deployment > Updates & Evaluation
- You will see under this page if any updates are available (Internet access is required at this stage)
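As an added example (not part of this advisory or of any SolarWinds or Prosperon tooling), the following Python normalises the version string shown in the Orion footer (the page's spellings vary between "HF 2" and "HF2") and maps it to the Sunburst/SuperNova status and recommended action from the table above. It knows only the builds the table lists; anything newer than 2020.2.1 HF 2 is reported as outside the table rather than guessed.

```python
import re
from typing import NamedTuple


class OrionBuild(NamedTuple):
    """Normalised Orion Platform build, e.g. '2020.2.1 HF 2' -> (2020, 2, 1, 2)."""
    year: int
    release: int
    point: int    # 0 when absent ('2020.2'), 1 for '2020.2.1'
    hotfix: int   # 0 when the footer shows no HF suffix


# Accepts the spellings seen in the advisory: '2019.4 HF 5', '2019.4 HF5', '2018.4'
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.I)


def parse_build(text: str) -> OrionBuild:
    """Parse the version string taken from the Orion web UI footer."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, release, point, hotfix = m.groups()
    return OrionBuild(int(year), int(release), int(point or 0), int(hotfix or 0))


# Builds the advisory table marks as affected by Sunburst (the trojanised update).
SUNBURST_BUILDS = {OrionBuild(2019, 4, 0, 5), OrionBuild(2020, 2, 0, 0), OrionBuild(2020, 2, 0, 1)}
# Builds the advisory table marks as not vulnerable to SuperNova.
SUPERNOVA_FIXED_BUILDS = {OrionBuild(2020, 2, 1, 2), OrionBuild(2019, 4, 0, 6)}
LATEST_FIXED = OrionBuild(2020, 2, 1, 2)


class Assessment(NamedTuple):
    sunburst: bool
    supernova: bool
    action: str


def assess(text: str) -> Assessment:
    """Classify a footer version string against the advisory table."""
    b = parse_build(text)
    if b > LATEST_FIXED:
        # Newer than anything in the table; the advisory does not cover it.
        return Assessment(False, False, "Not covered by this advisory table; check the vendor advisory")
    sunburst = b in SUNBURST_BUILDS
    supernova = b not in SUPERNOVA_FIXED_BUILDS
    family = (b.year, b.release)
    if not supernova:
        action = "No action needed"
    elif family == (2020, 2):
        action = "Upgrade to 2020.2.1 HF 2"
    elif family == (2019, 4):
        action = "Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2)"
    elif family == (2019, 2) and b.hotfix == 3:
        action = "Upgrade to 2020.2.1 HF 2 (or apply 2019.2 HF 3 Security Patch)"
    elif family == (2019, 2):
        action = "Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch)"
    elif family == (2018, 4):
        action = "Upgrade to 2020.2.1 HF 2 (or ensure you are running 2018.4 HF 3 AND apply the 2018.4 HF 3 Security Patch)"
    elif family == (2018, 2):
        action = "Upgrade to 2020.2.1 HF 2 (or ensure you are running 2018.2 HF 6 AND apply the 2018.2 HF 6 Security Patch)"
    else:
        # Everything older than 2018.2 is 'All Prior Versions' in the table.
        action = "Upgrade to 2020.2.1 HF 2, apply temporary mitigation script, or discontinue use"
    return Assessment(sunburst, supernova, action)


if __name__ == "__main__":
    # Constructed sample footer strings, one per family in the table.
    for footer in ("2020.2.1 HF 2", "2020.2 HF1", "2019.4 HF 5", "2019.2 HF 3", "2018.4", "2017.3"):
        print(footer, "->", assess(footer))
```

Run it with the exact string from your footer; a `ValueError` means the string was not recognised and the table should be consulted by hand.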
SolarWinds have also released a couple of PowerShell-based scripts to allow you to identify whether you have the compromised files on your Orion servers:
What should you do?
The first consideration is to plan to mitigate the risk, which involves upgrading the Orion platform to the latest release, 2020.2.1 HF2, or, if running any version of 2019.4, upgrading to either 2020.2.1 HF2 or 2019.4 HF6. For versions prior to 2019.4, it is a choice between upgrading all the way to 2020.2.1 HF2 (I do not foresee a reason to stop midway on 2019.4 HF6) or applying the correct Security Patch for your version. The security patch will be quicker to apply, but it deals only with the SuperNova vulnerability; to confirm, this patch only prevents the malicious code from executing remote code, and exploitation requires the threat actor to be able to add the compromised file to your Orion installation in the first place.
Upgrading or applying the security patch will immediately protect you and then it is advised to review the potential risk for compromise:
- Block all Internet traffic to and from the Orion servers until you have applied the 2020.2.1 HF2, 2019.4 HF6 or Security Patch releases, whichever is appropriate for you
- I am maintaining a URL whitelist for the benefit of the wider SolarWinds user base on the SolarWinds community site Thwack, at the following URL
- Review any DNS lookups and traffic that have been performed to the following domains, as these have been identified as the potential external calls
- avsvmcloud[.]com
- zupertech[.]com
- panhardware[.]com
- databasegalore[.]com
- incomeupdate[.]com
- highdatabase[.]com
- websitetheme[.]com
- freescanonline[.]com
- virtualdataserver[.]com
- deftsecurity[.]com
- thedoccloud[.]com
- digitalcollege[.]org
- globalnetworkissues[.]com
- seobundlekit[.]com
- virtualwebdata[.]com
- Review all changes made to privileged accounts, both in your domain and on the local Orion servers
- If you have the SolarWinds SIEM solution SEM, let us know and we can help get filters in place to assist identification
- If you have the Orion NCM application within your platform, review recent changes made to network devices
- It is advised to change the passwords used by Orion for polling resources
- We advise our customers to create a Service Account, which Orion will use to poll servers, so changing this or these if you created multiple within AD and within Orion is recommended
- Orion Settings > All Settings > Manage Windows Credentials
- Orion Settings > All Settings > SAM Settings > Credentials Library
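As an added example (not part of this advisory or of any SolarWinds or Prosperon tooling), the following Python reviews DNS query logs for the domains listed above. It matches on whole labels from the right, so a lookup of a subdomain of a listed domain is flagged while a look-alike such as a listed name embedded inside another domain is not. The single-line log format, the client addresses and the sample queries are all constructed for illustration; adapt the regular expression to the export format of your own resolver or DNS server.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# The domains from the advisory, kept defanged exactly as listed on the page.
ADVISORY_DOMAINS_DEFANGED = [
    "avsvmcloud[.]com", "zupertech[.]com", "panhardware[.]com", "databasegalore[.]com",
    "incomeupdate[.]com", "highdatabase[.]com", "websitetheme[.]com", "freescanonline[.]com",
    "virtualdataserver[.]com", "deftsecurity[.]com", "thedoccloud[.]com", "digitalcollege[.]org",
    "globalnetworkissues[.]com", "seobundlekit[.]com", "virtualwebdata[.]com",
]


def refang(domain: str) -> str:
    """'avsvmcloud[.]com' -> 'avsvmcloud.com', lower-cased, without a trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def defang(domain: str) -> str:
    """Reverse of refang, so report output cannot be clicked or resolved by accident."""
    return domain.replace(".", "[.]")


WATCHLIST = {refang(d) for d in ADVISORY_DOMAINS_DEFANGED}


def matched_domain(qname: str) -> Optional[str]:
    """Return the watchlist domain that qname equals or sits underneath, else None.

    Comparison is on whole labels from the right: 'x.avsvmcloud.com' matches,
    while 'avsvmcloud.com.example.net' and 'notavsvmcloud.com' do not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None


class DnsHit(NamedTuple):
    timestamp: str
    client: str
    qname: str
    watchlist_domain: str


# Assumed, simplified log format (one query per line): '<timestamp> <client-ip> query <rrtype> <qname>'
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<rrtype>\w+)\s+(?P<qname>\S+)\s*$")


def review_dns_log(lines) -> Dict[str, List[DnsHit]]:
    """Collect log lines that resolve (a subdomain of) an advisory domain, keyed by that domain."""
    hits: Dict[str, List[DnsHit]] = defaultdict(list)
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # comment or unparsable line; a full review would count these separately
        hit = matched_domain(m["qname"])
        if hit:
            hits[hit].append(DnsHit(m["ts"], m["client"], m["qname"], hit))
    return dict(hits)


def clients_per_domain(hits: Dict[str, List[DnsHit]]) -> Dict[str, List[str]]:
    """Which internal hosts queried each watched domain, with defanged keys for reporting."""
    return {defang(d): sorted({h.client for h in entries}) for d, entries in hits.items()}


# Constructed sample log lines (not real traffic); 10.0.5.21 stands in for an Orion poller.
SAMPLE_LOG = [
    "2020-12-14T09:12:33Z 10.0.5.21 query A example-sub.avsvmcloud.com",
    "2020-12-14T09:12:40Z 10.0.5.21 query A intranet.example.local",
    "2020-12-14T09:13:02Z 10.0.7.15 query A avsvmcloud.com.example.net",
    "2020-12-14T09:15:11Z 10.0.5.22 query A deftsecurity.com.",
    "2020-12-14T09:15:12Z 10.0.5.22 query AAAA notavsvmcloud.com",
    "# malformed line that the parser skips",
]

if __name__ == "__main__":
    found = review_dns_log(SAMPLE_LOG)
    for domain, hosts in clients_per_domain(found).items():
        print(f"{domain}: {', '.join(hosts)}")
```

On the constructed sample only the first and fourth lines are reported; the near-miss names on the third and fifth lines are correctly ignored. Any host other than the Orion servers appearing in the output is worth the same scrutiny as the servers themselves.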
Our team are on hand to provide specific guidance and to answer any questions relating to your installation: support@prosperon.co.uk or 01903 340993.
Performing Upgrades
All affected versions of Orion include support for centralised upgrades and therefore installing an updated version that is not affected by this security incident can be performed via the Orion Web UI.
The following resources will aid your upgrade activity, but again please reach out to your Account Manager or our support desk if you have any questions, need guidance, or would like our resources to perform the upgrade for you.
Resources:
Core SolarWinds Security Advisory
Mark Roberts
Technical Director