H-ISAC Threat Bulletin: SolarWinds Breach
TLP: WHITE — On December 13, 2020, information technology solutions company SolarWinds reported they were breached by Nation State threat actors from Russia. The breach was used to leverage further attacks against several US federal agencies. SolarWinds released a statement that their systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. The US Cybersecurity and Infrastructure Security Agency (CISA) released Emergen
SolarWinds is used by more than 300,000 organizations across the world, including all five branches of the U.S. military, the Pentagon, the State Department, the Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world's top electronic spy agency, according to the firm's website.
Health-ISAC’s Threat Operations Center (TOC) will continue to gather information about this incident as it becomes available. We encourage Health-ISAC members to continue sharing on WeeSecrets and the AMBER mailing list or contact the TOC directly. The TOC will provide updates as more information becomes available.
Analysis:
SolarWinds has released a statement that their systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
SolarWinds.Orion.Core.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
Multiple trojanized updates were digitally signed from March – May 2020 and posted to the SolarWinds updates website, including:
- hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp
The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.
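As an added example (not H-ISAC's or SolarWinds' code), two defensive checks built from the details above: a version-range test for deployed Orion builds using the bulletin's stated bounds, and a proxy-log search for the trojanized hotfix URL listed above. The proxy log lines are constructed, and the `src_ip METHOD url` log layout and the version-string format are assumptions.

```python
"""Added example: Orion version-range check and proxy-log search for the
trojanized hotfix URL from the H-ISAC bulletin (not vendor or ISAC code)."""
import re
from typing import List, Optional, Tuple

# Bounds copied from the bulletin: 2019.4 HF 5 through 2020.2.1, inclusive.
AFFECTED_LOW = (2019, 4, 0, 5)
AFFECTED_HIGH = (2020, 2, 1, 0)

# Defanged indicator exactly as listed in the bulletin.
TROJANIZED_UPDATE_IOC = ("hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/"
                         "Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp")

# Constructed proxy log lines (assumed format 'src_ip METHOD url'); not real traffic.
SAMPLE_PROXY_LOG = [
    "10.1.2.3 GET https://downloads.solarwinds.com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp",
    "10.1.2.9 GET https://downloads.solarwinds.com/solarwinds/CatalogResources/Core/2019.4/readme.txt",
]

# Assumed version layout: YEAR.MAJOR[.MINOR][ HF N], e.g. '2019.4 HF 5'.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '2019.4 HF 5' or '2020.2.1' into (year, major, minor, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    year, major, minor, hf = m.groups()
    return (int(year), int(major), int(minor or 0), int(hf or 0))


def in_affected_range(text: str) -> bool:
    """True when the build is inside the bulletin's range; tuples compare
    lexicographically, so '2019.4 HF 4' sorts below the lower bound."""
    v = parse_orion_version(text)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH


def refang(ioc: str) -> str:
    """Undo the bulletin's defanging so the IOC matches logged URLs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def hosts_that_fetched_trojanized_update(log_lines: List[str]) -> List[str]:
    """Source IPs of proxy entries that requested the trojanized .msp."""
    target = refang(TROJANIZED_UPDATE_IOC)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2] == target:
            hits.append(parts[0])
    return hits
```

Update the bounds from current vendor guidance before relying on the version check; the tuple comparison only encodes the range as this bulletin states it.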
Indicators of Compromise:
Currently known Indicators of Compromise (IOC) have been entered into Health-ISAC’s automated sharing platform for those members ingesting automated threat indicators. Health-ISAC’s Threat Operation Center will continue to monitor the incident, while aggregating and ingesting IOCs made available.
Recommendations
Sources
The attached PowerPoint presentation is also provided to assist with high-level