On December 13, 2020, The Washington Post reported that the substantial FireEye and SolarWinds breach was perpetrated by Russian-backed hackers and reached Fortune 500 companies and several branches of the US Government, including the U.S. Treasury Department. Sensitive data belonging to as many as 18,000 companies was exposed to the same backdoor software that compromised U.S. government agencies.
The breach was traced back to the SolarWinds Orion IT monitoring software, which was compromised by a Trojan malware program, in turn compromising thousands of client networks. The trojanized Orion software framework contains a backdoor that communicates via HTTP to third-party servers, giving the hackers access to the affected networks through that backdoor. We are tracking the Trojan malware in this SolarWinds Orion plug-in as SUNBURST.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masks its network traffic as the Orion Improvement Program (OIP) protocol and stores its results within legitimate plugin configuration files, allowing it to "blend in" with legitimate SolarWinds activity. This made the intrusion very hard to detect until a great deal of time had passed.
Multiple updates were digitally signed from March-May 2020 and posted to the SolarWinds updates website.
The Trojan malware update file is a standard Windows Update Installer Patch file that includes compressed resources associated with the update, along with the Trojan malware SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious file will be loaded onto the device, as it's disguised as part of the software. After a dormant period of up to two weeks, the malware will start its data collection.
The backdoor called home by resolving a subdomain of avsvmcloud[.]com. The unprecedented cooperation between Microsoft, FireEye, and GoDaddy, where that domain was registered, to take control of the call-home site brought this campaign to its knees.
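As a defender-side illustration of the call-home behavior described above, here is an added example (not code from this article, SolarWinds, or FireEye) that hunts a DNS query log for lookups under avsvmcloud[.]com, the domain named here. The log format and the sample lines are constructed for the illustration; the only real indicator used is that domain, and the matching is done per label so that look-alike names are not flagged.

```python
"""Hunt a DNS query log for lookups under the SUNBURST call-home zone."""
from collections import defaultdict

# Real indicator from the article (shown there defanged as avsvmcloud[.]com).
C2_ZONE = "avsvmcloud.com"

# Constructed sample log lines: "<timestamp> <client_ip> <queried_name>".
# The subdomain labels are made up; the last line is a look-alike that merely
# contains the zone name and must NOT be flagged.
SAMPLE_LOG = """\
2020-06-01T03:14:07Z 10.0.5.21 updates.solarwinds.com
2020-06-01T03:14:09Z 10.0.5.21 constructedlabel0001.avsvmcloud.com
2020-06-01T03:15:11Z 10.0.7.44 login.microsoftonline.com
2020-06-01T03:20:45Z 10.0.5.21 constructedlabel0002.sub.avsvmcloud.com
2020-06-01T03:21:02Z 10.0.9.13 avsvmcloud.com.internal.example
"""


def is_under_zone(name: str, zone: str = C2_ZONE) -> bool:
    """True if name is the zone itself or a subdomain of it.

    Compares whole labels, so 'avsvmcloud.com.evil.example' and
    'notavsvmcloud.com' do not match; case and a trailing dot are ignored.
    """
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def hunt(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, queried_name), ...]} for every client
    that queried a name under the call-home zone. Malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, client, qname = parts
        if is_under_zone(qname):
            hits[client].append((timestamp, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(events)} lookup(s) under {C2_ZONE}")
        for timestamp, qname in events:
            print(f"  {timestamp} {qname}")
```

Any host this flags should be treated as a candidate for the dormant-then-active behavior described above and checked for the trojanized Orion component.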
However, this exploit had been active for a while before it was identified by FireEye. Even now that the ongoing exploitation has been cut off, the attackers still hold a treasure trove of data, usernames, passwords, and other sensitive information.
As a society that is dependent on the secure transfer, storage, and deployment of digital media, we must take extra precautions to keep this valuable information safe as a whole. That said, this does not mean SolarWinds was doing its best job. A security researcher warned the company in 2019 about a hard-coded password protecting the now-breached server, which was "solarwinds123". But rather than focusing on the failure, we all need to take this as a teachable moment and make sure that we are doing all we can to protect our data.
We all need to ask the question, "What happens when my MSP, security vendor or any tech vendor is compromised?" The SolarWinds hack is one of many, so as a business owner, you should analyze every one of your vendors that can push updates to your network and ask whether everything that can be done to protect you is in place. This requires a layered security approach, with multiple layers of protection, not just one piece. No single tool can be relied on to never fail, which is why multiple tools working together are your best bet for keeping your company's and your clients' data safe.
Another question to ask is "what's my backup plan when this fails?" If it does fail, are you able to spin up another safe environment to keep your company running during this time? Time is money, and every minute you are down you are losing time, and in turn, money.
Breaches are going to happen. If they’re something your organization needs to be resilient against, then it’s best to be prepared for them.
Fortunately for Micro Doctor IT and our clients, we do not use the SolarWinds Orion products. We feel our new Security Shield, which includes a 24/7 SOC (Security Operations Center), would have protected our clients just like FireEye caught the trojan this time. We are actively scanning thousands of endpoints for anything with the name SolarWinds in it as a precaution.
Just like Microsoft, FireEye and Google worked together, our partners have also worked together anytime we were contacted to remediate a data breach or ransomware attack.
The bottom line is we stand behind our security and provide world-class products and services to serve our local and global communities. In this year of seemingly relentless attacks and global pandemic, Micro Doctor IT remains steadfast in its abilities, tradition, and compassion to our industry and others.
This article was written by Mark Richmond, President/Chief Security Officer at Micro Doctor IT, and Megan Augustine, Marketing Manager, Micro Doctor IT.