This week SolarWinds announced that it was breached earlier this year and that the attackers were able to place malicious code within the build system for its Orion product. That malicious code was then compiled, tested, signed, and delivered to SolarWinds customers starting in March 2020. The last week has been very interesting: a supply chain breach of this magnitude had previously only been theorized and discussed in security tabletop exercises. Since the announcement we have been working with several Ordr customers and partners to detect malicious activity associated with this breach and, for some customers, to locate the SolarWinds devices on their networks so that they could be taken down.
Ordr currently detects the command and control (C2) infrastructure of this SolarWinds malware through our malicious communication detection service. The malware's Domain Generation Algorithm (DGA) produces subdomains of avsvmcloud.com, so Ordr monitors all device communications on the network and alerts Ordr SCE operators whenever we see a connection or DNS lookup to one of the malicious domains associated with this malware (*.avsvmcloud.com, as published in FireEye's countermeasures: https://github.com/fireeye/red_team_tool_countermeasures).
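As an added example (not Ordr's detection service or code from the original post), the following Python script applies that same check to a DNS query log: it flags any lookup whose name is avsvmcloud.com or a subdomain of it, case-insensitively and tolerating the trailing root dot, without false-matching look-alike names such as notavsvmcloud.com, and lists the querying hosts so they can be isolated. The log format, timestamps, client IPs and subdomain labels are all constructed for illustration; the only thing taken from the text above is the indicator domain.

```python
"""Flag DNS queries to the SUNBURST indicator domain in a DNS query log.

Added example, not Ordr's code. The log layout below is a constructed,
simplified "timestamp client qname qtype answer" format; real sources
(Zeek dns.log, BIND query logs, Windows DNS analytic logs) use other
fields, so adapt parse_line() to your source.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator domain from the FireEye countermeasures repository cited above.
# Every name beneath it is matched, because the DGA-generated names are
# subdomains of this registered domain.
INDICATOR_DOMAINS = ("avsvmcloud.com",)

# Constructed sample log: the timestamps, client IPs, answers and the
# subdomain labels are made up for illustration, not observed traffic.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:22Z 10.20.30.40 www.example.com A 93.184.216.34
2020-12-14T10:01:23Z 10.20.30.41 abcd1234efgh5678.appsync-api.eu-west-1.avsvmcloud.com. A 20.140.0.1
2020-12-14T10:01:24Z 10.20.30.42 updates.notavsvmcloud.com A 198.51.100.7
2020-12-14T10:01:25Z 10.20.30.41 ZYXW9876VUTS5432.APPSYNC-API.US-EAST-1.AVSVMCLOUD.COM A 20.140.0.2
this line is malformed
2020-12-14T10:01:26Z 10.20.30.43 avsvmcloud.com A 20.140.0.3
"""


@dataclass(frozen=True)
class DnsHit:
    timestamp: str
    client: str
    qname: str       # normalized query name
    indicator: str   # indicator domain the query fell under
    subdomain: str   # labels beneath the indicator (the generated part), '' if none
    answer: str


def normalize_name(qname: str) -> str:
    """Lower-case and strip the trailing root dot so 'A.B.com.' == 'a.b.com'."""
    return qname.rstrip(".").lower()


def matched_indicator(qname: str) -> Optional[str]:
    """Return the indicator domain qname is or falls under, else None.

    The comparison is label-wise: 'updates.notavsvmcloud.com' must not
    match 'avsvmcloud.com', so a plain endswith() on the bare domain would
    be wrong; we require equality or a '.' immediately before the indicator.
    """
    name = normalize_name(qname)
    for indicator in INDICATOR_DOMAINS:
        if name == indicator or name.endswith("." + indicator):
            return indicator
    return None


def parse_line(line: str) -> Optional[List[str]]:
    """Split one constructed log line into its five fields; None if malformed."""
    fields = line.split()
    return fields if len(fields) == 5 else None


def scan_dns_log(lines: Iterable[str]) -> List[DnsHit]:
    """Return every query that matched an indicator, in log order."""
    hits: List[DnsHit] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # skip malformed lines rather than crash the scan
        timestamp, client, qname, _qtype, answer = fields
        indicator = matched_indicator(qname)
        if indicator is None:
            continue
        name = normalize_name(qname)
        subdomain = name[: -len(indicator)].rstrip(".")
        hits.append(DnsHit(timestamp, client, name, indicator, subdomain, answer))
    return hits


def affected_clients(hits: Iterable[DnsHit]) -> List[str]:
    """Distinct querying hosts, sorted, for the isolation list."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for hit in found:
        print(f"{hit.timestamp} {hit.client} -> {hit.qname} "
              f"(matches {hit.indicator}, subdomain '{hit.subdomain}')")
    print("Hosts to isolate:", affected_clients(found))
```

The bare-domain query on the last sample line is reported too, with an empty subdomain: a lookup of the registered domain itself is still worth a look, and a suffix check that only accepted names with something in front of it would miss it.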
Additionally, we have deployed several detection signatures to our deep packet inspection (DPI) intrusion detection system (IDS) that look both for the malicious communications associated with this SolarWinds malware and for the lateral movement techniques that FireEye and Microsoft documented while researching the threat actors behind it.
And because Ordr detects and classifies every system on the network, we can identify any SolarWinds systems present on the network at any time.
SolarWinds has released a hotfix (Orion Platform 2020.2.1 HF 1) and is releasing an additional hotfix (2020.2.1 HF 2) today to all of its customers. We urge all SolarWinds customers to apply these patches and to aggressively monitor their SolarWinds servers for any anomalies.
We also urge anyone running SolarWinds Orion to rotate any authentication credentials stored inside the Orion system, and to treat as compromised any credentials that were stored there at any point in the last 10 months.