In one of the more audacious and potentially damaging intrusions in recent memory, attackers were able to create a malicious update for the widely deployed SolarWinds Orion enterprise monitoring platform that was then downloaded and installed by an untold number of customers, including government agencies, technology companies, financial firms, and others around the world.
The attack, disclosed Sunday, could have far-reaching effects for enterprises and government agencies alike, as the attackers had high-level access to many of the compromised organizations for several months. In an 8-K filing Monday, SolarWinds said it believes "fewer than 18,000" customers may have installed the malicious update.
“The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye said in its analysis of the attacks.
The first known-malicious update for Orion was deployed in March and the last one was released in June. SolarWinds has released a new update, and the Cybersecurity Infrastructure and Security Agency published an emergency directive requiring federal civilian agencies to take immediate action to disconnect hosts running the compromised software and report any incidents to CISA by noon Monday.
“Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain,” the CISA directive says.
The SolarWinds Orion IT monitoring platform is used widely in enterprise environments and the company’s customer list essentially reads like the Fortune 500. It also lists many federal agencies as customers, including NASA, NSA, the Department of State, and the Office of the President of the United States. How the attackers were able to build a malicious update for Orion and get it hosted on the company’s update server is the big question in this operation, which could have repercussions for months and years to come. In the 8-K filing with the Securities and Exchange Commission Monday, SolarWinds said the vulnerability "was introduced as a result of a compromise of the Orion software build system". Microsoft's analysis reached the same conclusion.
“Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll. This backdoor can be distributed via automatic update platforms or systems in target networks seen globally since March 2020,” an analysis by the Microsoft Security Response Center says.
“Once the certificate has been acquired, the actor can forge SAML tokens with whatever claims and lifetime they choose."
“While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code executes. Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected. The attackers have compromised signed libraries that used the target companies’ own digital certificates, attempting to evade application control technologies. Microsoft already removed these certificates from its trusted list.”
This type of supply chain attack is not nearly as common as other forms of attack, mainly because it is quite difficult to accomplish. But when such an operation succeeds, the results can be devastating. The most well-known example is the attack on M.E. Doc, a software firm in Ukraine, in 2017. In that intrusion, the attackers had stolen administrator credentials and were able to load a trojanized update. That incident eventually led to the NotPetya attack that affected a large number of Ukrainian companies. The SolarWinds attack could have much broader effects, given the composition of the company’s customer base and the level of access the attackers had to the compromised organizations. Microsoft’s analysis found that the attackers were able to forge SAML tokens using stolen SAML signing certificates.
“Once the certificate has been acquired, the actor can forge SAML tokens with whatever claims and lifetime they choose, then sign it with the certificate that has been acquired. By doing this, they can access any resources configured to trust tokens signed with that SAML token signing certificate. This includes forging a token which claims to represent a highly privileged account in Azure AD,” Microsoft said.
Among the known victims of the intrusion are the Department of the Treasury and the Department of Commerce, and Reuters reported Sunday that the incident caused a meeting of the National Security Council over the weekend. For enterprises running the compromised versions of Orion, the recommendations in the CISA advisory are applicable in most cases. The agency recommends organizations forensically image the memory and OS of affected machines and look for new user or service accounts. Both FireEye and Microsoft have released indicators of compromise for these intrusions.