One of the first things that happened when the SolarWinds breach was disclosed in mid-December is that enterprises began taking their Orion servers offline. This was predictable. But what wasn’t expected is that more Orion servers would be online now than before the disclosure.
Data compiled by Censys, a firm that continuously monitors the Internet, shows that on Dec. 15, two days after the breach was made public, there were about 1,400 Orion servers exposed to the Internet. That number began to drop steadily a few days later and hit a low of about 1,220 on Dec. 28, but as the new year approached, the numbers began to rise quickly. By Monday, there were 1,551 Orion servers online, 10 percent more than there had been at the time of the breach disclosure.
That’s concerning for several reasons, not the least of which is the fact that Orion is an internal IT monitoring tool that’s not necessarily meant to be exposed to the Internet. The reason for the uptick in Orion servers online is not immediately obvious, but Censys researchers hypothesized that it could be the result of simple operator error.
“If we look at all of 2020 we could think that maybe there were fewer servers online before COVID, and once that happened people needed remote access, so they put it online. But after the breach, we would’ve expected it to return to the pre-breach baseline, not to shoot up past it,” said Derek Abdine, CTO of Censys.
“This could just be misconfigurations, people taking the servers offline, patching them, maybe changing the port, and then putting them back up.”
Interestingly, Abdine said the data shows a broad distribution of ports on which Orion is running, showing that enterprises may be trying to use non-standard ports as a small bit of camouflage. Censys’s data showed 62 individual ports hosting Orion instances on Monday.
“That lends more credence to the idea that these are probably misconfigurations,” Abdine said.
SolarWinds has tens of thousands of customers, and the company said after the breach that around 18,000 of them had downloaded a malicious update for Orion that was created by attackers who had compromised the company’s internal systems. That update contained a backdoor that enabled the attackers to gain access to customers’ networks, as well. On Tuesday, several federal government agencies, including the FBI and CISA, said that the adversary behind this operation was “likely Russian in origin”. The agencies have formed a task force known as the Cyber Unified Coordination Group, which is handling the response and remediation of the attacks for government agencies.
“The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the statement says.
On Wednesday, the Department of Justice released a statement saying that it was among the federal agencies involved in the SolarWinds compromise. Other known government victims include the Department of the Treasury and the Department of Commerce. The Justice statement said it detected malicious activity related to the SolarWinds update on Dec. 24.
“This activity involved access to the Department’s Microsoft O365 email environment. After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” the statement says.