On the 13th of December, the cybersecurity firm FireEye released a threat analysis on a piece of malware that was released alongside SolarWinds' Orion platform. Orion is a piece of software that runs on your orgainzation's servers that monitors systems, apps, and whatever else you wanted to monitor at scale. This software was widely used, with thousands of customers worldwide, including the United States government. This is why the hack is worrying: the scale is astounding. The failure of SolarWinds to find this and prevent it from happening is what is the worst.

"The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications." claims FireEye, a leading cybersecurity company. FireEye was also affected by the SolarWinds hack, and they were the first to discover it on their own systems.

This type of attack is a "supply chain" attack, where the attacker targets a weak link in the deployment / development of a program. In this attack, the hackers discovered a way to gain access to the version control system that SolarWinds was using and injected their code there, where it was likely not to raise any concerns. Ironically, Greg W. Stuart from SolarWinds claimed that open source software carries more security risks. This attack would have not happened if this software were open source. Reviewers would have caught this problem before it got deployed to thousands of machines.

Similarly, we at Murillo prefer open-source software because it ensures that security holes are patched as fast as possible, and we will have an army of reviewers who will prevent issues like this from happening again.

Sources:

https://thwack.solarwinds.com/t5/Geek-Speak-Blogs/The-Pros-and-Cons-of-Open-source-Tools/ba-p/478665

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Previous Post Next Post