Why the SolarWinds hack matters

by | Dec 14, 2020 | Cybersecurity, DFIR, Hack, Information Technology, InfoSec, TL;DR;

Maybe you saw the news on the SolarWinds hack. If you didn’t, you should follow me on Twitter: https://twitter.com/TristanDostaler

In this post I want to explain, in a way understandable by everyone, why this hack matters.

What is SolarWinds Orion

SolarWinds is a US based company. They have clients worldwide. One of the products they offer is Orion. This tool does a lot of things, but the main feature that interest us is that it provides the ability to monitor your infrastructure. To do this, you need to install the Orion agent on one of your servers. This agent is installed with high privileges and is able to login on most of your infrastructure to gather metrics like CPU, RAM, etc.

What’s the hack

At the moment I am writing these lines, it is unclear how SolarWinds got hacked. What we know is that it was perpetrated by an APT (Advanced Persistent Threat, a term used to describe high profile malicious hacker groups) probably backed by Russia. In other words, they got hacked by a highly skilled group of hackers with deep pockets.

Once inside SolarWinds network, the APT added a malware inside the Orion software that was then pushed to all the agents world wide. The malware was now alive inside many thousands (an estimate says 18 000+) public and private enterprises in all continents. This is what we call a “supply chain attack“.

SolarWinds provided an update that removes the malware from the code. You should make sure to apply it ASAP if you don’t already have it.

Why it matters

This impressive hack matters because now all companies that uses Orion needs to verify if they received the bad update. And if so, they need to check if the malware was used maliciously in their network.

To phrase it differently, because of a single hack, the malicious actor was able to infiltrate multiple thousands companies. Quite impressive and scary.

The good news

The good news is that at this point this hack was used by the Russian APT only to attack specific targets (like FIreEye). In other words, you probably were affected but the malicious actor probably did not use the malware to attack you (unless you are a high profile target, in which case you’re probably aware of this threat? At least I hope…).

The other good news is that the firm FireEye published IOCs that can be used to verify if the malware was used in your network. The IOCs are available here: https://github.com/fireeye/sunburst_countermeasures

And many threads on Twitter

Feel free to leave your comment down here for any questions or comments.


See more Posts: