Trojan in SolarWinds security has far-reaching impact

With many government agencies and nearly all of the Fortune 500 as customers, the SolarWinds breach is very wide-ranging and very dangerous.

V-Graphix / Getty Images

SolarWinds says a compromise of its widely used Orion network-monitoring platform endangers the networks of public and private organizations that use it and that the problem should be remediated right away.

In a security advisory, SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected in the next day or two.

The company's managed services tools appear not to be compromised, and the company said it is not aware of any similar problems with its non-Orion products, such as RMM, N-Central and the SolarWinds MSP products.

FireEye, which discovered the compromise, said it has updated its scanning software to watch for known altered SolarWinds Orion binaries. In addition, Microsoft said its Defender security software has been updated to detect the malicious code, and it has issued its own security guidance along with extensive research on the Trojan causing the problem.

FireEye’s CEO Kevin Mandia wrote in his blog that the attack was likely carried out by a nation. “The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” he wrote. He did not identify the actors, but Reuters said it was the work of Russian hackers.

Orion is part of the SolarWinds suite of network and computer management tools that includes monitoring capabilities and the ability to automatically restart services. The compromise means the attackers can bypass the security, install malicious content and restart infected systems without anyone knowing it.

The company says it has over 300,000 customers, including more than 425 of the U.S. Fortune 500, all of the top telecom, consulting, and accounting firms, the Pentagon, the State Department, the National Security Agency, the Department of Justice, and the White House. The company has 33,000 Orion customers.

Meanwhile, the federal watchdog Cybersecurity and Infrastructure Security Agency (CISA) issued a directive to federal agencies calling for them to immediately disconnect or power down Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. Agencies are prohibited from rejoining enterprise domains until CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package.
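As an added example, not part of the article or of CISA's directive, the following Python script shows how a defender could screen an inventory of Orion hosts against the version range the directive names, 2019.4 through 2020.2.1 HF1 inclusive, to produce a disconnect list. It assumes versions are recorded in the string form the article uses (a dotted release number optionally followed by a hotfix tag such as "HF1" or "HF 1"); that format, the host names and the versions in the sample inventory are all constructed for the example, and entries the parser does not understand are flagged for manual review rather than silently passed.

```python
import re
from typing import List, Tuple

# Affected range exactly as the CISA directive quoted above states it.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# Assumed version format: dotted release number, optionally followed by a
# hotfix tag ("HF1" or "HF 1"). This mirrors the strings the article uses;
# it is not a documented SolarWinds format.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2020.2.1 HF1' into a comparable tuple (2020, 2, 1, 1).

    The release part is padded to three numeric fields so that '2020.2'
    sorts as 2020.2.0; a missing hotfix tag counts as hotfix 0.
    Raises ValueError for strings that do not match the assumed format.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    if len(release) > 3:
        raise ValueError(f"too many release fields: {text!r}")
    release += [0] * (3 - len(release))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (release[0], release[1], release[2], hotfix)


def is_affected(version: str) -> bool:
    """True when the version falls inside the directive's range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("orion-01.corp.example", "2019.4"),        # lower bound of the range
    ("orion-02.corp.example", "2020.2"),        # inside the range
    ("orion-03.corp.example", "2020.2.1 HF 1"), # upper bound, spaced hotfix tag
    ("orion-04.corp.example", "2019.2"),        # below the range
    ("orion-05.corp.example", "2021.1"),        # hypothetical later release
    ("orion-06.corp.example", "unknown"),       # inventory gap, cannot be parsed
]


def hosts_to_isolate(inventory) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts to disconnect and hosts needing manual review.

    A version string that cannot be parsed is never treated as safe; it is
    returned in the second list so someone checks the host by hand.
    """
    flagged, unparsed = [], []
    for host, ver in inventory:
        try:
            if is_affected(ver):
                flagged.append(host)
        except ValueError:
            unparsed.append(host)
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = hosts_to_isolate(SAMPLE_INVENTORY)
    for h in flagged:
        print(f"DISCONNECT {h}")
    for h in unparsed:
        print(f"REVIEW MANUALLY {h} (version string not understood)")
```

The comparison is an inclusive range check on a normalised tuple, so "2020.2.1 HF 1" and "2020.2.1 HF1" are treated as the same build and "2020.2" is placed between "2019.4" and "2020.2.1". Unparseable entries are deliberately kept out of the "safe" set, since an inventory gap is exactly where a compromised host would hide.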

CISA also ordered that all traffic to and from hosts outside the enterprise on which any version of the SolarWinds Orion software is installed be blocked. It further ordered that all non-military government systems running the Orion software be shut down, and that the compromised computers be disconnected from the rest of the network by noon Monday. That was before the fix for the problem was issued.

FireEye and Microsoft have both examined the Trojan and determined that around March of this year someone managed to modify the SolarWinds Orion software during the build process. The modification included a sophisticated Trojan program, designed to remotely control any computer that had SolarWinds Orion installed.

When customers installed the latest Orion update, the Trojan was also installed. This is referred to as a “supply chain attack,” because it came through the trusted SolarWinds supply chain.

According to analysis, the Trojan would wait 12 to 14 days, then communicate with a command-and-control server, where it could install additional software and perform other tasks, including accessing an Active Directory service or monitoring network traffic.

Copyright © 2020