CASE: SOLARWINDS ORION

Written on 28 Jan 2022 by Gerard Janssen, and updated on 13 Dec 2024 by Serena de Pater

The case

On December 8, 2020, FireEye announced that the company had fallen victim to a hack. FireEye is a privately held cybersecurity company headquartered in Milpitas, California. The company provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

The exploit

The attackers took advantage of a backdoor in Orion, a software package from the company SolarWinds. SolarWinds’ Orion system provides centralized monitoring across an organization’s entire IT stack.

The Impact

A few days later, it turned out that FireEye was not the only victim. The attack had been going on for months and had hit many other major companies, including Microsoft, Cisco, Intel, Nvidia, VMware, Deloitte, Malwarebytes, and various US government agencies.

According to a statement by SolarWinds, the hackers had already gained access to SolarWinds’ software development system in October 2019. They inserted a vulnerability, dubbed SUNBURST, into Orion software updates that customers installed in the spring of 2020. SolarWinds said it notified 33,000 customers, among them US government agencies, major private corporations, and Fortune 500 businesses.

While analyzing the attack, security researchers from Symantec, Palo Alto Networks and GuidePoint found another backdoor, called ‘Supernova’, likely coming from a different threat actor. This vulnerability (CVE-2020-10148) was also used by attackers to deliver malware.

What we did

DIVD scanned for Supernova and found around 700 vulnerable SolarWinds Orion systems exposed to the internet worldwide, including systems of foreign defence units and satellite communication. Eight of these systems used IP addresses from the Netherlands. DIVD sent out the first notifications on 30 December 2020.

What you can do

Deploy the hotfix that is available for your Orion version. Don’t expose the management interface to the public internet.

More information