ACSC warns of SolarWinds Orion compromise

By Dylan Bushell-Embling
Thursday, 17 December, 2020

The Australian Cyber Security Centre has issued a threat alert related to a global intrusion campaign as a result of updates to SolarWinds Orion network monitoring and management software.

The attack campaign, first identified by FireEye, involves a backdoor allegedly inserted in the downloads page for SolarWinds' Orion Windows monitoring platform.

According to the FireEye advisory, attackers have gained access to numerous public and private organisations around the world via trojanised updates to the software in a campaign which appears to have begun as early as the northern hemisphere's Spring 2020.

Investigations have discovered the use of a previously unseen memory-only dropper FireEye has named Teardrop to deploy the Cobalt Strike Beacon malware on compromised systems.

SolarWinds has confirmed the company has been made aware of a vulnerability, which the company said it believes is the result of a sophisticated, targeted attack by a nation state. Reports indicate that the attack may have been carried out by the notorious Russian hacking group Cozy Bear.

The ACSC is urging organisations running SolarWinds Orion software to follow the advice of FireEye and SolarWinds, which includes applying a new patch or ensuring Orion servers are isolated by limiting the ports and connections to only what is necessary, and disabling internet access to Orion servers.

In its own advisory, the US Department of Homeland Security has directed US agencies to go further and forensically image system memory and/or host operating systems hosting all instances of the compromised software, analyse stored network traffic for indications of compromise and immediately disconnect or power down all unpatched compromised versions from their network.

Image credit: ©stock.adobe.com/au/monsitj