Authorities worldwide caution against use of IT management tool Orion
Global cybersecurity authorities have issued warnings after a supply chain attack on a US software provider was deemed responsible for last week’s FireEye hack.
Cyber threat detection firm FireEye last week revealed it had suffered an attack on its systems resulting in the theft of its red team tools.
The company blamed nation-state hackers for the incident, as the security community was dogged by rumors that Russian cybercrime gang APT29 – or Cozy Bear – was responsible.
APT29 is a hacking group that’s separately been linked to one or more Russian intelligence agencies, specifically the Foreign Intelligence Service (SVR) and Federal Security Service (FSB).
The FireEye incident, which made global headlines last week, has now been established as the result of a supply chain attack spread via a trojan lurking within SolarWinds’ Orion software.
A hotfix has been released, with a further patch expected tomorrow (December 15).
Centralized monitoring and management tool Orion is typically used to track servers, workstations, mobiles, and IoT devices across an enterprise’s network.
In addition to several US government customers and all five branches of the US military, 425 of the US Fortune 500 also used SolarWinds’ services.
Hundreds of colleges and universities worldwide are also counted among the firm’s customers.
Notable SolarWinds clients include several US federal agencies including the Pentagon, NASA, the Department of Justice, and the Office of the President of the United States.
Although there was suggestion that the incident had targeted US federal agencies in particular, multiple government cybersecurity centers from across the globe also took the opportunity to warn their own citizens.
The New Zealand Computer Emergency Response Team (CERT NZ) advised SolarWinds users to apply the hotfix and to “consider isolating these servers immediately… ensuring no internet egress is permitted until the servers can be patched and secured”.
The agency, which also said it has been in discussions with its international partners, also said SolarWinds customers should also change the passwords to any infrastructure accessible by Orion servers as an additional precaution.
The UK’s National Cybersecurity Centre (NCSC) said today (December 14) that it is “working closely” with FireEye and its “international partners” on the incident.
A spokesperson added: “Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact.
“The NCSC recommends that organizations read FireEye’s update on their investigation and follow the company’s suggested security mitigations.”
Meanwhile the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive directing all US federal agencies to review their networks for signs of compromise and disconnect all SolarWinds products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA acting director Brandon Wales.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners – in the public and private sectors – to assess their exposure to this compromise and to secure their networks against any exploitation.”
It is believed that the supply chain attack campaign, which is still ongoing, could have begun as early as spring 2020.
Cybersecurity journalist Kim Zetter tweeted: “The hackers did this back in March and their activity was only recently discovered – this means they have been inside gov [government] systems all these months stealing data and spying on gov workers without anyone knowing until now.
“They also infected telecoms and other company networks.”
Experts at FireEye have said that hackers gained access to victims’ networks via a trojan injected into updates to SolarWinds’ Orion IT monitoring and management software.
After compromising SolarWinds’ networks, hackers injected malicious code into the software’s trusted code. This opened a backdoor, alerting perpetrators that they had access.
Following this, the malicious actors were able to gain access to SolarWinds’ clients’ systems and steal data.
The trojanized malware is being tracked by FireEye as ‘Sunburst’. A more detailed report on how the malware operates can be found on FireEye’s blog.