FireEye Identifies SolarWinds Malware Security Breach

FireEye describes a killswitch for the SolarWinds malware as victims scramble to respond.

The White House National Security Council forms a unified group to coordinate the federal threat response.

FireEye, which last Saturday disclosed a compromise of network software vendor SolarWinds that may have let an unknown intruder distribute malware to potentially a thousand organizations, has found a killswitch that it says could prevent the malware from running on compromised networks.

The killswitch would not, however, remove the threat from victims' networks if the attackers have already established additional persistence mechanisms, the security vendor said.

FireEye said on Sunday that its investigation into a breach of its own network last week revealed that a threat actor had widely distributed a backdoor, dubbed SUNBURST, inside legitimate updates to SolarWinds' Orion network management technology.

SUNBURST (SolarWinds.Orion.Core.BusinessLayer.dll) is a first-stage foothold that the attackers used to drop additional payloads on compromised networks, FireEye said. The sophistication, nature and precision of the attack had all the hallmarks of a nation-state-sponsored actor, the vendor said. FireEye currently tracks the threat actor as UNC2452 but says it has not yet been able to determine whether, and under what name, the group is already known.

Some reports have attributed the attack to Russia, as have some intelligence analysts and members of Congress who had been briefed in classified sessions.

FireEye has released indicators of compromise (IoCs) and other data to help organizations identify and mitigate the threat. SolarWinds has published updates, including a hotfix today, to resolve the problem in all affected versions of its technology. Since the breach was revealed, Microsoft and several other anti-malware vendors have also added detections for the malicious DLL that FireEye found was used to distribute SUNBURST.

A Successful Killswitch in Some Circumstances

On Monday, a FireEye spokesperson said the company's research into SUNBURST showed that the malware would not execute under certain conditions. "Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections."

According to FireEye, the killswitch is effective against new and previous SUNBURST deployments that are still beaconing to the malware's command-and-control domain, avsvmcloud[.]com. "However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor."

In those circumstances the killswitch will not evict the threat actor from an infected network, but it could make it harder for them to use the versions of SUNBURST already distributed, FireEye said.
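To show the detection side of the killswitch behaviour described above, here is an added Python example (not FireEye's, GoDaddy's or SolarWinds' code) that triages constructed DNS resolver log lines for lookups of the C2 domain named in the article. The log format, the subdomain labels and the `KILLSWITCH_RANGES` value are assumptions: the article does not list the address ranges that make the malware terminate, so a TEST-NET placeholder stands in for them.

```python
import ipaddress
import re

C2_DOMAIN = "avsvmcloud.com"  # SUNBURST's C2 domain, as named in the article

# PLACEHOLDER for the resolver answers that make SUNBURST terminate itself; the
# article does not list them, so TEST-NET-1 stands in purely for illustration.
KILLSWITCH_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed (constructed) log format: "<ts> <client_ip> query <qname> answer <rdata>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+answer\s+(\S+)$")

# Constructed sample resolver log; the subdomain labels are made up, not real beacons.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.0.5.21 query www.example.com answer 93.184.216.34
2020-12-14T10:03:11Z 10.0.5.42 query host01abc.avsvmcloud.com answer 192.0.2.7
2020-12-14T10:04:50Z 10.0.5.77 query host02xyz.avsvmcloud.com answer 198.51.100.9
2020-12-14T10:05:00Z 10.0.5.21 query avsvmcloud.com.evil.example answer 203.0.113.5
"""

def parse_dns_log(text):
    """Yield (ts, client, qname, rdata) tuples; lines not matching the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def is_c2_domain(qname, domain=C2_DOMAIN):
    """Label-aware suffix match: the domain itself or a subdomain of it, but not a
    look-alike such as 'avsvmcloud.com.evil.example'."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)

def triage(log_text):
    """One finding per C2 lookup. Any lookup means the backdoored DLL executed on
    that client; an answer inside KILLSWITCH_RANGES only means that beacon was
    neutralised, not that the host is clean (the article's caveat)."""
    findings = []
    for _ts, client, qname, rdata in parse_dns_log(log_text):
        if not is_c2_domain(qname):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:  # non-address answer such as a CNAME: still a C2 lookup
            addr = None
        neutralised = addr is not None and any(addr in net for net in KILLSWITCH_RANGES)
        verdict = "beacon_neutralised" if neutralised else "beacon_live"
        findings.append({"client": client, "qname": qname, "verdict": verdict})
    return findings
```

Every client that appears in the output resolved the C2 domain and therefore ran the backdoored DLL; the verdict only distinguishes a neutralised beacon from a live one, so both cases warrant the same host investigation.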

The killswitch was announced amid great concern over the potential scale and impact of the SolarWinds intrusion, which FireEye discovered last week while investigating the breach of its own network.

Obama-Era Presidential Directive

On Monday, a Unified Coordination Group (UCG) was formed to coordinate the federal threat response, as stipulated in PPD-41, an Obama-era directive, the White House National Security Council (NSC) said on Thursday. The PPD-41 mechanism "facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate, and respond to this incident," the NSC said. Earlier on Monday, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive ordering all federal civilian agencies to immediately power down and disconnect their instances of SolarWinds Orion, the network management product abused by the attacker.

Much of the concern centers on the ultimate scope and consequences of the breach. In addition to thousands of managed service providers, SolarWinds supplies network management technology to the majority of federal agencies, all five military branches and virtually all Fortune 500 firms.

The Orion network management platform gives SolarWinds deep access to some of the world's largest and most sensitive networks. Many suspect that, by poisoning legitimate Orion updates with the SUNBURST malware, the attackers were able to gain what some call "God-mode access" over the affected networks. Federal agencies including the US Treasury, Homeland Security, the Department of Justice and the Department of State are thought to have been affected by the breach.

Researchers at Huntress Labs, who earlier this year confirmed zero-day exploitation of a different SolarWinds product, N-central, said on Thursday that they had compiled a list of more than 4,000 domains and subdomains linked to the DLL. Huntress Labs' review of the available data found the backdoored DLL on 500,000 systems, but only within the Orion product.

According to the vendor, the malicious DLL can be installed on a system's file system by three separate programs and in 12 different locations. The vendor emphasized that the DLL's presence alone does not demonstrate a compromise.

SolarWinds Vulnerabilities

SolarWinds has not yet disclosed how the intruder gained enough access to its networks to insert malware into the company's legitimate software updates. The company has said that its preliminary investigation points to a compromise of the SolarWinds build system.

Data from the MITRE CVE vulnerability database shows that researchers have disclosed 23 vulnerabilities in SolarWinds technologies this year alone. Many of them, including six disclosed in August, were in N-central, a remote monitoring technology from SolarWinds.

Incidents like this highlight the value of good vendor security risk management practices, says Daniel Trauner, director of security at Axonius. Organizations should consult public examples of vendor security questionnaires, such as Google's VSAQ, to get a sense of what to focus on, he said.

At the same time, the amount of vetting that one can do is minimal, he said.

"There are typically realistic limitations for this model, even though larger, more mature companies have structured change control processes designed to mitigate the risk of changing existing accesses or systems. The main emphasis will be on a subset of critical systems and on such evolving elements as highlighting any privileged access updates, or checking system reliability after a patch has been applied.

"Unfortunately, there are likely no reasonable routine checks that would have been part of a change management process that would have caught this backdoored SolarWinds update," he says.

The SolarWinds incident has underscored the dangerous exposure of US federal agencies to supply chain risk, says Jacob Olcott, BitSight's vice president of marketing and public relations.

He says government agencies rely on a broad supply chain of third parties with little visibility into the security posture of critical providers. Current approaches do not address the risk sufficiently, and major improvements are required in both the thinking and the technical approach to supply chain security.

"For the last five years, adversaries have been able to access valuable personal information, sensitive intellectual property, trade secrets, and other critical national security information by penetrating the government's supply chain."

"It must integrate cybersecurity into all contracts, placing requirements on contractors to meet certain cybersecurity standards."

Cybersecurity firm FireEye is down more than 12 percent today after it announced a hack of its data and tools. David Kennedy, TrustedSec founder and CEO and a former NSA and Marine Corps hacker, joins 'Power Lunch' to discuss the hack and what is known so far.