SolarWinds Orion Cyber-Attack: Uncovering the 2020 Catastrophic Bug

SolarWinds Orion Cyber-Attack

2020 was a tough year for SolarWinds: its Orion network-monitoring platform was used to deliver a trojaned update to customers, and the evidence shows the intrusion into SolarWinds began more than a year before it was discovered.

On 13 December 2020, FireEye publicly disclosed a supply-chain attack in which trojaned SolarWinds Orion updates delivered malware to organisations across North America, Europe, Asia and the Middle East. SolarWinds estimated that fewer than 18,000 customers, including government agencies and IT organisations, had installed the affected update; the attacker then chose a much smaller subset of those victims for follow-on intrusion.

Investigations showed that the threat actor had access to SolarWinds' environment from September 2019, tested a benign code modification in the Orion build in October 2019, and in February 2020 inserted the malicious code into Orion builds that shipped to customers through the normal update mechanism from March 2020. Separately, a researcher had found in 2019 that the password for a SolarWinds update server, 'SolarWinds123', was exposed in a public GitHub repository; SolarWinds attributed this to an intern and has never confirmed that the credential was the attacker's way in.

[Figure: SolarWinds Orion attack timeline overview; dates in American notation (mm/dd/yyyy)]

Because the malicious code was compiled into Orion's normal build, SolarWinds signed the altered update with its own code-signing certificate and distributed it through its regular update channel. The backdoor, dubbed 'SUNBURST' by FireEye, went unnoticed for months: anti-virus products trusted what looked like a legitimate, digitally signed SolarWinds component.

Once a customer installed the update, the backdoored library (SolarWinds.Orion.Core.BusinessLayer.dll) ran inside the Orion server process. It stayed dormant for up to two weeks before contacting its command-and-control infrastructure, after which it could run commands FireEye called 'Jobs': transferring and executing files, profiling the system, rebooting the machine and disabling system services. It went undetected for months because its command-and-control traffic was disguised as the Orion Improvement Program protocol that Orion servers legitimately send, and because it checked the host for known security and analysis tools and stayed inactive if it found them.
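SUNBURST's first-stage beacons went to subdomains of avsvmcloud.com of the form <encoded-victim-id>.appsync-api.<region>.avsvmcloud.com, using one of four AWS-looking region labels. The following detection script is an added example, not code from the original article or from SolarWinds, FireEye or Trustwave. It parses constructed DNS-query log lines (the format, the sample lines and the minimum label length of 10 characters are assumptions for the example) and flags queries matching that pattern; adapt the parser to your resolver's real log format.

```python
"""Flag DNS queries matching the SUNBURST first-stage C2 naming pattern.

Added example (not from the original article or from any vendor). Assumes a
simple text log, one query per line: '<timestamp> <client-ip> <queried-name>'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SUNBURST beaconed to <encoded-victim-id>.appsync-api.<region>.avsvmcloud.com,
# with <region> being one of the four labels below. The minimum label length
# of 10 characters is an assumption made for this example, not a documented
# property of the malware.
SUNBURST_C2_RE = re.compile(
    r"^(?P<label>[a-z0-9]{10,})\.appsync-api\."
    r"(?P<region>eu-west-1|us-east-1|us-east-2|us-west-2)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    region: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one constructed log line into (timestamp, client, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def find_sunburst_queries(log_lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose queried name matches the C2 pattern."""
    hits: List[Hit] = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot parse rather than fail the whole run
        ts, client, qname = parsed
        m = SUNBURST_C2_RE.match(qname)
        if m:
            # strip a trailing dot so the reported name is consistent
            hits.append(Hit(ts, client, qname.rstrip("."), m.group("region").lower()))
    return hits


# Constructed sample log lines, not real captured traffic. The long leading
# labels are made up and are not real encoded victim identifiers.
SAMPLE_LOG = [
    "2020-06-02T10:15:01Z 10.20.30.40 downloads.solarwinds.com",
    "2020-06-02T10:15:07Z 10.20.30.40 r1q2w3e4r5t6y7u8i9o0.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-02T10:16:12Z 10.20.30.41 appsync-api.us-east-1.amazonaws.com",
    "2020-06-02T10:17:30Z 10.20.30.42 k0j9h8g7f6d5s4a3z2x1.appsync-api.us-east-2.avsvmcloud.com.",
    "malformed line",
]

if __name__ == "__main__":
    for h in find_sunburst_queries(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} -> {h.qname} (region label {h.region})")
```

Only the second and fourth sample lines match: the amazonaws.com query uses the same "appsync-api" label but a different parent domain, and the malformed line is skipped rather than treated as an error. In practice, any resolution of avsvmcloud.com from a server after March 2020 is worth investigating, whatever the subdomain; the domain has since been sinkholed.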

As the investigation continued, FireEye tracked the threat actor behind the intrusion as 'UNC2452'. In April 2021 the US government publicly attributed the campaign to Russia's Foreign Intelligence Service (SVR).

SolarWinds released Orion updates that removed the backdoor, but further severe vulnerabilities were then discovered by Martin Rakhmanov, a Security Research Manager at Trustwave SpiderLabs.


“Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system” - Martin Rakhmanov

Rakhmanov found three vulnerabilities. Two were in Orion: an unauthenticated remote code execution flaw in its use of MSMQ (Microsoft Message Queuing), where the queue accepted messages from anyone and the service processing them ran as LocalSystem (CVE-2021-25274), and a flaw that let a local user decrypt the Orion database credentials, which carry administrative privileges (CVE-2021-25275). The third was in SolarWinds' Serv-U FTP server (CVE-2021-25276): any local user could add an administrative Serv-U account whose home directory was set to the root of the system drive, giving read, transfer and replace access to any file on it.

Trustwave SpiderLabs disclosed the newly discovered vulnerabilities to SolarWinds on 30 December 2020, and by 25 January 2021 SolarWinds had rolled out patches for all three.


Your Security is our Priority

Your friendly Support Team


Speak to us about all your computer needs

This is part of our Cyber Security awareness educational campaign. Through this training you will learn the key principles and best practices for protecting yourself, your organisation and the public from cyber attackers, and how to identify potential threats and act before any damage can occur.
