This article follows our previous article on the Solarwinds cyber incident.
Solarwinds and the wider infosec community have recently become aware of a critical vulnerability in a Solarwinds software program. Details about the incident are rapidly evolving; however, preliminary investigations indicate that a sophisticated, state-sponsored threat actor group likely inserted the vulnerability (malicious code) into legitimate software to gain access to target organisations' systems.
Solarwinds is a managed services provider which provides software products to private and Government organisations globally.
Among other programs, Solarwinds provides a software product referred to as Orion. Orion allows IT teams to centralise the monitoring of devices on an internal network, to ensure that devices are connecting to the network correctly and do not exhibit signs of suspicious activity. Orion also allows organisations to roll out updates to devices uniformly.
A threat actor group installed malicious code in a legitimate update to Solarwinds’ Orion software.
The malicious code gave the threat actor group remote access to networks of organisations which installed an update to the Orion program between March and June 2020 (effectively, a “back door” into a network). The malware is designed to hide its activity as legitimate network traffic.
After lying dormant for a period of approximately 2 weeks, the malicious code executes commands which are capable of transferring files, starting programs, profiling an organisation’s system, disabling system services and rebooting machines.
While the scope of the compromise is not yet known, organisations which use Solarwinds' software products, specifically the Orion software product, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 should:
IT teams should also check the Dynamic Link Libraries (DLLs) of the Solarwinds Orion product against the file hashes listed here: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv.
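As an added example (not code from the article, from Solarwinds or from the FireEye repository), the following Python script hashes every DLL under an Orion install directory and reports any whose MD5, SHA-1 or SHA-256 digest appears in an indicator CSV. The CSV column names 'Indicator' and 'Notes' are assumptions, and the sample DLL and indicator list in `demo()` are constructed for the self-check.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

# Hex-digest length -> algorithm, so one IoC file may mix MD5, SHA-1 and SHA-256
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def load_hash_indicators(csv_text):
    """Return {hex_hash: note} from a CSV of file-hash indicators.
    Assumed column names: 'Indicator' (the hash) and an optional 'Notes'."""
    indicators = {}
    for row in csv.DictReader(csv_text.splitlines()):
        value = (row.get("Indicator") or "").strip().lower()
        if len(value) in HASH_ALGOS and all(c in "0123456789abcdef" for c in value):
            indicators[value] = row.get("Notes", "")
    return indicators

def file_digests(path, algos):
    """Read the file once and hash it with every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def scan_dlls(root, indicators):
    """Hash every .dll under root and return (path, algo, digest, note) hits."""
    algos = {HASH_ALGOS[len(h)] for h in indicators}
    hits = []
    for dll in sorted(Path(root).rglob("*.dll")):
        for algo, digest in file_digests(dll, algos).items():
            if digest in indicators:
                hits.append((str(dll), algo, digest, indicators[digest]))
    return hits

def demo():
    """Constructed self-check: a fake DLL whose SHA-256 is listed as an IoC."""
    with tempfile.TemporaryDirectory() as tmp:
        orion = Path(tmp) / "Orion"
        orion.mkdir()
        (orion / "Other.dll").write_bytes(b"unrelated constructed file")
        flagged = orion / "SolarWinds.Sample.dll"
        flagged.write_bytes(b"constructed sample, not a real Orion binary")
        sha = hashlib.sha256(flagged.read_bytes()).hexdigest()
        ioc_csv = "Indicator,Notes\n" + sha.upper() + ",constructed IoC\n"
        hits = scan_dlls(tmp, load_hash_indicators(ioc_csv))
    return [(Path(p).name, algo, note) for p, algo, _, note in hits]
```

Point `scan_dlls` at the real Orion installation directory and at the published indicator CSV; the script never modifies files, so it can run before containment decisions are made.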
Organisations which suspect they have been compromised as part of the incident also need to consider the residual privacy implications of the Orion compromise, i.e. you will need to assess whether the incident amounts to an 'eligible data breach' under the Privacy Act in Australia and, where applicable, under other data protection laws around the world.
Affected organisations and Government agencies should continue to monitor the advisories for further details on how to respond.
We commend the ACSC, DPC VIC and wider infosec community for leading the national/whole of Government response to this incident and for providing real time updates on the impact to Government agencies and the private sector.
The following sources provide additional information which may help you identify indicators of compromise in your environment:
Clyde & Co has the largest cyber incident response practice in Australia and New Zealand and works with our global offices to provide a full incident response service.
Our specialist team have dealt with a number of the largest and most complex incidents in the Asia Pacific region to date. This includes advising on 1,000+ data breach, ransomware and cyber-related incidents impacting a wide range of industries.
Our team provides expert advice on how to identify compliance risks, navigate the crisis response and respond to data protection issues across the full cyber incident lifecycle. This includes advising on:
Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on: