Update Advisory for APT Attacks on the SolarWinds Products

Risk:
high
Damage:
high
Platform(s):
Solarwinds Orion Products
Advisory ID:
ngCERT-2020-0028
Version:
N/A
CVE:
N/A
Published:
January 4, 2021

Summary


Following investigations into the Advanced Persistent Threat (APT) compromise of government critical national infrastructure and private-sector organizations, SolarWinds has released an updated advisory covering the SUNBURST backdoor and the SUPERNOVA backdoor, the latter discovered while investigating the recent SolarWinds Orion supply-chain attack. SUPERNOVA was likely deployed by a separate threat actor. Several research teams have reported the existence of two second-stage payloads since the initial disclosure of the SolarWinds attacks.

Description & Consequence


SUPERNOVA Malware

SUPERNOVA is not malicious code embedded within the builds of the Orion® Platform as a supply-chain attack. It is malware placed separately on a server by an attacker who already has unauthorized access to the customer's network, and it is designed to appear to be part of a SolarWinds product. The SUPERNOVA malware consists of two components. The first is a malicious, unsigned webshell DLL, "app_web_logoimagehandler.ashx.b6031896.dll", written specifically to run on the SolarWinds Orion Platform; because it is not part of a signed SolarWinds build, its missing Authenticode signature distinguishes it from the legitimate handler. The second is the exploitation of a vulnerability in the Orion Platform that enables deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.

SUNBURST Malware

SolarWinds was the victim of a cyberattack on its systems that inserted malicious code (the SUNBURST backdoor) into the Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. If present and activated, the backdoor could allow an attacker to compromise the server on which the Orion products run. This was a highly sophisticated supply-chain attack: an attack that tampers with a trusted build or distribution process so that downstream users of the software receive a compromised product. In this case, the backdoor appears intended for targeted use, since acting on it requires manual follow-on activity by the attacker.

Successful exploitation would allow the attackers to:

  • Monitor traffic on the affected organization's network systems;
  • Compromise the organization's information systems;
  • Gain access to network traffic management systems; and
  • Disconnect affected devices.

Solution


  1. SolarWinds asks ALL ORION PLATFORM CUSTOMERS to update their Orion Platform software as soon as possible to help ensure the security of their environment, by visiting https://support.solarwinds.com/
  2. Customers unable to upgrade at this time can install a script provided by SolarWinds that temporarily protects their environment against the SUPERNOVA malware. The script is available at https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip.
  3. All active maintenance customers of Orion Platform products, except those already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, should apply the latest updates for the version of the product they have deployed as soon as possible. These updates contain security enhancements, including those designed to protect against SUNBURST and SUPERNOVA.
  4. The latest updates designed to protect against SUNBURST and SUPERNOVA are as follows:
  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)
  • Visit https://www.solarwinds.com/securityadvisory for direct links to the hotfixes for these vulnerabilities.
  5. Report all incidents to ngCERT (https://cert.gov.ng) for support and technical advice.
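The following triage script is an added example, not code from ngCERT or SolarWinds. It applies the version lists above (SUNBURST-affected builds, patched builds, and the trains that need a SUPERNOVA patch) to an asset inventory, and flags the SUPERNOVA file indicator described under "SUPERNOVA Malware": an unsigned app_web_logoimagehandler DLL. Assumptions: the inventory reports versions in SolarWinds' own "YYYY.N[.N] [HF n]" form; the `signed` flag is the Authenticode verdict collected on each Windows host (for example with PowerShell's Get-AuthenticodeSignature) and is supplied here as constructed input; the hostnames, the sample versions and the tolerance for any hex compilation suffix on the DLL name are hypothetical.

```python
import re

# Version strings exactly as the advisory lists them.
SUNBURST_AFFECTED = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}
PATCHED = {"2019.4 HF 6", "2020.2.1 HF 2"}
SUPERNOVA_PATCH_TRAINS = {"2019.2", "2018.4", "2018.2"}
ADVISORY_URL = "https://www.solarwinds.com/securityadvisory"

# The advisory names app_web_logoimagehandler.ashx.b6031896.dll. The hex suffix
# is an ASP.NET compilation id, so (assumption) any suffix is matched here and
# the decisive attribute is the missing Authenticode signature, not the name.
SUPERNOVA_DLL = re.compile(r"^app_web_logoimagehandler\.ashx\.[0-9a-f]+\.dll$", re.I)


def normalize(version: str) -> str:
    """Canonicalise inventory spellings, e.g. '2020.2.1 hf2' -> '2020.2.1 HF 2'."""
    v = re.sub(r"\s+", " ", version.strip().upper())
    return re.sub(r"HF\s*(\d+)", r"HF \1", v)


def triage_version(version: str) -> str:
    """Map an Orion Platform version to the action the advisory prescribes."""
    v = normalize(version)
    if v in PATCHED:
        return "patched"
    if v in SUNBURST_AFFECTED:
        return "SUNBURST build: upgrade to 2019.4 HF 6 or 2020.2.1 HF 2 now"
    train = v.split(" ")[0]          # '2019.2 HF 1' -> '2019.2'
    if train in SUPERNOVA_PATCH_TRAINS:
        return f"apply the {train} SUPERNOVA patch"
    # Everything else is "active maintenance customer not on a patched build".
    return f"not on a patched build: update per {ADVISORY_URL}"


def triage_dll(filename: str, signed: bool):
    """SUPERNOVA file indicator: the handler DLL present without a valid
    Authenticode signature. `signed` is gathered on the host (constructed here)."""
    if SUPERNOVA_DLL.match(filename) and not signed:
        return "SUPERNOVA indicator: unsigned logo image handler DLL"
    return None


def triage(inventory, dlls):
    """inventory: iterable of (host, version); dlls: iterable of
    (host, filename, signed). Returns {host: [findings]}."""
    findings = {}
    for host, version in inventory:
        findings.setdefault(host, []).append(triage_version(version))
    for host, filename, signed in dlls:
        hit = triage_dll(filename, signed)
        if hit:
            findings.setdefault(host, []).append(hit)
    return findings


# Constructed sample inventory; hostnames and versions are hypothetical.
INVENTORY = [
    ("orion-01", "2020.2 HF 1"),      # SUNBURST-affected build
    ("orion-02", "2020.2.1 hf2"),     # patched, odd spelling
    ("orion-03", "2019.2 HF 1"),      # needs the 2019.2 SUPERNOVA patch
    ("orion-04", "2019.4 HF 4"),      # not listed as affected, still unpatched
]
DLLS = [
    ("orion-01", "app_web_logoimagehandler.ashx.b6031896.dll", False),
    ("orion-02", "app_web_logoimagehandler.ashx.b6031896.dll", True),
]

if __name__ == "__main__":
    for host, items in sorted(triage(INVENTORY, DLLS).items()):
        for item in items:
            print(f"{host}: {item}")
```

A host that is on a SUNBURST build and also carries an unsigned handler DLL (orion-01 in the sample) gets two findings and should be handled first; note that the DLL name alone proves nothing, since the legitimate compiled handler carries the same name, which is why the signature verdict is the input that matters.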
