FireEye published their analysis of what turned out to be a global intrusion campaign, a supply chain attack "trojanizing" SolarWinds Orion software updates performed by an advanced and sophisticated threat actor and that distributes a backdoor dubbed SUNBURST.
Read the Complete Alert
The FireEye Hack
FireEye published their analysis of what turned out to be a global intrusion campaign, a supply chain attack "trojanizing" SolarWinds Orion software updates performed by an advanced and sophisticated threat actor and that distributes a backdoor dubbed SUNBURST.
The SolarWinds supply chain attack affects 18,000 organizations across the globe. According to Forbes, SolarWinds is a major contractor for the U.S. government, with regular customers including CISA, U.S. Cyber Command, the Department of Defense, the Federal Bureau of Investigation, the Department of Homeland Security, and many others. The SolarWinds security breach has already been linked to hacks at U.S. security firm FireEye, the U.S. Treasury Department, and the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA).
"The SolarWinds Orion platform hack is slowly turning out to be one of the most significant hacks in recent years.”
- ZDNet
What Is A Supply Chain Attack?
A supply chain attack is a cyberattack that seeks to damage an organization by targeting less secured elements in the supply network. In 2013, Target, a US retailer, was hit by a data breach that saw 40 million customer credit and debit card information leaked when malware was introduced into their point of sale system in over 1,800 stores. It is believed, although not officially confirmed, that cybercriminals infiltrated into Target’s network using credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems.
During the spring of 2017, a Ukrainian accounting software firm had its servers seized by the Ukrainian police. The firm was unwittingly helping to spread the notorious NotPetya malware via a malicious update to its accounting software, M.E.Doc. Hackers seemed to have breached the company’s computer systems and compromised the software update.
"Trojanized Orion"
On Sunday, SolarWinds published a press release admitting to a breach by a sophisticated actor who found a way to inject malicious code in SolarWinds’ Orion IT monitoring and management software. The malicious code got distributed to many government and high-profile organizations through SolarWinds’ website as part of software update packages. The digitally signed SolarWindows.Orion.Core.BusinessLayer.dll plugin module contained backdoor code hiding in plain sight by using fake variable names and tying into legitimate components and gets loaded and invoked by the Orion software framework. The malicious plugin module is tracked as SUNBURST by FireEye and Solorigate by Microsoft.