SolarWinds Orion Supply Chain Attack


December 15, 2020 12:00 AM

FireEye published its analysis of what turned out to be a global intrusion campaign: a supply chain attack by an advanced and sophisticated threat actor that "trojanized" SolarWinds Orion software updates to distribute a backdoor dubbed SUNBURST.


The FireEye Hack


The SolarWinds supply chain attack affects 18,000 organizations across the globe. According to Forbes, SolarWinds is a major contractor for the U.S. government, with regular customers including CISA, U.S. Cyber Command, the Department of Defense, the Federal Bureau of Investigation, the Department of Homeland Security, and many others. The SolarWinds security breach has already been linked to hacks at U.S. security firm FireEye, the U.S. Treasury Department, and the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA).


"The SolarWinds Orion platform hack is slowly turning out to be one of the most significant hacks in recent years."

ZDNet


What Is A Supply Chain Attack?

A supply chain attack is a cyberattack that seeks to damage an organization by targeting less secured elements in its supply network. In 2013, Target, a US retailer, was hit by a data breach that exposed the credit and debit card information of 40 million customers after malware was introduced into the point of sale systems of over 1,800 stores. It is believed, although not officially confirmed, that cybercriminals infiltrated Target's network using credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems.

During the spring of 2017, a Ukrainian accounting software firm had its servers seized by the Ukrainian police. The firm was unwittingly helping to spread the notorious NotPetya malware via a malicious update to its accounting software, M.E.Doc. Attackers appear to have breached the company's computer systems and compromised the software update.

"Trojanized Orion"

On Sunday, SolarWinds published a press release admitting to a breach by a sophisticated actor who found a way to inject malicious code into SolarWinds' Orion IT monitoring and management software. The malicious code was distributed to many government and high-profile organizations through SolarWinds' website as part of software update packages. The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll plugin module contained backdoor code that hid in plain sight by using innocuous-looking variable names and tying into legitimate components; it was loaded and invoked by the Orion software framework like any other plugin. The malicious plugin module is tracked as SUNBURST by FireEye and as Solorigate by Microsoft.
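The point a defender should take from this paragraph is that the backdoored module carried a valid vendor signature, so a signature check alone would have accepted it. The script below is an added example written for this page (not Radware's, FireEye's or SolarWinds' code): it audits an endpoint inventory against a vendor-published manifest of known-good file hashes and separates "signed by a trusted publisher" from "is a build we have approved". The inventory records, the manifest contents, the signer name and the module bytes are all constructed stand-ins; only the DLL file name comes from the text.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledModule:
    """One plugin module as reported by an endpoint inventory (constructed record)."""
    host: str
    name: str
    signer: str            # signing certificate subject reported by the endpoint
    signature_valid: bool  # did the code-signature check on the endpoint pass?
    sha256: str            # hex digest of the file as found on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes of a genuine build and a tampered build.
GENUINE_BUILD = b"constructed stand-in for the genuine plugin module"
TROJANIZED_BUILD = b"constructed stand-in for the genuine plugin module plus a backdoor class"

MODULE_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Constructed manifest: per module name, the hashes the vendor published for the
# builds the organization has approved. Anything not listed here is not "known-good".
KNOWN_GOOD = {MODULE_NAME: {sha256_hex(GENUINE_BUILD)}}

# Signer subjects the organization trusts (constructed value, not a real certificate name).
TRUSTED_SIGNERS = {"Constructed Vendor Code Signing CA"}


def classify(module: InstalledModule, manifest: dict, trusted_signers: set) -> str:
    """Three-way verdict: signature trust is necessary but not sufficient."""
    if not module.signature_valid or module.signer not in trusted_signers:
        return "untrusted-signature"
    if module.sha256 in manifest.get(module.name, set()):
        return "known-good"
    # Valid signature from a trusted publisher, but content the manifest has never
    # seen: this is the trojanized-update case and must be investigated, not trusted.
    return "signed-but-unknown"


def audit(modules, manifest, trusted_signers) -> dict:
    """Map each host to the verdict for the module it reports."""
    return {m.host: classify(m, manifest, trusted_signers) for m in modules}


# Constructed inventory from three hosts.
INVENTORY = [
    InstalledModule("host-a", MODULE_NAME, "Constructed Vendor Code Signing CA", True,
                    sha256_hex(GENUINE_BUILD)),
    InstalledModule("host-b", MODULE_NAME, "Constructed Vendor Code Signing CA", True,
                    sha256_hex(TROJANIZED_BUILD)),
    InstalledModule("host-c", MODULE_NAME, "Unknown Publisher", False,
                    sha256_hex(TROJANIZED_BUILD)),
]


def run_audit() -> dict:
    return audit(INVENTORY, KNOWN_GOOD, TRUSTED_SIGNERS)


if __name__ == "__main__":
    for host, verdict in run_audit().items():
        print(f"{host}: {verdict}")
```

In practice the inventory would come from an EDR or configuration-management export and the manifest from the vendor's published hashes for each release; the value of the check is the middle verdict, which a pure signature check cannot produce.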

