SolarWinds Supply-Chain Attack / SUNBURST Malware
Security Bulletin:
AUSTIN, Texas — December 14, 2020 — SolarWinds®, a leading provider of IT management software, has announced the company was the subject of a highly sophisticated cyber-attack.
The cyber-attack was a supply-chain attack, in which an adversary leveraged the SolarWinds Orion software update mechanism to deploy malware. The attack has been linked to the compromises of the U.S. Department of the Treasury and FireEye®.
FireEye stated the cyber-attack campaign involved a component of the SolarWinds Orion® Platform, which is used by government agencies and private organizations to monitor and manage IT infrastructure. FireEye has given the campaign an identifier of UNC2452 and named the malware SUNBURST.
Microsoft® has used the “Solarigate” identifier for the malware and added detection rules to its Microsoft Defender® anti-malware product.
SolarWinds Products Affected
SolarWinds has confirmed the malware was inserted into the SolarWinds Orion platform in build versions 2019.4 HF 5, 2020.2, and 2020.2 HF 1, with products including:
- SolarWinds Application Centric Monitor (ACM)
- SolarWinds Database Performance Analyzer Integration Module* (DPAIM*)
- SolarWinds Enterprise Operations Console (EOC)
- SolarWinds High Availability (HA)
- SolarWinds IP Address Manager (IPAM)
- SolarWinds Log Analyzer (LA)
- SolarWinds Network Automation Manager (NAM)
- SolarWinds Network Configuration Manager (NCM)
- SolarWinds Network Operations Manager (NOM)
- SolarWinds Network Performance Monitor (NPM)
- SolarWinds NetFlow Traffic Analyzer (NTA)
- SolarWinds Server & Application Monitor (SAM)
- SolarWinds Server Configuration Monitor (SCM)
- SolarWinds Storage Resource Monitor (SRM)
- SolarWinds User Device Tracker (UDT)
- SolarWinds Virtualization Manager (VMAN)
- SolarWinds VoIP & Network Quality Manager (VNQM)
- SolarWinds Web Performance Monitor (WPM)
NOTE: DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which was not affected.
SolarWinds Customers Impacted
SolarWinds has identified updates released between March and June 2020 and indicated that about 18,000 of more than 300,000 SolarWinds Orion customers may have been impacted by the update.
SUNBURST Malware
The SUNBURST malware was deployed as part of an update from SolarWinds’ update servers and was digitally signed by a valid digital certificate. The certificate was issued by Symantec® with serial number 0fe973752022a606adf2a36e345dc0ed.
The malware may provide an attacker with unauthorized access to privileged user accounts.
Recommendations for Detection
Adeptec recommends that SolarWinds customers affected by the SUNBURST malware search for evidence of exploitation in their network environment, as antivirus products may not detect the attack.
NOTE: This step is important because the software manufacturer recommends exempting SolarWinds Orion from antivirus scans.
Detection Actions
1. Search For Evidence of Compromise
A. Malware File
Systems and security administrators should search for the existence of the compromised file on the SolarWinds Orion application server.
File Name:
SolarWinds.Orion.Core.BusinessLayer.dll
Malware File Hash (SHA256):
Malware File Hash (MD5):
`2c4a910a1299cdae2a4e55988a2f102e`,
`846e27a652a5e1bfbd0ddd38a16dc865`,
`b91ce2fa41029f6955bff20079468448`
B. Malware Process
Systems and security administrators should search for the running process on the SolarWinds Orion application server.
Process Name:
SolarWinds.BusinessLayerHost.exe
The SolarWinds.Orion.Core.BusinessLayer.dll file is used as a backdoor, which then installs a Windows service to execute malicious code. The Windows service runs under the process name SolarWinds.BusinessLayerHost.exe.
C. LDAP Directory Services
Systems and security administrators should perform a thorough audit of LDAP directory services (e.g. Microsoft Active Directory, OpenLDAP). Specifically, review new user accounts, external DNS requests, and other indicators that may point to a security breach.
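The following triage script covers detection steps 1A through 1C in one pass. It is an added example and not part of the Adeptec bulletin; it assumes the default Orion install path, uses the MD5 hashes and certificate serial listed above, and treats March 2020 (the first trojanised update) as the cut-off for the account review.

```powershell
# Added triage script for detection steps 1A-1C (not from the Adeptec bulletin).
# Run in an elevated PowerShell session on the Orion application server.
# $OrionRoot is the default install path (assumption; adjust if relocated).
$DllName    = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$ProcName   = 'SolarWinds.BusinessLayerHost'
$OrionRoot  = 'C:\Program Files (x86)\SolarWinds\Orion'
$CertSerial = '0fe973752022a606adf2a36e345dc0ed'   # signing cert serial from the bulletin
# MD5 values from the bulletin; append its SHA256 values here to check both.
$KnownBad   = @('2c4a910a1299cdae2a4e55988a2f102e',
                '846e27a652a5e1bfbd0ddd38a16dc865',
                'b91ce2fa41029f6955bff20079468448')

# 1A. Hash every copy of the DLL under the Orion tree. A hash match is the
#     decisive indicator; the same certificate also signed clean builds, so a
#     serial match alone only tells you which signing key was used.
Get-ChildItem -Path $OrionRoot -Filter $DllName -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
    $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber.ToLower() } else { '' }
    [pscustomobject]@{
      Path         = $_.FullName
      KnownBad     = ($KnownBad -contains $md5) -or ($KnownBad -contains $sha)
      SHA256       = $sha
      SignerSerial = $serial
      SerialMatch  = ($serial -eq $CertSerial)
    }
  } | Format-List

# 1B. Is the host process running, and which copy of the DLL has it loaded?
Get-Process -Name $ProcName -ErrorAction SilentlyContinue | ForEach-Object {
  try   { $mod = $_.Modules | Where-Object { $_.ModuleName -eq $DllName } }
  catch { $mod = $null }   # module list can be unreadable across 32/64-bit boundaries
  [pscustomobject]@{ PID = $_.Id; Started = $_.StartTime; LoadedDll = $mod.FileName }
} | Format-List

# 1C. Directory audit: accounts created since the first trojanised update.
#     Needs the RSAT ActiveDirectory module; skipped if it is not installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
  $since = Get-Date '2020-03-01'
  Get-ADUser -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -ge $since } |
    Sort-Object whenCreated |
    Select-Object SamAccountName, whenCreated, Enabled | Format-Table -AutoSize
}
```

Any row with KnownBad set to True, or a loaded DLL whose hash matches the list, should be treated as a confirmed compromise and escalated to the remediation steps below.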
Recommendations for Remediation
Adeptec recommends that SolarWinds customers affected by the SUNBURST malware take action to remediate the potential security risk.
Remediation Actions
1. Remove Security Threat
A. Disable / block access to the Internet from the SolarWinds Orion application server.
B. Change database, system, and network credentials used by SolarWinds Orion.
C. Back up the following directories for Adeptec’s product add-ons:
- C:\inetpub\Adeptec\
- C:\Users\Public\Pictures\NetworkAtlas Backgrounds\Network Maps\
- C:\Program Files (x86)\SolarWinds\Orion\Network Atlas\MapsWeb\NetObjects\Network Maps\
- C:\Program Files (x86)\SolarWinds\Orion\Network Atlas\Maps\NetObjects\Network Maps\
D. Deactivate all product licenses in the SolarWinds Orion Web Console.
E. Confirm that product licenses have been deactivated in the SolarWinds Customer Portal.
F. Document the Microsoft Windows Server Computer name/Full computer name (e.g. OrionServer) in System Information.
G. Disjoin the Microsoft Windows Server from the Microsoft Windows Active Directory Service domain.
H. Shut down the Microsoft Windows Server.
2. Harden System Security
A. Install a new copy of Microsoft Windows Server on the SolarWinds Orion Application Server.
B. Rename the new installation of Microsoft Windows Server with the previous name (e.g. OrionServer).
C. Rejoin the Microsoft Windows Server to the Microsoft Windows Active Directory Service domain.
D. Secure Microsoft Windows Server in accordance with best practices provided by NIST, Microsoft, SANS Institute, and SolarWinds.
E. Deploy a new installation of the SolarWinds Orion 2020.2 HF2 software.
F. Run the SolarWinds Configuration Wizard to connect the installation to the SolarWindsOrion database.
G. Review security best practices to ensure compliance with security standards.
Additional Recommendations
Adeptec recommends that SolarWinds customers affected by the SUNBURST malware assume the SolarWinds Orion application server has been compromised.
Adeptec is committed to its clients and recognizes the unprecedented nature of the SolarWinds Supply-Chain Attack. To that end, we will provide advisory services to our clients at no cost for the detection and remediation process.