Last week, the cybersecurity consulting company FireEye announced they had suffered a breach in which attackers stole sensitive “red team” hacking tools and potentially information related to certain government customers. FireEye has historically been one of the most prominent consultants, if not the most prominent, brought in to investigate attacks against large organizations and government entities. By targeting FireEye, the threat actors potentially gained access to sensitive information from the US Government and enterprise giants across all industries. FireEye has not yet named who they believe is responsible for the breach, but many industry experts and sources at the FBI have pointed fingers at the Russian-backed hacking outfit APT29.
On Sunday, FireEye provided an update stating that the campaign started as early as Spring 2020 and included significantly more victims than just themselves. They were able to identify a trojanized SolarWinds Orion update, which they named SUNBURST, as the breach origin. Between March and June of this year (SolarWinds Orion update versions 2019.4 through 2020.2.1), the threat actors inserted malicious code into updates to the SolarWinds Orion Platform and digitally signed them before they were posted to SolarWinds’ official website. The US Cybersecurity and Infrastructure Security Agency (CISA) published a directive soon after FireEye’s update, requiring all federal civilian agencies to review their networks for indicators of compromise (IoCs) and disconnect any running SolarWinds Orion servers.
SolarWinds is urging their customers to update their Orion installations to 2020.2.1 HF 1 as quickly as possible to mitigate the compromised components. Additionally, they plan to release version 2020.2.1 HF 2 on Tuesday, which will replace the compromised components and “provide several additional security enhancements.”
Supply chain attacks that target vendors as a way to reach the intended victims have grown increasingly popular in recent years, largely thanks to their ability to stay hidden for a significant amount of time. If you’re a SolarWinds Orion customer, heed their advice and install the updates from the SolarWinds Customer Portal as quickly as possible to mitigate this threat. You can use this link to check what version of the Orion Platform you are running and this link to check which hotfixes you have applied.