Over the weekend it was revealed that nation-state hackers had breached SolarWinds (a provider of remote patching and management tools, amongst other things). The attackers added malicious code to the SolarWinds Orion Platform, and this code was pushed to approximately 18k customers via the auto-update mechanism, installing a backdoor onto systems since March 2020. It is highly likely that a Russian APT group is responsible for the attack.
By its nature, SolarWinds is a trusted provider to many IT teams and managed service providers, and supply chain attacks of this type are rare. But because this software runs with full administrator privilege, it is a prize target for many attackers.
This breach highlights the need to understand your supply chain and how it can affect the security of your network and business. It also shows how effective segmentation, monitoring and alerting can help identify attacks, especially ones of this kind. These days it is not a matter of if but when, so businesses need to be ready with a well-practised incident response plan.
In the meantime, Microsoft have taken action:
“It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert. Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running.”
FireEye warns, though, that threat actors who actively compromised victims likely added other persistence methods.
Links to more information
Stay safe, be well and make sure to wash your hands.