A massive hack by unknown assailants has targeted the Orion software used by network management company Solarwinds, and has been wreaking havoc on the systems of various institutions.
Experts are calling it Sunburst – a backdoor exploit that has affected reportedly up to 18,000 customer accounts, including systems at the U.S. Treasury and Department of Commerce.
There’s no comment from Solarwinds top brass on what went on from March to June of this year, as the coronavirus was ramping up and Sunburst was targeting commercial and government systems. But a writeup by FireEye, noted in coverage at Krebs on Security, provides details on how the malware works:
“The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component,” analysts write. “(After) the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe … After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications.”
FireEye writers also provide more detail on the scale of the digital invasion:
“FireEye has detected this activity at multiple entities worldwide,” notes the report.
“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”
Solarwinds’ stock price has responded by cratering; in just the last week, share prices have dropped from an all-time high around $23.50 to about $18 a piece.
Is the hack a gift from Russia?
“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR,” write Washington Post reporters, while noting that officials at the Russian embassy in Washington have denied Russian government involvement.
Look out for more fallout in an intensely nationalized and widespread hack that is roiling the cybersecurity community.
