SolarWinds Hack: Everything you need to know

SolarWinds is the subject of a massive cybersecurity attack that spread to the company’s clients. Not a single company but series of companies were breached through this major event termed as SolarWinds hack which affected not just US government and its agencies but also the thousands of organizations. It has emerged as one of the biggest ever targeted attack against the super power.

FireEye, the US Cyber security firm which helps with the security management of several big private companies and federal government agencies, initially discovered it on December 8, 2020 and called it a state sponsored attack. According to it, this particular cyber attack is a part of a campaign named UNC2452 targeting a range of public and private firms. This campaign has started from March 2020 and is ongoing for months. Also, the extent of data stolen and compromised though it is still unknown. It added that the methods used for this purpose were novel and the attack was carried out by a nation “with top-tier offensive capabilities”, plus “the attacker primarily sought information related to certain government customers.”

What is SolarWinds?

SolarWinds is a big software company located in Tulsa, Oklahoma, which provides network and infrastructure monitoring tools as well as other technical services to hundreds of thousands of companies across the world. Orion, an IT performance monitoring solution, is one of the company's offerings.

What is SolarWinds Hack?

SolarWinds attack is primarily called a ‘Supply Chain’ attack, which means the breach was achieved by targeting a third-party vendor which supplies software to the companies instead of directly targeting the latter. Here, ‘Orion’ software was targeted which is supplied by the Texas-based company SolarWinds. Its immense number of clients over 36,000 firms calls out as one of the major reasons of targeting it. Stated by SolarWinds nearly 18,000 of its clients have been impacted including 425 companies in Fortune 500, and the top 10 US telecom operators. While other impacted bodies include the Pentagon, Centers for Disease Control and Prevention, the State Department, the Justice Department, and others.

How this happens?

Basically, these attacks were successful by means of trojanized updates i.e. the technocrats gained access to victims through trojanized updates to SolarWind’s Orion IT monitoring and management software. After an update, the ‘Sunburst’ malware gets installed into Orion. Post installation, the Sunburst gave a secret backdoor entry to technocrats to the systems as well as the networks of the SolarWind’s customers. Sunburst is capable of accessing system files and even thwarting tools like anti-virus. This update was accepted by 17,000+ firms which consequently and unknowingly installed this terrible malware. Also the attackers followed a range of techniques to reduce the chances of being detected.

Naming the attack: What is Solorigate, Sunburst and Nobelium?

The different names associated with SolarWinds attack are- Sunburst: Its name of actual malicious code injection and both SolarWinds and CrowdStrike refers to the attack as Sunburst. Solorigate: Initially dubbed by Microsoft to the threat actor group behind attack. Nobelium: As the group being active against multiple victims and using multiple malwares than just Sunburst, Microsoft named it as Nobelium.

How to Check If You’re Affected by the SolarWinds Data Breach

Here are signs that you should be on high alert and take quick security measures to safeguard your network.

YOU’VE SEEN TRAFFIC TO THIS DOMAIN

If you have Orion installed, promptly update to the recommended version from SolarWinds. Also trigger the check for any evidence of a breach and confirm from your IT vendor of being aloof of the breach. “avsvmcloud[.]com” is the domain used to communicate between set-ups hacked by Sunburst. Thus on glimpse of such domain immediately check firewalls and set-up logs for presence of any systems in your network communication with this domain. Moreover, if you run a defense, government contracting, manufacturing, and technology firms then you need to be further more careful and make sure that you are not being targeted or affected.

For more information visit us on: www.nexixsecuritylabs.com

To schedule an audit you can contact us on: contact@nexixsecuritylabs.com

Your Security | Our Concern