14 December 2020

FireEye reveals global SolarWinds supply chain attack

State-backed hackers are targeting government entities and private businesses around the world in a global supply chain attack that uses a malicious SolarWinds update to compromise networks, according to a new report from the cybersecurity firm FireEye.

FireEye’s revelation follows reports that emerged on Sunday of cyber attacks against the computer networks of the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA). According to those reports, the hackers had been monitoring internal email traffic at the Treasury and Commerce departments. The intrusions are believed to be the work of the APT29 (Cozy Bear) hacker group.

The cyber attack was so serious it led to a National Security Council meeting at the White House on Saturday, Reuters reported citing people familiar with the matter.

FireEye’s own network was also a target of the SolarWinds supply chain attack, which resulted in the theft of the company’s Red Team tools. The hackers gained access to a set of scripts, tools, scanners, and techniques that mimic the behavior of many cyber threat actors. None of them contained zero-day exploits, the company said in the announcement disclosing the breach.

In the new technical report FireEye said that the supply chain attack, whose operators the company tracks as UNC2452, uses trojanized updates to the SolarWinds Orion business software to distribute a backdoor called SUNBURST. The campaign has been active since at least spring 2020 and is still ongoing, the company warned.

During the investigation FireEye discovered that SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed SolarWinds component of the Orion software framework, contains a backdoor that communicates with third-party servers over HTTP.

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers,” the report said.

According to the researchers, multiple trojanized updates were digitally signed between March and May 2020 and published to the SolarWinds updates website.

In a security advisory SolarWinds said that the supply chain attack affects SolarWinds Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. The company advises its customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. Upgrading replaces the backdoored component; it does not by itself address follow-on activity on hosts that were already compromised through it.

“An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements,” SolarWinds said.
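As an added triage aid (this script is not from FireEye or SolarWinds and is not part of the original report), the following PowerShell locates the SolarWinds.Orion.Core.BusinessLayer.dll named above on an Orion server and records its file version, SHA-256 hash and Authenticode signer, so the result can be compared against the affected version range and the indicators published by the vendors. The default search roots are the usual Orion install directories and are an assumption; `$KnownBadSha256` is an empty placeholder that you must fill from the published indicator list. Because the trojanized builds were validly signed, a good signature is deliberately not treated as a clean result.

```powershell
# Added triage script, not from FireEye or SolarWinds. Assumptions: the Orion install roots
# below are the usual defaults, and $KnownBadSha256 is a placeholder to be filled from the
# vendor/FireEye indicator list before the verdict column means anything.
param(
    [string[]]$SearchRoots = @(
        "${env:ProgramFiles(x86)}\SolarWinds\Orion",
        "$env:ProgramFiles\SolarWinds\Orion"
    ),
    [string[]]$KnownBadSha256 = @()   # fill from the published SUNBURST indicators
)

$dllName = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Case-insensitive set of known-bad hashes so hex case in the IOC list does not matter.
$badSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($h in $KnownBadSha256) { [void]$badSet.Add($h) }

# Find every copy of the DLL under the search roots (Orion can keep more than one).
$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter $dllName -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Output "No $dllName found under: $($SearchRoots -join ', ')"
    return
}

foreach ($f in $hits) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A valid SolarWinds signature does NOT clear the file: the trojanized updates were signed.
    $verdict = if ($badSet.Contains($hash)) {
        'MATCHES KNOWN-BAD HASH'
    } elseif ($badSet.Count -eq 0) {
        'no indicator list supplied; compare version and hash manually'
    } else {
        'hash not in supplied list (not proof of absence)'
    }

    [pscustomobject]@{
        Path      = $f.FullName
        Version   = $f.VersionInfo.FileVersion   # compare with the affected range in the advisory
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
    }
}
```

Run it from an elevated PowerShell prompt on each Orion server and keep the output alongside your other incident records; an upgrade to the hotfix release replaces the file, so capture version and hash before patching if you need evidence of what was installed.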
