EXECUTIVE SUMMARY

• On December 13th, 2020, a supply chain attack targeting the SolarWinds Orion platform was publicly reported. The attackers inserted a malicious backdoor into Orion software updates officially released by SolarWinds, so customers who installed those legitimate updates received the backdoor with them.

• The attack is widespread and impacts a large number of organizations that utilize SolarWinds Orion. Attacks have already been identified across multiple verticals and regions.

• Patching is only the first step. Removing the backdoored build does not evict an attacker who has already used it. All impacted customers should assume there are other backdoors or entry points into their environments.

• Whether the software runs in IT or OT environments, if you have or had any of the impacted versions referenced below, Red Trident recommends that you conduct a compromise assessment as soon as possible.

• If you are leveraging SolarWinds Orion for any ICS/OT systems or networks, please contact us.

IMPACTED PRODUCTS

Orion Platform versions 2019.4 HF 5 and 2020.2 (with no hotfix, or with 2020.2 HF 1), including the following software, are impacted:

• Application Centric Monitor (ACM)
• Database Performance Analyzer Integration Module (DPAIM)
• Enterprise Operations Console (EOC)
• High Availability (HA)
• IP Address Manager (IPAM)
• Log Analyzer (LA)
• Network Automation Manager (NAM)
• Network Configuration Manager (NCM)
• Network Operations Manager (NOM)
• Network Performance Monitor (NPM)
• NetFlow Traffic Analyzer (NTA)
• Server & Application Monitor (SAM)
• Server Configuration Monitor (SCM)
• Storage Resource Monitor (SRM)
• User Device Tracker (UDT)
• Virtualization Manager (VMAN)
• VoIP & Network Quality Manager (VNQM)
• Web Performance Monitor (WPM)

ADDITIONAL RECOMMENDATIONS

• Ensure that impacted SolarWinds servers are isolated until a compromise assessment is conducted. This should include blocking all connectivity to and from both IT and OT systems.

• Block outbound Internet traffic from servers or other endpoints running SolarWinds software.

• Review network device configurations for unexpected or unauthorized modifications. Note that this is a proactive measure, warranted by the scope of what SolarWinds can reach (for example, configuration management through NCM), and not based on investigative findings.

• If an immediate update is not possible, SolarWinds recommends compensating controls, documented in its security advisory.

• Refer to SolarWinds' official security advisory; updates are expected to be published there.
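The configuration review recommended above is easiest to do mechanically: compare each device's current configuration against a trusted baseline (for example, an NCM backup taken before the impacted Orion versions were installed) and weight the changes an attacker holding Orion's device credentials would most plausibly make. The following script is an added example written for this advisory, not Red Trident's or SolarWinds' own tooling. The two configurations, the device name and the high-risk patterns (Cisco IOS-style syntax) are constructed assumptions for illustration.

```python
"""Baseline-vs-current network configuration review.

Added example (not part of the advisory). Compares a device's current running
configuration against a trusted baseline and flags every added or removed
line, marking the ones that touch accounts, SNMP, ACLs, routing, AAA, logging
or management access as high risk. Sample configurations below are constructed.
"""
import difflib
import re
from dataclasses import dataclass

# Config lines whose addition or removal deserves immediate attention.
# Assumed IOS-style syntax; extend for other vendors.
HIGH_RISK = [
    re.compile(r"^\s*username\s"),                          # local accounts
    re.compile(r"^\s*snmp-server\s+(community|user|host)"), # SNMP access
    re.compile(r"^\s*(ip\s+)?access-list\s"),               # ACLs
    re.compile(r"^\s*ip\s+route\s"),                        # static routes
    re.compile(r"^\s*(aaa|tacacs|radius)"),                 # authentication
    re.compile(r"^\s*(logging|archive)\s"),                 # evidence / logging
    re.compile(r"^\s*transport\s+input"),                   # vty access methods
]


@dataclass
class Finding:
    device: str
    change: str        # "+" line added to current, "-" line removed from baseline
    line: str
    high_risk: bool


def normalize(config: str) -> list[str]:
    """Drop blank lines and '!' comment lines (which carry backup timestamps)
    so cosmetic differences between backups do not show up as findings."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def review_config(device: str, baseline: str, current: str) -> list[Finding]:
    """Return one Finding per line that differs between baseline and current."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                lineterm="", n=0)  # n=0: no context lines
    findings = []
    for entry in diff:
        if entry.startswith(("---", "+++", "@@")):   # diff headers, not config
            continue
        sign, text = entry[0], entry[1:]
        if sign not in "+-":
            continue
        risky = any(p.search(text) for p in HIGH_RISK)
        findings.append(Finding(device, sign, text, risky))
    return findings


def summarize(findings: list[Finding]) -> dict:
    return {"total": len(findings),
            "high_risk": sum(1 for f in findings if f.high_risk)}


# Constructed sample: baseline backup vs. configuration pulled during triage.
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Nov 2 2020
hostname core-sw1
username admin privilege 15 secret 5 $1$abcd$...
interface GigabitEthernet0/1
 description uplink to core-rtr1
snmp-server community s3cretRO RO
logging host 10.0.5.20
line vty 0 4
 transport input ssh
"""

CURRENT = """\
! Last configuration change at 03:12:44 UTC Tue Dec 15 2020
hostname core-sw1
username admin privilege 15 secret 5 $1$abcd$...
username support privilege 15 secret 5 $1$zzzz$...
interface GigabitEthernet0/1
 description Uplink to core-rtr1 (10G)
snmp-server community s3cretRO RO
snmp-server community public RW
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    results = review_config("core-sw1", BASELINE, CURRENT)
    for f in results:
        flag = "HIGH" if f.high_risk else "info"
        print(f"[{flag}] {f.device} {f.change} {f.line}")
    print(summarize(results))
```

Run over a real fleet, feed it each device's most recent known-good backup as the baseline and the configuration pulled directly from the device (not from Orion, whose view may itself be untrustworthy) as the current one. In the constructed sample the added local account, the new read-write SNMP community, the removed syslog destination and the telnet-enabled vty line all surface as high-risk findings, while the cosmetic description change is reported for completeness only.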
