FireEye detected that SolarWinds Orion is being used by attackers to steal sensitive company data.

FireEye’s threat research division found that a highly sophisticated and evasive attacker compromised SolarWinds’ Orion IT monitoring and management platform to deliver a backdoor trojan. It is suspected that the campaign started as early as April 2020 and is currently ongoing. The attackers appear to have been moving laterally across networks and stealing data.

FireEye stated that after the backdoor sits dormant for up to two weeks, it retrieves and executes commands from command-and-control servers on the internet. The downloaded commands allow it to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware disguises its network traffic and stores the data it collects within legitimate SolarWinds plugin configuration files.

“FireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.”

It is important to note that FireEye only detected this activity at organizations that use its products. It is very likely that others are affected.

What is the takeaway here?

Many internal IT teams and IT managed service providers use the popular SolarWinds products to manage and monitor networks.

Elteni encourages you to check with internal IT teams or your IT managed service provider to determine whether any SolarWinds products are in use, including Orion, and if they are, have the IT teams immediately assess the environment and patch SolarWinds.

Remote monitoring and management tools are often overlooked as a potential threat to a business because their name suggests the opposite. Any remote monitoring and management tool that can establish outbound connections or accept inbound connections should be treated as a hole in your network, and should be monitored and reviewed on a periodic basis.
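One way to put that periodic review into practice, as an added example that is not from this post, FireEye, or SolarWinds: build a baseline of the outbound destinations reached by the hosts running the management platform, then flag destinations that first appear in a later window (a backdoor that stays dormant for two weeks would show up exactly that way). The firewall log lines, host names, and destinations below are constructed, and the list of management hosts is assumed to come from the inventory step recommended above.

```python
# Added example (not from the Elteni post or SolarWinds): periodic review of
# outbound connections from hosts that run a monitoring/management platform.
# The log format, host names and destinations below are constructed.
from collections import defaultdict

# Constructed firewall log lines: "<date> <src_host> <dst_host> <dst_port> <action>"
FIREWALL_LOG = """\
2020-11-01 orion01 updates.example-vendor.invalid 443 allow
2020-11-01 orion01 ntp.corp.internal 123 allow
2020-11-02 orion01 updates.example-vendor.invalid 443 allow
2020-11-02 fileserver01 backup.corp.internal 445 allow
2020-11-15 orion01 updates.example-vendor.invalid 443 allow
2020-11-16 orion01 api.unknown-cdn.invalid 443 allow
2020-11-16 orion01 ntp.corp.internal 123 allow
2020-11-17 fileserver01 new-cloud.invalid 443 allow
"""

# Hosts the IT team has identified as running the management platform (assumption).
MANAGEMENT_HOSTS = {"orion01"}

def parse_log(text):
    """Yield (date, src, dst, port) tuples for allowed connections."""
    for line in text.splitlines():
        date, src, dst, port, action = line.split()
        if action == "allow":
            yield date, src, dst, int(port)

def outbound_baseline(records, hosts, until):
    """Destinations each management host reached on or before `until` (ISO date)."""
    baseline = defaultdict(set)
    for date, src, dst, port in records:
        if src in hosts and date <= until:
            baseline[src].add((dst, port))
    return baseline

def new_destinations(records, hosts, baseline, after):
    """Destinations reached after `after` that are absent from the baseline: review candidates."""
    found = defaultdict(set)
    for date, src, dst, port in records:
        if src in hosts and date > after and (dst, port) not in baseline.get(src, set()):
            found[src].add((dst, port))
    return dict(found)

def review(log_text=FIREWALL_LOG, hosts=MANAGEMENT_HOSTS, cutoff="2020-11-07"):
    """Baseline up to `cutoff`, then report new outbound destinations seen afterwards."""
    records = list(parse_log(log_text))
    baseline = outbound_baseline(records, hosts, cutoff)
    return new_destinations(records, hosts, baseline, cutoff)

if __name__ == "__main__":
    for host, dests in review().items():
        for dst, port in sorted(dests):
            print(f"{host}: new outbound destination {dst}:{port} - review")
```

A new destination is not proof of compromise; it is the item the periodic review should resolve against change records and vendor documentation.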

Elteni’s risk assessments, penetration tests, and vulnerability assessments can help you detect these holes in your environment.