• On December 13th, a recently discovered supply chain attack targeting the SolarWinds Orion platform was reported. The attackers were able to insert a malicious backdoor into Orion software updates officially released by SolarWinds.
• The attack is widespread and impacts a large number of organizations that utilize SolarWinds Orion. Attacks have already been identified across multiple verticals and regions.
• Patching is only the first step. All impacted customers should assume there are other backdoors or entry points into their environments.
• Whether it is used in IT or OT environments, if you have or had any impact versions of the software referenced below, Red Trident recommends that you conduct a compromise assessment as soon as possible.
• If you are leveraging Solarwinds Orion for any ICS/OT systems or networks, please contact us
Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including the following software, are impacted:
• Application Centric Monitor (ACM)
• Database Performance Analyzer Integration Module (DPAIM)
• Enterprise Operations Console (EOC)
• High Availability (HA)
• IP Address Manager (IPAM)
• Log Analyzer (LA)
• Network Automation Manager (NAM)
• Network Configuration Manager (NCM)
• Network Operations Manager (NOM)
• Network Performance Monitor (NPM)
• NetFlow Traffic Analyzer (NTA)
• Server & Application Monitor (SAM)
• Server Configuration Monitor (SCM)
• Storage Resource Monitor (SRM)
• User Device Tracker (UDT)
• Virtualization Manager (VMAN)
• VoIP & Network Quality Manager (VNQM)
• Web Performance Monitor (WPM)
• Ensure that impacted SolarWinds servers are isolated until a compromise assessment is conducted. This should include blocking all connectivity to and from IT and OT systems.
• Block outbound Internet traffic from servers or other endpoints with SolarWinds software.
• Review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
• If immediate update is not possible, Solarwinds recommends compensating controls documented here.
• Please refer to SolarWinds’ official security advisory as updates are expected to be published.