Update 12/14: We note there is a discrepancy in guidance coming from DHS and SolarWinds. The SolarWinds advisory suggests users upgrade to the latest version, Orion Platform version 2020.2.1 HF 1, while DHS guidance says 2020.2.1 HF1 is affected. However, we note that SolarWinds announced they will be releasing another hot-fix, 2020.2.1 HF 2, on December 15, which “replaces the compromised component and provides several additional security enhancements.” Talos urges customers to follow DHS guidance at this time and install 2020.2.1 HF 2 as soon as it becomes available.
Cisco Talos is monitoring yesterday's announcements by FireEye and Microsoft that a likely state-sponsored actor compromised potentially thousands of high-value government and private organizations around the world via the SolarWinds Orion product. FireEye reported on Dec. 8 that it had been compromised in a sophisticated attack in which state-sponsored actors stole sensitive red team tools. Upon investigating the breach further, FireEye and Microsoft discovered that the adversary gained access to victims' networks via trojanized updates to SolarWinds' Orion software.Threat activity details
In another sophisticated supply-chain attack, adversaries compromised updates to the SolarWinds Orion IT monitoring and management software, specifically a component called "SolarWinds.Orion.Core.BusinessLayer.dll" in versions 2019.4 HF 5 through 2020.2.1. The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor is being tracked by FireEye as SUNBURST, and it can communicate to third-party servers using HTTP. The backdoor is loaded by the actual SolarWinds executable before the legitimate code, as not to alert the victim that anything is amiss.After a pe ..
Support the originator by clicking the read the rest link below.
