Original Release Date: 12/17/2020
On December 13, the cybersecurity firm FireEye detailed a coordinated supply chain cyberattack in which threat actors gained access to the update server for SolarWinds’ IT monitoring and management software, Orion. The actors were able to upload malicious software updates to the server, including a backdoor trojan – dubbed SUNBURST – that was digitally signed with a SolarWinds certificate. The malicious software was then pushed to customers as they updated the Orion software. Orion is used by thousands of public and private sector organizations worldwide, including many US government agencies. SolarWinds estimates that up to 18,000 customers have installed at least one of the malicious updates, though the presence of a malicious Orion software version does not necessarily indicate further network compromise. Additionally, one of the malicious domains used for communications has been seized and reconfigured into a “killswitch” to help prevent the malware from operating. CISA reports that the Orion supply chain compromise was not the only initial infection vector leveraged by this advanced persistent threat (APT) actor. It is widely believed that the threat actors behind the cyberattack are highly sophisticated, persistent, and well-resourced. This attack will have significant lasting implications.
These types of cyberattacks can occur even when an organization has a highly effective cybersecurity program that employs best practices and industry standards. Supply chain management programs can help to reduce the risk posed by vendors and third parties, as can implementing a defense-in-depth cybersecurity strategy that includes layered defenses. In addition, it is vital to reduce a network’s attack surface by disabling unused ports and preventing unnecessary internet access to systems. For more information on supply chain security, review the NJCCIC This is Security post.
The NJCCIC advises organizations using SolarWinds Orion software to determine whether a malicious update was installed on their network and, if so, to investigate whether additional malicious activity occurred, such as subsequent connections to command and control nodes. FireEye, SolarWinds, CISA, and Microsoft provide additional details, indicators of compromise, and recommendations for remediation. As investigations continue, additional details and indicators of compromise will likely be revealed. SolarWinds Orion customers are advised to upgrade to version 2020.1.2 hotfix 2 as soon as possible after appropriate testing.
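As an added illustration of the first step above (example code, not part of the NJCCIC advisory), the following Python flags Orion hosts in an inventory whose reported version predates 2020.1.2 hotfix 2. It assumes Orion reports its version as a dotted string with an optional hotfix suffix such as "HF2", and the host inventory is constructed sample data.

```python
"""Flag SolarWinds Orion installs that still need the 2020.1.2 hotfix 2 upgrade.

Added example, not from the advisory. Assumes version strings of the form
"2020.1.2 HF2" or "2020.1.2 hotfix 2"; the inventory below is constructed.
"""
import re
from typing import List, Tuple

# Minimum version the advisory recommends (2020.1.2 hotfix 2).
FIXED_VERSION = "2020.1.2 HF2"

_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+)|hotfix\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2020.1.2 HF2' into a comparable tuple: (2020, 1, 2, 0, 2).

    Dotted fields are padded to four places so '2020.1' and '2020.1.0'
    compare equal; the hotfix number is the trailing element (0 if absent).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    fields = [int(p) for p in m.group(1).split(".")]
    if len(fields) > 4:
        raise ValueError(f"too many version fields: {text!r}")
    fields += [0] * (4 - len(fields))
    hotfix = int(m.group(2) or m.group(3) or 0)
    return tuple(fields + [hotfix])


def needs_upgrade(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the recommended hotfix."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Orion version predates the fixed release."""
    return [host for host, ver in inventory if needs_upgrade(ver)]


# Constructed sample inventory: (hostname, reported Orion version).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2019.4 HF5"),
    ("orion-prod-02", "2020.1.2 hotfix 1"),
    ("orion-lab-01", "2020.1.2 HF2"),
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION}, then review for follow-on activity")
```

A host at or above the fixed version has only completed the first step; whether a malicious update was ever installed, and whether command and control connections followed, still has to be investigated.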