Network monitoring services provider SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was exploited to insert malware and breach public and private entities in a wide-ranging espionage campaign.
In a new update posted to its advisory page, the company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately to secure their environments.
The malware, dubbed SUNBURST (aka Solorigate), affects Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
“Based on our investigation, we are not aware that this vulnerability affects other versions—including future versions—of Orion Platform products,” the company said.
“We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our other products or agents contain those markers.”
It also reiterated none of its other free tools or agents, such as RMM and N-central, were impacted by the security shortcoming.
Microsoft Seizes Domain Used in SolarWinds Hack
While details on how SolarWinds’ internal network was breached are still awaited, Microsoft yesterday took the step of taking control over one of the main GoDaddy domains — avsvmcloud[.]com — that was used by the hackers to communicate with the compromised systems.
The Windows maker also said it plans to start blocking known malicious SolarWinds binaries starting today at 8:00 AM PST.
Meanwhile, security researcher Mubix “Rob” Fuller has released an authentication audit tool called SolarFlare that can be run on Orion machines to help identify accounts that may have been compromised during the breach.
“This attack was very complex and sophisticated,” SolarWinds stated in a new FAQ for why it couldn’t catch this issue beforehand. “The vulnerability was crafted to evade detection and only run when detection was unlikely.”
Up to 18,000 Businesses Hit in SolarWinds Attack
SolarWinds estimates that as many as 18,000 of its customers may have been impacted by the supply chain attack. But indications are that the operators of the campaign leveraged this flaw to only hit select high-profile targets.
Cybersecurity firm Symantec said it identified more than 2,000 computers at over 100 customers that received the backdoored software updates but added it did not spot any further malicious impact on those machines.
Just as the fallout from the breach is being assessed, the security of SolarWinds has attracted more scrutiny.
Not only it appears the company’s software download website was protected by a simple password (“solarwinds123”) that was published in the clear on SolarWinds’ code repository at Github; several cybercriminals attempted to sell access to its computers on underground forums, according to Reuters.
In the wake of the incident, SolarWinds has taken the unusual step of removing the clientele list from its website.