SolarWinds Supply Chain Attack Alert

On December 13, 2020, FireEye published an analysis report on the SolarWinds supply chain attack. SolarWinds products were the subject of a supply chain compromise that went undetected for most of a year, and a backdoor was implanted in the company's software.
The backdoor was introduced through official SolarWinds application updates starting in March 2020. Anyone running SolarWinds software should install the vendor's fix immediately.
SolarWinds Inc. is an American company that provides software for companies to help manage their networks, systems, and information technology infrastructure. According to its official website profile, SolarWinds’ customers include Fortune 500 companies, all the top ten telecommunications companies in the United States, the U.S. forces, the U.S. State Department, the National Security Agency, and the Office of the President of the United States.

According to the official security bulletin issued by SolarWinds, Orion platform versions 2019.4 through 2020.2.1, released between March and June 2020, are affected by the supply chain attack. The installation packages of these versions contain a malicious backdoor component.


These malicious installation packages carried a valid SolarWinds digital signature, so signature checks passed. After the update is installed, a file named SolarWinds.Orion.Core.BusinessLayer.dll is dropped; the Orion platform loads it as an additional plug-in through SolarWinds.BusinessLayerHostx[64].exe.
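As an added triage example (not code from SolarWinds, FireEye or the original alert), the following Python script combines the two facts above: the affected release band from the bulletin and the name of the dropped DLL. It walks an Orion install root for copies of SolarWinds.Orion.Core.BusinessLayer.dll, hashes them, compares the digests against a known-bad set that this page does not supply (KNOWN_BAD_SHA256 is a placeholder to be filled from the vendor advisory), and separately checks whether the installed version string falls within 2019.4 through 2020.2.1. The install path and version string are passed on the command line; the function names and verdict strings are my own assumptions.

```python
"""Triage helper for a SolarWinds Orion host: is the installed release inside the
affected band, and does the dropped DLL match a known-bad digest?
Added example; not SolarWinds, FireEye or original-page code."""
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path

# Affected Orion release band as given in the bulletin: 2019.4 through 2020.2.1.
# Hotfix suffixes such as "HF 5" are not part of the band comparison.
AFFECTED_MIN = (2019, 4)
AFFECTED_MAX = (2020, 2, 1)

# File dropped by the trojanized update, per the description above.
DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Known-bad SHA-256 digests of the trojanized DLL. Hypothetical placeholder: this
# page lists no hashes, so populate it from the vendor/FireEye advisory before use.
KNOWN_BAD_SHA256: set[str] = set()


def parse_version(text: str) -> tuple[int, ...]:
    """'2020.2.1 HF 1' -> (2020, 2, 1); '2019.4 HF 5' -> (2019, 4)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def version_in_affected_band(text: str) -> bool:
    """Tuples compare lexicographically: (2020, 2) <= (2020, 2, 1) holds,
    while (2020, 2, 4) > (2020, 2, 1) correctly falls outside the band."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def sha256_file(path: Path) -> str:
    """Stream the file so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_business_layer_dlls(install_root) -> list[Path]:
    """Every copy of the DLL under the install root (Orion keeps more than one)."""
    return sorted(Path(install_root).rglob(DLL_NAME))


def triage(install_root, installed_version: str, known_bad: set[str] | None = None) -> dict:
    """A hash hit is conclusive. A version inside the band with no hash hit still
    means 'apply the vendor fix': a valid SolarWinds signature on the DLL says
    nothing about whether it was trojanized, so the hash set, not the signature,
    is what separates a clean build from a backdoored one."""
    known_bad = KNOWN_BAD_SHA256 if known_bad is None else known_bad
    dlls = []
    for path in find_business_layer_dlls(install_root):
        digest = sha256_file(path)
        dlls.append({"path": str(path), "sha256": digest, "known_bad": digest in known_bad})
    in_band = version_in_affected_band(installed_version)
    if any(d["known_bad"] for d in dlls):
        verdict = "compromised: trojanized DLL present"
    elif in_band:
        verdict = "affected release band: treat as compromised, apply vendor fix"
    else:
        verdict = "outside affected band: still verify DLL hashes"
    return {"version": installed_version, "version_affected": in_band,
            "dlls": dlls, "verdict": verdict}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <orion-install-root> <orion-version-string>")
    print(triage(sys.argv[1], sys.argv[2]))
```

Run it on the Orion install directory with the version string shown in the Orion web console; on a hit, preserve the DLL and its host process for forensics before applying the update, since the update will overwrite the evidence.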

The backdoor operates according to instructions returned by its C2 after a dormant period of up to two weeks. “It retrieves and executes commands, called ‘Jobs’, that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers.”

In other words, all of the malicious program’s network communications are disguised as Orion Improvement Program (OIP) traffic, and the results are stored in a legitimate plug-in configuration file, so the backdoor blends into SolarWinds’ own activity and stays hidden.

This backdoor component is also carried in the SolarWinds upgrade program. Any system on which an administrator installed the update between March and June 2020 should be considered affected by the attack.