According to the official security bulletin issued by SolarWinds, the 2019.4 and 2020.2.1 versions of the SolarWinds Orion platform software released between March and June 2020 are affected by the supply chain attack: the installation packages for these versions contain a malicious backdoor.
These malicious installation packages were signed with SolarWinds’ own digital certificate and therefore passed signature verification. Once the update is installed, a SolarWinds.Orion.Core.BusinessLayer.dll file is dropped, which the Orion platform loads as an additional plug-in through SolarWinds.BusinessLayerHostx.exe.
The backdoor acts on the instructions returned by its C2 server after an initial sleep period of up to two weeks. “It retrieves and executes commands, called ‘Jobs’, that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers.”
All of the malicious program’s network communications are disguised as Orion Improvement Program (OIP) protocol traffic, and the results are stored in a legitimate plug-in configuration file, so the backdoor blends seamlessly into SolarWinds’ own activity and stays hidden.
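Because the trojanized DLL carried a valid vendor signature, signature checks alone do not catch it; the practical detection hooks are the plug-in's file hash and the host process's network behaviour. The following is an added example (not SolarWinds' or any vendor's code) that applies those two checks to constructed, simplified telemetry lines; the known-good hash, the expected OIP endpoint, and the 32-/64-bit host executable names are assumptions for illustration.

```python
import json

# Orion host executables that load the plug-in DLL (assumed names for this example).
HOST_PROCESSES = {"SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe"}
PLUGIN_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"
# Hashes of vendor-clean builds would go here; a placeholder, since this example
# invents no real hash value.
KNOWN_GOOD_DLL_HASHES = {"SHA256-PLACEHOLDER-CLEAN-BUILD"}
# Endpoint the Orion Improvement Program legitimately reports to (placeholder).
EXPECTED_OIP_HOSTS = {"oip.example-solarwinds.invalid"}


def check_event(ev):
    """Return an alert string for one telemetry event, or None if it looks normal."""
    if ev.get("process") not in HOST_PROCESSES:
        return None
    if ev.get("type") == "image_load" and ev.get("image") == PLUGIN_DLL:
        # Rule 1: the plug-in DLL must match a known-good build, signed or not.
        if ev.get("sha256") not in KNOWN_GOOD_DLL_HASHES:
            return f"unknown build of {PLUGIN_DLL} loaded by {ev['process']}: {ev.get('sha256')}"
    if ev.get("type") == "network_connect" and ev.get("dest_host") not in EXPECTED_OIP_HOSTS:
        # Rule 2: OIP-looking traffic is only legitimate toward the vendor endpoint.
        return f"{ev['process']} contacted unexpected host {ev.get('dest_host')}"
    return None


def scan(lines):
    """Run both rules over newline-delimited JSON events; return the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: one clean load, one unknown build, one expected
# OIP connection, one connection to an unexpected host, one unrelated process.
SAMPLE_EVENTS = [
    '{"type":"image_load","process":"SolarWinds.BusinessLayerHost.exe","image":"SolarWinds.Orion.Core.BusinessLayer.dll","sha256":"SHA256-PLACEHOLDER-CLEAN-BUILD"}',
    '{"type":"image_load","process":"SolarWinds.BusinessLayerHostx64.exe","image":"SolarWinds.Orion.Core.BusinessLayer.dll","sha256":"SHA256-PLACEHOLDER-UNKNOWN"}',
    '{"type":"network_connect","process":"SolarWinds.BusinessLayerHost.exe","dest_host":"oip.example-solarwinds.invalid"}',
    '{"type":"network_connect","process":"SolarWinds.BusinessLayerHost.exe","dest_host":"c2.example.invalid"}',
    '{"type":"network_connect","process":"notepad.exe","dest_host":"c2.example.invalid"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("ALERT:", a)
```

On a real host the hash allowlist comes from the vendor's published clean builds and the telemetry from an EDR or Sysmon export; the rules themselves do not change.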