Illusive Networks Advisory – SolarWinds Supply Chain Attack

Since last week and continuing into this week, details of the attack first perpetrated on FireEye and subsequently on the US Government Departments of Treasury and Commerce continue to evolve. We now know that the attack’s origin was the SolarWinds Orion IT management software versions 2019.4 HF 5 and 2020.2 HF 1, containing a backdoor (Sunburst). According to the FireEye analysis, this campaign may have started as early as spring 2020. We recommend you follow the remediation guidelines from SolarWinds, and any other organizations directly involved in the attack.

It’s still early, and industry knowledge about the attack remains incomplete, nevertheless we have learned enough to start developing plans to assess and reduce risk for organizations running the affected versions of SolarWinds Orion software. In this attack, as with most other advanced attacks like APTs and the new forms of targeted (human-operated) ransomware, attackers establish an initial beachhead, surveil their surroundings and move laterally to harvest privileged credentials that give them access to valuable information – “crown jewels”.
Read More