
FireEye identifies global campaign leveraging malicious updates to SolarWinds software.

Alert status
HIGH

Background

On 14 December 2020, the ACSC issued an initial alert regarding potential compromise of the SolarWinds Orion software. This alert was informed by an announcement from cyber security company FireEye, who were monitoring a global intrusion campaign linked to compromise of the SolarWinds Orion software supply chain. 

Update

As of 25 January 2021, the ACSC has received a number of reports from Australian organisations notifying that they were operating vulnerable versions of SolarWinds Orion. To date, no follow-on compromise of an Australian organisation through SolarWinds Orion has been identified.

The compromise of the supply chain meant that organisations running SolarWinds Orion may have inadvertently installed malicious additions through normal update processes. The malicious software (malware) associated with the supply chain compromise is being referred to as SUNBURST.

Following the identification of SUNBURST, additional malware associated with the SolarWinds Orion supply chain compromise has been identified. These are commonly being referred to as TEARDROP and RAINDROP and have been identified during investigations of follow-on compromises of affected organisations.

During investigations of the supply chain compromise, additional malware targeting SolarWinds Orion was identified. This second set of malicious software is being referred to as SUPERNOVA. The SUPERNOVA malware is not believed to be related to the supply chain compromise, instead targeting an unrelated vulnerability in SolarWinds Orion.

Mitigation

SolarWinds have identified the vulnerabilities exploited by the compromise and issued patches for affected SolarWinds Orion versions.

Accordingly, the ACSC's recommendation for mitigating potentially vulnerable versions of SolarWinds Orion is to apply the latest patches from SolarWinds as soon as possible. This recommendation covers both the SUNBURST and SUPERNOVA malware.

If immediate patching is not possible, the ACSC recommends vulnerable SolarWinds Orion instances be isolated from the internet and internal network connections minimised.
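As an added illustration of the interim isolation step above (example code added here, not part of the ACSC alert and not SolarWinds or CISA tooling), the following PowerShell uses the built-in Windows Defender Firewall cmdlets to restrict an Orion server's outbound traffic to an allowlist of internal ranges until the patch can be applied. The subnet values and the rule group name are constructed placeholders to be replaced with the organisation's own.

```powershell
# Added example, not from the ACSC alert. Restricts outbound traffic from a
# SolarWinds Orion host to listed internal ranges while patching is pending.
# Run in an elevated PowerShell session on the Orion server itself.

# Hypothetical internal ranges the Orion server still needs to reach
# (domain controllers / DNS, the management subnet, monitored devices).
$AllowedInternal = @('10.0.1.0/24', '10.0.10.0/24', '10.0.20.0/24')  # placeholder values
$RuleGroup       = 'Orion-Interim-Isolation'                          # placeholder group name

function Enable-OrionIsolation {
    # Explicit outbound allow for the internal ranges only.
    New-NetFirewallRule -DisplayName 'Orion isolation - allow internal' `
        -Group $RuleGroup -Direction Outbound -Action Allow `
        -RemoteAddress $AllowedInternal -Profile Any | Out-Null

    # Everything not matched by an allow rule is now dropped, which removes
    # internet egress from this host and confines it to the listed ranges.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

    # Show the resulting state so the change can be verified and recorded.
    Get-NetFirewallRule -Group $RuleGroup |
        Format-Table DisplayName, Enabled, Direction, Action -AutoSize
    Get-NetFirewallProfile | Format-Table Name, DefaultOutboundAction -AutoSize
}

function Disable-OrionIsolation {
    # Reverse the interim control once the SolarWinds patch has been applied.
    Get-NetFirewallRule -Group $RuleGroup | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
}

Enable-OrionIsolation
```

Because the profile's default outbound action becomes Block, everything the server legitimately needs (DNS, Active Directory, the devices it monitors) must fall inside the allowed ranges, so the list should be confirmed against the server's existing connections and tested on a non-production instance first. Once the SolarWinds patch has been applied and verified, Disable-OrionIsolation removes the rule group and restores the previous outbound policy.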

Additional information and supporting tools

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a number of alerts regarding detection and mitigation of potential compromises of SolarWinds Orion, including CISA and third-party tools that may aid in the detection of follow-on compromise through SolarWinds.

Additionally, the ACSC encourages all organisations to continually assess and apply the Essential Eight strategies to protect their systems.

Assistance

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.