
OCR Warns of Global Supply-Chain Cyberattacks Via SolarWinds Orion

Nation-state hackers already claimed successful cyberattacks on several US government agencies and security firm FireEye, after corrupting a SolarWinds Orion update with malware.

The Office for Civil Rights urges all healthcare organizations to review a Department of Homeland Security alert, warning of ongoing global supply-chain cyberattacks. Nation-state actors trojanized previous updates to the SolarWinds Orion Platform software with malware, allowing for further exploits and espionage.

The hackers behind these attacks have already compromised the networks of the Department of the Treasury and the Commerce Department's National Telecommunications and Information Administration (NTIA).

“We have been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker,” SolarWinds officials said in a statement.

Those attackers also previously exploited the flaw during the hack on security firm FireEye.

The vulnerability is found in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which DHS officials said was released between March 2020 and June 2020.

Threat actors gained access to multiple public and private organizations across the globe by trojanizing updates to the IT monitoring and management software. According to FireEye, the global intrusion campaign is actively attacking the supply chain by trojanizing SolarWinds’ business software updates to distribute SUNBURST malware.

“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers,” researchers explained.

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs’, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” they added.

Once the hacking group gains initial access, they use a range of techniques to hide their operations while moving laterally across the victim’s network. Researchers noted the attacker appears to prefer a “light malware footprint,” leveraging legitimate credentials and remote access for its nefarious activities within the victim’s environment.

In one method, the malware hides within network traffic by masquerading as the Orion Improvement Program (OIP) protocol, and stealthily performing reconnaissance on the victim’s network. Reconnaissance results are stored within the legitimate plugin configuration files that allow it to hide within legitimate SolarWinds activity.
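Because the reconnaissance output described above is written into plugin configuration files that are supposed to change rarely, the check a defender wants is an integrity baseline of that directory and a diff that surfaces files which changed or grew. The following is an added example, not FireEye's or SolarWinds' code; the file names, contents and the appended blob are constructed sample data, and the directory layout is an assumption.

```python
from __future__ import annotations

import hashlib


def fingerprint(files: dict[str, bytes]) -> dict[str, tuple[str, int]]:
    """Map each path to (SHA-256 hex digest, size in bytes). This is the baseline record
    that would be taken at install time and stored away from the monitored host."""
    return {path: (hashlib.sha256(data).hexdigest(), len(data)) for path, data in files.items()}


def compare_baseline(
    baseline: dict[str, tuple[str, int]], current: dict[str, tuple[str, int]]
) -> dict[str, list]:
    """Diff two fingerprint maps. Modified entries carry the size delta, so a
    configuration file that quietly grew (data appended to it) stands out."""
    report: dict[str, list] = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for path in sorted(set(baseline) & set(current)):
        old_hash, old_size = baseline[path]
        new_hash, new_size = current[path]
        if old_hash != new_hash:
            report["modified"].append((path, new_size - old_size))
    return report


# Constructed snapshot of a plugin configuration directory at install time (sample data).
BASELINE_FILES = {
    "plugins/PluginA.config": b"<configuration><setting name='interval'>300</setting></configuration>",
    "plugins/PluginB.config": b"<configuration><setting name='enabled'>true</setting></configuration>",
}

# Constructed opaque blob standing in for appended data; 127 bytes long.
APPENDED_BLOB = b"<!--" + b"A" * 120 + b"-->"

# Constructed later snapshot: one file grew, one file appeared.
LATER_FILES = dict(BASELINE_FILES)
LATER_FILES["plugins/PluginB.config"] += APPENDED_BLOB
LATER_FILES["plugins/PluginC.config"] = b"<configuration/>"


def run_check() -> dict[str, list]:
    """Compare the two constructed snapshots and return the diff report."""
    return compare_baseline(fingerprint(BASELINE_FILES), fingerprint(LATER_FILES))


if __name__ == "__main__":
    for kind, entries in run_check().items():
        print(kind, entries)
```

In practice the baseline is taken from a known-good install and the comparison runs on a schedule; any modification that does not line up with a change record is an investigation lead, and a growing file is the strongest one.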

Further, the backdoor uses a range of obfuscated blocklists to identify forensic and antivirus tools running on the network.

Two SUNBURST malware samples were recovered by FireEye, both delivering different payloads.

“In at least one instance the attackers deployed a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON,” researchers explained. “TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file ‘gracious_truth.jpg’, which likely has a fake JPG header.”

“Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format,” they added. “TEARDROP doesn’t have code overlap with any previously seen malware.”
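The "fake JPG header" detail above is a detection opportunity: a file carrying an image name whose bytes stop looking like a JPEG after the first few marker bytes is worth a second look. The following added example (not FireEye's code) walks the JPEG marker segments defined in ITU-T T.81 from SOI up to SOS and checks that the file ends with EOI, rather than only comparing magic bytes; the file paths and all byte contents are constructed samples, and the location of the dropper's file is an assumption.

```python
from __future__ import annotations

import re

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
# Every marker code defined by T.81 Table B.1 (0xFF is a fill byte, 0x00 a stuffed byte).
KNOWN = STANDALONE | set(range(0xC0, 0xD0)) | set(range(0xDA, 0xFF))


def check_jpeg_structure(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") for a structurally sound JPEG, or (False, reason) naming the
    first point at which the bytes stop following the JPEG segment grammar."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":
        return False, "missing SOI marker"
    pos = 2
    while True:
        if pos >= len(data) or data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            return False, "truncated marker"
        marker = data[pos]
        pos += 1
        if marker not in KNOWN:
            return False, f"unknown marker 0x{marker:02x} at offset {pos - 1}"
        if marker == 0xDA:  # SOS: entropy-coded data follows, so only EOI is checked after it
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, "truncated segment length"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # length includes its own 2 bytes
        if seg_len < 2 or pos + seg_len > len(data):
            return False, f"bad segment length {seg_len} for marker 0x{marker:02x}"
        pos += seg_len
    if data[-2:] != b"\xff\xd9":
        return False, "missing EOI marker"
    return True, "ok"


IMAGE_EXT = re.compile(r"\.jpe?g$", re.IGNORECASE)


def find_fake_images(files: dict[str, bytes]) -> dict[str, str]:
    """Return {path: reason} for every .jpg/.jpeg whose bytes fail the structural check."""
    suspicious = {}
    for name, content in files.items():
        if not IMAGE_EXT.search(name):
            continue
        ok, reason = check_jpeg_structure(content)
        if not ok:
            suspicious[name] = reason
    return suspicious


# Constructed sample: a minimal but structurally valid JPEG (SOI, APP0/JFIF, SOS, data, EOI).
GENUINE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)
# Constructed sample: SOI plus an APP0 marker glued onto an arbitrary encoded blob.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes(range(0x4D, 0x7D))

# Constructed file set; the path for the dropper's file is an assumption, the name comes from FireEye's description.
SAMPLE_FILES = {
    "C:\\Temp\\holiday.jpg": GENUINE_JPEG,
    "C:\\ProgramData\\gracious_truth.jpg": FAKE_JPEG,
    "C:\\Temp\\notes.txt": b"plain text, not an image, not checked",
}

if __name__ == "__main__":
    for path, reason in find_fake_images(SAMPLE_FILES).items():
        print(f"{path}: {reason}")
```

Run over a directory listing, the same function can be fed `Path.read_bytes()` output; it is cheap enough to apply to every image-named file on a host during triage, and the returned reason tells the analyst where the bytes diverged.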

Filings with the Securities and Exchange Commission revealed that of SolarWinds’ 300,000 clients, 18,000 were impacted during these attacks. The campaign is believed to have started as early as Spring 2020, and FireEye stressed that the campaign is ongoing.

FireEye is continuing to track the supply-chain compromise and intrusion activity in what they’re calling UNC2452.

“Post compromise activity following this supply chain compromise has included lateral movement and data theft,” researchers explained. “The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.”

“The actor sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment. This allows the adversary to blend into the environment, avoid suspicion, and evade detection,” they continued.
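The hostname-matching trick just described can be turned into a detection: when an external address presents a name (in its certificate or reverse DNS) that belongs to the organisation's own inventory or DNS suffix, that is the mismatch to alert on. The following is an added example, not FireEye's or SolarWinds' detection logic; the internal address ranges, the hostname inventory, the DNS suffix and the connection-log lines are all constructed sample data, and the log format is an assumption.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed: address ranges the organisation treats as internal.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: hostname inventory exported from the directory/CMDB, and the internal DNS suffix.
INTERNAL_HOSTS = {"orion-poller01.corp.example", "orion-db01.corp.example", "dc01.corp.example"}
INTERNAL_SUFFIX = ".corp.example"

# Constructed connection-log lines: timestamp, source, destination IP, and the name the
# destination presented (TLS certificate CN or reverse DNS), one record per line.
SAMPLE_LOG = """\
2020-12-14T10:02:11Z src=10.1.5.20 dst=10.1.5.21 dst_host=orion-db01.corp.example
2020-12-14T10:03:40Z src=10.1.5.20 dst=203.0.113.45 dst_host=orion-poller01.corp.example.
2020-12-14T10:04:02Z src=10.1.5.20 dst=198.51.100.7 dst_host=updates.vendor.example
2020-12-14T10:05:19Z src=10.1.7.9 dst=192.168.40.3 dst_host=DC01.corp.example
2020-12-14T10:06:00Z src=10.1.5.20 dst=198.51.100.9 dst_host=backup02.corp.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dst_host=(?P<host>\S+)$")


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def normalise(host: str) -> str:
    """Hostnames compare case-insensitively and without a trailing root dot."""
    return host.rstrip(".").lower()


def find_hostname_mimicry(log_text: str, inventory: set[str] = INTERNAL_HOSTS) -> list[dict]:
    """Return records where an external destination presented an internal-looking name.
    Reason "inventory-match": the name is a known internal host.
    Reason "internal-suffix": the name carries the internal DNS suffix but is not inventoried."""
    known = {normalise(h) for h in inventory}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        if is_internal(m["dst"]):
            continue  # internal destinations are expected to carry internal names
        host = normalise(m["host"])
        if host in known:
            reason = "inventory-match"
        elif host.endswith(INTERNAL_SUFFIX):
            reason = "internal-suffix"
        else:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_hostname_mimicry(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} presented {hit['host']} ({hit['reason']})")
```

The suffix rule is the generalisation of the inventory rule: it catches names the actor chose to look internal that happen not to be in the export. Both rules depend on the log actually recording the presented name, so the source is a TLS-inspecting proxy, certificate log or reverse-DNS enrichment step, not plain NetFlow.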

Immediate Mitigation Measures

FireEye’s research contains a host of detection opportunities to help organizations determine whether they’ve been impacted, and entities have been urged to immediately apply the recommended mitigation measures to avoid falling victim.

SolarWinds urged all clients running the affected Orion Platform v2020.2 with no hotfix, or 2020.2 HF 1, to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to ensure the network is secured.

If an update cannot be immediately applied, organizations should ensure they’ve at least implemented the latest version of the host operating system, application, and network security updates, while ensuring the Orion Platform is not exposed to the internet.

All unnecessary ports, protocols, and services across the network and on applications should be disabled, and administrators must apply appropriate segmentation on network controls where the SolarWinds Orion Platform is deployed.

Entities should implement strict access controls and auditing within the infrastructure and network layers, including limiting access to Orion servers to only authorized individuals who require access for work-related duties.

Network security controls must be layered, including leveraging application load balancers and setting appropriate firewall rules to limit network traffic.

“Do not create local Orion-based accounts,” SolarWinds officials added. “We recommend at minimum utilizing Windows Authentication, or implementing a SAML v2 based solution, if you cannot integrate Windows or SAML-based authentication.”

“Ensure you configure account settings and leverage both account and view limitations, along with module-specific roles only for the tasks they require in their role,” they concluded.

Nation-state actors have been actively targeting the healthcare sector, with the activity ramping up with the release of vaccines around the world. Earlier this month, North Korean hackers targeted AstraZeneca with a mass phishing campaign, while nation-state actors gained access to data on the first authorized COVID-19 vaccine from Pfizer and BioNTech after hacking the European Medicines Agency.

Healthcare delivery organizations should review guidance from the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing tactical crisis response during an emergency like the COVID-19 crisis.
