Dec 18, 2020 - Newsflash
How can companies protect themselves against highly specialized attacks if even security companies or the Pentagon are victims of them?
Hacking attacks on SolarWinds customers
Kiel - SolarWinds sells network and security products to more than 300,000 customers worldwide, including the US military and the Pentagon. According to the manufacturer, software builds of the SolarWinds® Orion® platform versions 2019.4 HF 5, 2020.2 and 2020.2 HF 1 were infiltrated with a remote access Trojan called "Sunburst". The Trojan shipped inside a digitally signed component of the platform (SolarWinds.Orion.Core.BusinessLayer.dll), so a valid SolarWinds signature on an update is no proof that the update is clean. Every installation of one of these builds therefore carries a backdoor that opens the affected systems to further attack.
How should companies that have been compromised react immediately?
In most cases a forensic analysis followed by a rebuild (reinstallation) of the affected systems, including the network components reachable from them, is unavoidable; simply restarting a compromised host does not remove the Trojan. The attackers typically do not get to work immediately: Sunburst stays dormant for up to about two weeks before it first contacts its command-and-control infrastructure. After that, the attackers often use the access undetected for several weeks for lateral movement (quietly spreading to other systems in the affected company) and for attacks on those systems. Ideally an incident response team is on hand to identify the entry points and neutralise the attacker immediately. The next step should be a damage assessment by security experts.
Can companies still take preventive action in such cases?
Intrusion detection and prevention systems (IDS/IPS) can help detect and block such attacks, but only if their rules cover the indicators of the Trojan's traffic: Sunburst disguised its command-and-control communication as legitimate Orion Improvement Program (OIP) traffic, so generic signatures alone are not enough. Effective vulnerability management covers not only the software and hardware but also the people who operate them, via user behaviour analysis (UBA). Central logging in a suitable SIEM system makes the Trojan's unusual data flows visible, for example DNS queries from the Orion server for subdomains of avsvmcloud.com (the Sunburst command-and-control domain) or outbound connections from the Orion server to destinations it has no legitimate reason to contact.
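As an added example of the SIEM check described above (this is not code from Consist or SolarWinds), the following Python script runs two detection rules over a handful of constructed DNS and proxy log lines: it flags any host resolving avsvmcloud.com or a subdomain of it, the publicly documented Sunburst command-and-control domain, and it flags the Orion server contacting any external destination outside an approved egress baseline. The log line format, the host name orion-poller01, the baseline destinations and the random-looking subdomain in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Publicly documented Sunburst command-and-control domain.
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# ASSUMPTIONS for illustration: the host name of the Orion server and the
# external destinations it is allowed to contact (its egress baseline).
ORION_HOSTS = {"orion-poller01"}
ORION_EGRESS_BASELINE = {"downloads.solarwinds.com", "api.solarwinds.com"}

# Assumed line formats of a SIEM export (constructed for this example).
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) proxy client=(?P<client>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample lines: normal update traffic, one Sunburst-style lookup
# with a random subdomain (the label is made up), and unrelated workstation traffic.
SAMPLE_LOG = """\
2020-12-14T03:12:01Z dns client=orion-poller01 query=downloads.solarwinds.com
2020-12-14T03:12:05Z proxy client=orion-poller01 dst=downloads.solarwinds.com bytes_out=1843
2020-12-14T03:14:22Z dns client=orion-poller01 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com.
2020-12-14T03:14:23Z proxy client=orion-poller01 dst=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com bytes_out=512
2020-12-14T03:20:10Z dns client=ws-finance-07 query=www.example.com
2020-12-14T03:21:00Z proxy client=ws-finance-07 dst=www.example.com bytes_out=22019
"""


def is_c2_lookup(qname: str) -> bool:
    """True if qname is avsvmcloud.com or any subdomain of it.

    Normalises case and a trailing dot (DNS logs often write FQDNs with one)
    and checks for a label boundary, so 'notavsvmcloud.com' does not match.
    """
    q = qname.rstrip(".").lower()
    return q == SUNBURST_C2_DOMAIN or q.endswith("." + SUNBURST_C2_DOMAIN)


def analyse(lines):
    """Return a list of (rule, client, indicator) findings for the given log lines.

    Rule 'sunburst_c2_dns': any host resolving the Sunburst C2 domain.
    Rule 'orion_unexpected_egress': the Orion server talking to a destination
    outside its baseline. Lines in an unknown format are ignored.
    """
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if is_c2_lookup(m["qname"]):
                findings.append(("sunburst_c2_dns", m["client"], m["qname"]))
            continue
        m = PROXY_RE.match(line)
        if m and m["client"] in ORION_HOSTS and m["dst"] not in ORION_EGRESS_BASELINE:
            findings.append(("orion_unexpected_egress", m["client"], m["dst"]))
    return findings


def egress_bytes_by_destination(lines):
    """Sum bytes_out per destination for the Orion hosts, so an analyst can see
    how much data left the server towards each destination."""
    totals = defaultdict(int)
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m["client"] in ORION_HOSTS:
            totals[m["dst"]] += int(m["bytes"])
    return dict(totals)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule, client, indicator in analyse(lines):
        print(f"{rule}: {client} -> {indicator}")
    print(egress_bytes_by_destination(lines))
```

The domain rule catches the dormant-then-beaconing behaviour only once the Trojan actually resolves its command-and-control domain; the egress-baseline rule is the more general one, because it does not depend on knowing the attacker's infrastructure in advance, only on knowing what the Orion server is supposed to talk to.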
The manufacturer could have reduced the risk of the current situation with a hardened build and release chain: isolated, access-controlled build servers, reproducible builds whose output can be checked against the source it was supposedly built from, signing only of artifacts whose integrity has been verified, and strict versioning with version checks on the customer side. Unit tests and automatic code analysis help against ordinary defects, but on their own they do not catch a backdoor that is inserted into the build itself.
The security experts at Consist therefore provide support not only in an emergency, with restoring proper operations, but also in setting up an efficient and preventively effective security system.
- Consist-Security: de/it-security
- SolarWinds-Trojaner: de/news/Trojaner-in-SolarWinds-Updates-ermoeglicht-Cyberangriffe
- SolarWinds Security Advisory: solarwinds.com/securityadvisory