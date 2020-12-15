ExtraHop press statement: SUNBURST backdoor vulnerability found in SolarWinds Orion IT monitoring

December 2020 by Jesse Rothstein, CTO and co-founder, ExtraHop

Attributed to Jesse Rothstein, CTO and co-founder, ExtraHop

Nation-states have means of stealing information through traditional espionage. They could bribe or extort company employees or even place operatives within the organization. The reason we are seeing an uptick in sophisticated cyber attacks is geopolitical. That is, for better or worse, it’s accepted that nation-states can operate in the cyber theatre with relative impunity. Until this changes, companies should expect more of these operations.

The SUNBURST backdoor is a supply-chain attack involving a trojanized update to the popular SolarWinds Orion IT monitoring and management suite. The backdoor affects servers running the Orion software, which are often less defended than end-user laptops or critical applications. Given the resources and sophistication of these threat actors, including the use of supply chain attacks against infrastructure and workloads, traditional defenses are ineffective and organizations should prioritize network detection. Because the network is as close to ground truth as you can get, difficult to evade, and impossible to turn off, sophisticated analysis of network data offers the best opportunity to detect, investigate, and respond to these threats before a breach can occur.

This vulnerability has a wide potential for damage due to the large installed base of SolarWinds Orion software. The attack appears to have been underway for some time. ExtraHop analysis of DNS registration information indicates that the SUNBURST attack campaign can be traced back to February 26th, 2020. This appears to be when the Command and Control (C&C) domain name avsvmcloud[.]com was first registered, and the site went active on April 15, 2020.
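One practical use of the indicator named above is to check DNS query logs for the C&C domain. The following is an added example written for this page, not ExtraHop code and not part of the statement. It assumes a simple whitespace-separated log format (timestamp, client, query name, record type); the log lines are constructed, and matching subdomains of the apex as well as the apex itself is a design choice of this example, not something the statement specifies.

```python
"""Scan DNS query logs for the SUNBURST command-and-control domain.

Added example for this page; not ExtraHop's code. The log lines below are
constructed, and the log format (timestamp client qname qtype) is an assumption.
"""
from datetime import datetime

# Indicator taken from the statement above, written in resolvable form.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample: one benign query, one query for the apex domain, one for
# a subdomain, plus a lookalike that must NOT match (label-boundary check).
SAMPLE_DNS_LOG = """\
2020-06-01T08:00:01Z 10.1.2.3 www.example.com A
2020-06-01T08:00:05Z 10.1.2.10 avsvmcloud.com A
2020-06-01T08:00:09Z 10.1.2.10 abcdef.avsvmcloud.com A
2020-06-01T08:00:12Z 10.1.2.11 notavsvmcloud.com A
"""


def defang(name):
    """Render a domain the way the statement prints it (avsvmcloud[.]com)."""
    return name.replace(".", "[.]")


def refang(name):
    """Turn a defanged indicator back into a real domain name."""
    return name.replace("[.]", ".")


def matches_c2(qname, domain=C2_DOMAIN):
    """True if qname is the C2 apex or any subdomain of it.

    Anchored on a label boundary so 'notavsvmcloud.com' does not match.
    Matching subdomains is this example's assumption, not the statement's.
    """
    q = refang(qname).rstrip(".").lower()
    d = refang(domain).rstrip(".").lower()
    return q == d or q.endswith("." + d)


def scan_dns_log(text, domain=C2_DOMAIN):
    """Return (timestamp, client, qname) for every query touching the C2 domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        if matches_c2(qname, domain):
            hits.append((ts, client, qname))
    return hits


def first_seen(hits):
    """Earliest timestamp among the hits as a datetime, or None if there are none."""
    if not hits:
        return None
    return min(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") for ts, _, _ in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {defang(qname)}")
    print("first seen:", first_seen(found))
```

The earliest hit per client is the value worth recording: combined with the registration and go-live dates in the statement, it bounds how long a host may have been reaching the C&C infrastructure.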