In what may be known as the biggest hack of the decade, a malicious update to SolarWinds’s Orion software has opened a backdoor into potentially thousands of businesses. Orion is a software platform for IT management and monitoring. With that in mind, it’s easy to see why this software would be on so many servers as it’s designed to help IT admins manage the quickly expanding infrastructure that powers modern businesses. SolarWinds hasn’t given a ton of updates on the situation but security experts have helped fill in the gaps in the information. Here’s what we know at this time and I recommend if you’re technical to read more in the references linked below.
Updates to the Orion platform in the March 2020 to June 2020 range included malicious code. Since this malicious code was attached to an official update it was impossible for end users to know they were installing what would become a backdoor into their networks. In addition this method meant it was more difficult to detect.
How Does the SolarWinds Hack Work?
As mentioned above the malicious code was attached to standard updates to the Orion software platform. The updates in question are 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. Once these updates were installed on the customer’s servers then the malicious code will lie dormant for up to two weeks. After this dormant period it will then reach out the third party(IE Not SolarWinds) servers.
At this point the hack changes shape and becomes much more targeted. The hackers can send jobs that can both extract data and also to further infiltrate the affected networks.
How Many People Were Affected?
It’s unclear how many of the Orion users were actively hacked. What we do know is that over 30,000 businesses and government agencies use the Orion software platform. Out of those, SolarWinds has issued a statement that “only” 18,000 of those customers have installed the malicious update. The image below shows detections by Microsoft from their Windows Defender application.
What we do know is that SolarWinds did business with a lot of government agencies in both the United States and abroad as well as over 80% of the Fortune 500 companies. The question now becomes how many of those customers were actively hacked. This question is something that we can’t answer right now and it’ll be weeks, possibly months before that answer can be given.
Microsoft for instance is on this list and have issued statements that even though they were affected, they have found no evidence that the hackers further infected their systems.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
If this intro to the SolarWinds hack got you interested, here are several great sources to read/watch to learn more.