This is an unprecedented attack.
I can only imagine CTOs, CIOs and CEOs all over the world asking:
- Is SolarWinds running on any of our servers?
- How did they compromise the update, and could our updates be compromised in a similar fashion?
Imagine you are Intel, Microsoft, or Google, whose software is routinely pushed as updates to nearly everyone's PCs.
Reading through a few resources (the FireEye one is far, far better):
So, according to FireEye:
SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
This means that all companies that downloaded the update since then are at risk. My take is that while this likely compromised tens of thousands of companies (at a minimum), the hackers likely just set up an admin account for later activity if and when they want to do something nefarious.
However, for the targets they were actually looking for and did compromise, I'm guessing that they are so thoroughly compromised that their entire infrastructure will need to be rebuilt from scratch. Having admin access for months would allow so many backdoors and backup backdoors to be created that there is no way of cleansing a system short of rebuilding it completely.
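The first question above ("is it running on any of our servers, and is it the signed build FireEye describes?") can be answered with a quick triage sweep. The script below is an added example, not code from the original post or from SolarWinds or FireEye: it locates copies of SolarWinds.Orion.Core.BusinessLayer.dll, reads the Authenticode signer, and flags files whose signing certificate carries the serial number quoted above. The search roots and the output layout are assumptions; only the file name and certificate serial come from the post.

```powershell
# Added example (not from the original post): triage sweep for the signed
# SolarWinds.Orion.Core.BusinessLayer.dll discussed in the FireEye write-up.
# Assumptions: search roots and report format are mine; the DLL name and the
# certificate serial number are taken from the post. Run in PowerShell 5.1+
# as an account that can read the Orion install directories.

# Serial number exactly as quoted in the post (colon-separated).
$ReportedSerial = '0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed'
# .NET exposes X509Certificate2.SerialNumber as uppercase hex without separators,
# so normalize before comparing.
$NormalizedSerial = ($ReportedSerial -replace ':', '').ToUpperInvariant()

# Directories to search (assumed defaults; adjust for your install).
$SearchRoots = @(
    "$env:ProgramFiles\SolarWinds",
    "${env:ProgramFiles(x86)}\SolarWinds",
    "$env:SystemDrive\inetpub\SolarWinds"
)

$Findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File `
        -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path            = $_.FullName
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SignatureStatus = $sig.Status
                SignerSubject   = if ($cert) { $cert.Subject } else { $null }
                SerialNumber    = if ($cert) { $cert.SerialNumber } else { $null }
                SerialMatches   = [bool]($cert -and ($cert.SerialNumber -eq $NormalizedSerial))
                LastWriteUtc    = $_.LastWriteTimeUtc
            }
        }
}

if (-not $Findings) {
    Write-Output 'No SolarWinds.Orion.Core.BusinessLayer.dll found under the searched roots.'
} else {
    $Findings | Format-List
    # A serial match on a file written on or after the signing date quoted in the
    # post (2020-03-24) is the set to compare against published hashes of the
    # affected builds; it is a triage filter, not a verdict.
    $Findings |
        Where-Object { $_.SerialMatches -and $_.LastWriteUtc -ge [datetime]'2020-03-24' } |
        ForEach-Object {
            Write-Warning "Review: $($_.Path) is signed with the reported certificate (SHA256 $($_.SHA256)); compare against vendor/FireEye indicators."
        }
}
```

Two caveats when reading the output. The certificate with that serial is the signer of the post's DLL, so a serial match only tells you the file was signed with that certificate, and the SHA256 is what you compare against the published indicators of the affected builds. LastWriteTime is trivially changed by an attacker, so the date filter narrows the review list rather than clearing anything; a file that fails the filter still gets its hash checked if the host is in scope.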
Looking at SolarWinds and the update that was compromised, I'm having a hard time coming up with a scenario that doesn't include an internal person putting this in place; I try in the next paragraph to outline how that might have worked. This is because software updates are notoriously idiosyncratic processes. It's a build process: you check out code, do the build, and then it's signed, but I've never seen two groups, let alone two companies, ever use the same process. Saying that SolarWinds' update was compromised means that someone likely slipped code into their build.
Reaching really far to figure out how this could have been done without an internal person: someone internal decided to use a third-party DLL as part of their build, and that third-party DLL was the infected portion. This happens all the time because people want to save time, and finding a tool that helps you is enough incentive to use these third-party DLLs.
It will be interesting in the coming weeks to see all the companies that are compromised. We will likely only see a fraction of those, because admitting you were a target is a problem unto itself.
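The "third-party DLL slipped into the build" scenario has a concrete defensive counterpart: pin every external input by hash and signer, and refuse to reach the signing step if anything differs or anything unexpected appears in the output. The script below is an added example, not code from the original post or from SolarWinds' build system. The manifest format, the paths, the `OurProduct.*` name prefix and the hash values are all assumptions; the hashes in the sample manifest are constructed placeholders that must be replaced with values taken from a reviewed copy of each dependency.

```powershell
# Added example (not from the original post or from SolarWinds): a pre-signing
# gate for a Windows build. Every third-party DLL must match a pinned SHA256 and
# expected signer subject, and no unpinned DLL may be present in the output.
# Assumptions: manifest layout, paths and the 'OurProduct.*' prefix for
# first-party binaries are mine; manifest hashes are constructed placeholders.

param(
    [string]$BuildOutput  = '.\build\bin',
    [string]$ManifestPath = '.\third-party-manifest.json'
)

# Constructed sample manifest, saved as third-party-manifest.json:
# {
#   "ThirdParty.Logging.dll": {
#     "sha256":  "0000000000000000000000000000000000000000000000000000000000000000",
#     "subject": "CN=Example Vendor"
#   }
# }
$manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json

$failures = @()
foreach ($entry in $manifest.PSObject.Properties) {
    $name     = $entry.Name
    $expected = $entry.Value
    $path     = Join-Path $BuildOutput $name

    if (-not (Test-Path -LiteralPath $path)) {
        $failures += "missing pinned dependency: $name"
        continue
    }

    # Content check: the bytes must be exactly the reviewed bytes.
    $actualHash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($actualHash -ne $expected.sha256.ToUpperInvariant()) {
        $failures += "hash mismatch for ${name}: expected $($expected.sha256), got $actualHash"
    }

    # Provenance check: a valid Authenticode chain from the expected vendor.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$($expected.subject)*") {
        $failures += "signature check failed for ${name}: status=$($sig.Status) subject=$subject"
    }
}

# Anything in the output that is neither pinned nor built from this repository
# is an unexpected input and must not reach the signing step.
$known = @($manifest.PSObject.Properties.Name)
Get-ChildItem -LiteralPath $BuildOutput -File -Filter '*.dll' |
    Where-Object { ($known -notcontains $_.Name) -and ($_.Name -notlike 'OurProduct.*') } |
    ForEach-Object { $failures += "unpinned DLL in build output: $($_.Name)" }

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error $_ -ErrorAction Continue }
    Write-Output 'Refusing to sign: build inputs do not match the pinned manifest.'
    exit 1
}
Write-Output 'All third-party inputs match the manifest; proceeding to signing.'
```

The gate is deliberately two-sided: the hash pins the exact bytes that were reviewed, and the signer check catches a swap for a differently signed file of the same name before the hash is ever updated. Updating the manifest is then a reviewed change in source control, which is the point: a new or changed dependency has to pass through the same review as the product's own code rather than arriving silently at the signing step.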