Assessing Internet-wide Exposure to the SolarWinds Compromise
This blog post was last updated on:
January 26, 2021
Censys has continued to update this blog and a detailed account of updates can be found at the end of this blog post.
As of January 25, 2021, Censys observed 1,561 Orion hosts across the Internet. The top locations of these hosts are the following:
- United States – 549
- United Kingdom – 90
- China – 53
- India – 46
- Iran – 56
This new scanning data on our Universal Internet DataSet suggests an increase in the number of Internet-facing Orion hosts since the Internet-wide inventory on December 28, 2020 with things seemingly leveling out as we continue moving through January.
Overall, we saw a downtrend in public-facing Orion servers going into the holidays, with a good uptick starting in the new year. Orion hosts should not be Internet-facing, so it is concerning to see any results in our Internet-wide scanning data at all. However, given the trends we have seen since mid-December, based on our investigation we hypothesize the decrease and later uptick is due to a two part phenomena:
- Organizations tearing down SolarWinds servers and patching them, then bringing them back online, and
- Organizations misconfiguring these servers by directly exposing them to the Internet where they were once not exposed.
The second hypothesis is especially worrying, due to the fact this could potentially be creating new attack vectors by expanding their attack surface. Additionally, given Censys’ ability to conduct port-independent Internet-scanning, providing visibility of all hosts exposed to the Internet independent of ports, we also found attempts to “hide” services by putting them behind an unusual port.
Further investigation uncovered a similar trend since mid-December with regard to port diversity. At the beginning of our investigation, we saw a steady downward slope in the different ports used to host Orion servers, but then a similar steady increase beginning on December 29, 2020. This may suggest that as organizations patch and bring their SolarWinds Orion hosts back online, they are using different ports, which may not be a part of their filtering rules.
What is the issue?
Sunday night (December 13, 2020), FireEye published a detailed account of the SolarWinds compromise that impacts customers of the SolarWinds Orion product. Censys regularly conducts Internet-wide scanning to inventory exposed hosts and services. Based on this data and Internet-wide visibility, Censys can determine some sense of the impact of this compromise through public-facing Orion hosts, and relevant C2 information provided by the FireEye team.
According to SolarWinds, “SolarWinds Orion is an IT performance monitoring platform that helps businesses manage and optimize their IT infrastructure. SolarWinds provides a wide array of IT monitoring and management solutions.” The Orion platform is an on-premise product that is installed as part of an organization’s IT ecosystem.
A sophisticated attack was launched, whereby malicious code was injected into a DLL which was sent in a subsequent SolarWinds update. So far, the impact of this issue is not fully understood. However, early reporting from the Washington Post, New York Times, and Reuters indicate that the issue impacts the U.S. Treasury and Commerce Departments, as well as a number of industries such as consulting, technology, telecom, and oil and gas companies around the globe. According to the SEC filing on December 14, 2020, SolarWinds shared that potentially 18,000 of their customers have been impacted by this compromise.
CISA also issued an Emergency Directive quoting Acting Director Brandon Wales, “‘The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks … Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.’”
On December 31, 2020, SolarWinds updated their security advisory with details about SUPERNOVA, a web shell left by a second threat actor. In this case, the attack method targeted SolarWinds services directly, through a previously unknown (0day) vulnerability in the SolarWinds Orion API service. This vulnerability, CVE-2020-10148, allows unauthenticated remote file reads and command execution as a privileged user. As of December 28th, 2020, there is a publicly available exploit demonstrating the attack vector. A patch for this vulnerability was released on December 23rd, 2020. Users of SolarWinds Orion are urged to patch this issue as soon as possible. Censys has reached out to several organizations and cloud providers that have public-facing SolarWinds instances to inform them of this new threat, and the existence of SolarWinds exposed publicly, as well as steps to mitigate or remediate the issue.
Who does this impact?
As of January 25, 2021, Censys identified 1,561 Orion hosts through our Internet-wide scan. We used queries on our Universal Internet DataSet, once including new scanning data from port 17778, searching for TLS certificates and html tags associated with SolarWinds Orion.
Additional investigation showed that the majority of these hosts are located in the United States. A further breakdown can be found below, highlighting the top 5 countries with the greatest number of hosts and percentage of total hosts.
|Country||# of Hosts||Percentage of Total|
We took a sampling of these host IP addresses and identified the following industries potentially impacted:
- Government Organizations
- Industrial Goods and Services
- Consumer Services
- Real Estate
What to do about it?
The US Cybersecurity and Infrastructure Security Agency issued an initial Emergency Directive late on Sunday, December 13, 2020 and then an updated Supplemental Advisory on December 30, 2020. The December 30th directive advised “all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” (below) are required to use at least SolarWinds Orion Platform version 2020.2.1HF2”. Please see the supplemental directive for details on which versions are “affected”.
Practitioners should also check for compromise by looking at logs for DNS resolutions to the DGA C2 domain, avsvmcloud[.]com. Samples of resolved names have already been uploaded to pastebin: https://pastebin.com/T0SRGkWq. FireEye released additional indicators (Yara, Snort, ClamAV, IOC) on their GitHub for the SUNBURST malware.
For more information about the compromise of SolarWinds, please find resources below. For all press inquiries, please contact [email protected]
- FireEye SolarWinds Analysis: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- FireEye’s Additional Threat Hunting Rules: https://github.com/fireeye/sunburst_countermeasures
- Supplemental DHS Emergency Directive updated January 6, 2021: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3
- Microsoft’s DLL Analysis: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
- Using Censys Search Free / Pro for Remediation: http://censys.io/solarwinds-tracking-using-censys-search
January 19, 2021: Updated blog post by re-running a query on our Universal Internet DataSet to identify Internet-facing Orion hosts.
January 12, 2021: Updated blog post by re-running a query on our Universal Internet DataSet to identify Internet-facing Orion hosts.
January 4, 2021: Updated blog post by re-running a query on our Universal Internet DataSet to identify an uptick in visible, Internet-facing Orion hosts coming online in the new year.
December 30, 2020: Added context and resources related to the Supplemental Emergency Directive by DHS stating, “given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.”
December 29, 2020: Censys performed an additional inventory of Internet-facing Orion hosts and added context around the recent SUPERNOVA malware.
December 21, 2020: Censys performed an additional inventory of Internet-facing Orion hosts.
December 16, 2020: Censys added port 17778 to the scans of our Universal Internet DataSet used by SolarWinds to inventory a significant number of Internet-facing hosts associated with SolarWinds Orion.
December 15, 2020: Initial publication of our blog without port scanning data from 17778.