SolarWinds Orion - How Armis Helps Protect Your Organization

By Nadir Izrael, CTO & Cofounder

This week, SolarWinds disclosed that they had been victim of a cyber attack earlier this year. SolarWinds acknowledged that the attackers inserted malicious code within certain builds of their Orion Platform software which were subsequently distributed to many customers. This breach comes on the heels of FireEye’s announcement that it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools the company provides to clients to help secure their IT operations. It is also known that the SolarWinds vulnerability was used to breach FireEye.

Armis Can Help 

To identify presence of the malicious code, it is important to look for anomalous behavior indicative of its presence. The Armis platform has the ability to look at current and historical traffic patterns, and identify connections to command and control (C2) servers utilized as part of the malicious code execution. Armis provides continuous monitoring for and can detect Indicators of Compromise (IOC) by identifying traffic to specific IPs or domains known to be C2 servers such as:

  • avsvmcloud.com
  • freescanonline.com
  • deftsecurity.com
  • thedoccloud.com
  • websitetheme.com
  • highdatabase.com
  • incomeupdate.com
  • databasegalore.com
  • panhardware.com
  • zupertech.com
  • virtualdataserver.com
  • digitalcollege.org

For the latest updates on IOCs regarding the SUNBURST malware, please refer to the CISA advisory. SolarWinds has provided a security advisory and hot fixes, and is asking customers with any affected versions of the Orion platform to upgrade as soon as possible to ensure the security of their environment. Armis discovers and classifies every device on the network, and can detect all systems that are running SolarWinds that exist at any time on the network. Using Armis, customers can search for affected systems to identify which ones are vulnerable and need to be updated. Further, the Armis Threat engine has been updated to not only identify SolarWinds, but also the FireEye Red Tools.

The Risk

Orion is a centralized platform, targeted for assisting IT in managing various network infrastructure devices, as well as VoIP systems, and more. It had been widely reported that attackers leveraged the SUNBURST malware to carry out follow-up attacks on Active Directory, harvesting credentials, and changing configurations of organization’s authentication and authorization mechanisms. 

However, it is still unclear the full extent of the actions taken by the attackers. Given the access Orion has, and the centralized position it holds in the network, additional devices and network infrastructure devices (such as switches, routers, firewalls, etc.) might be at risk by this attack. Having the ability to preserve a presence in target networks, by installing a RAT within the infrastructure itself, can be a uniquely challenging threat to eliminate. 

This threat becomes even more tangible, given the recent history of the particular threat actor, in which IoT devices (such as VoIPs and Printers), was specifically used to preserve presence on target networks. This was shown by a blog from Microsoft, in August 2019, and later in an advisory by the NSA, both detailing the methods of this threat actor to leverage IoT devices, as a stronghold on the network.

Moving Forward

The Armis platform can help you quickly find vulnerable systems and create policies to alert you to their presence. With the Armis Standard Query tool, it is simple to find applications such as SolarWinds in your environment. We maintain a history that includes communications information which is useful for identifying and investigating if an attack has happened in the past. Armis has 100% visibility to everything here - the compromised product, the activity history of the compromised product, and the attacks themselves. 

From visibility to detection, investigation and remediation. We can identify / see Orion, we can see if it's vulnerable and we can see if there was an attack / there is an attack / any future attack.

Armis threat research teams are constantly tracking emerging attacks, and are specifically focused on monitoring threats to network infrastructure, telecommunication systems, and any other benign-looking, unmanaged device, that might be targeted by SUNBURST, or any future malware.

Have our blog posts sent to your inbox.