SolarWinds says it has purged the malware responsible for recent attacks on US government departments.

The attack, which is believed to be the work of Russian hackers, is known to have hit the US State Department, the Department of Homeland Security and parts of the Pentagon – although any organisation that downloaded the affected software between March and June 2020 could have been exposed.

The company estimates that around 16 000 users may have downloaded the compromised update.

The attack was made possible by the Sunburst vulnerability in SolarWinds’ Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.

The company explains that a supply chain attack like this disrupts a standard process – here, the software build – so that its output is compromised, with the goal of attacking the subsequent users of that software.

“In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention,” SolarWinds states. “We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.

“We want to assure you we’ve removed the software builds known to be affected by the Sunburst vulnerability from our download sites,” it adds.

“Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this Sunburst vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by the Sunburst vulnerability.”

There have also been reports about a different piece of malware, Supernova, which SolarWinds has been investigating.

It has concluded that Supernova is not malicious code embedded within the Orion Platform builds as part of the supply chain attack, but malware that is placed separately on a server, which requires unauthorised access to a customer’s network, and which is designed to appear to be part of a SolarWinds product.

The Supernova malware consists of two components, the company adds. The first is a malicious, unsigned webshell .dll, “app_web_logoimagehandler.ashx.b6031896.dll”, written specifically to be used on the SolarWinds Orion Platform. The second is the use of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.
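As an added example, not code from the article or from SolarWinds, the following PowerShell inventories the DLLs under an Orion web directory, reports those that do not carry a valid Authenticode signature, and flags the Supernova file name quoted above. The directory path is a placeholder the operator must set; only the file name comes from the company’s statement.

```powershell
# Added defender-side check (not SolarWinds' code): list DLLs under an Orion web
# directory that lack a valid Authenticode signature, and flag the Supernova
# webshell file name named in SolarWinds' statement.
param(
    # Assumption: replace with the real Orion web root on the server being reviewed.
    [string]$OrionWebRoot = 'C:\PLACEHOLDER\Orion\WebRoot'
)

# File name taken from SolarWinds' description of Supernova.
$supernovaName = 'app_web_logoimagehandler.ashx.b6031896.dll'

function Get-UnsignedOrionDlls {
    param([string]$Root, [string]$KnownName)

    Get-ChildItem -Path $Root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SigStatus = $sig.Status            # 'Valid' for a properly signed binary
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                Modified  = $_.LastWriteTimeUtc    # useful when comparing against the update timeline
                KnownIoC  = ($_.Name -ieq $KnownName)
            }
        } |
        # Keep anything unsigned/invalid, plus an exact name match even if it were signed.
        Where-Object { $_.SigStatus -ne 'Valid' -or $_.KnownIoC } |
        Sort-Object KnownIoC, Modified -Descending
}

# Note: ASP.NET dynamically compiled app_web_*.dll assemblies are normally unsigned,
# so an unsigned result is a lead to review, not proof of compromise on its own.
Get-UnsignedOrionDlls -Root $OrionWebRoot -KnownName $supernovaName | Format-Table -AutoSize
```

Run it on the server with an account that can read the web root; review any hit against the vendor’s guidance rather than acting on the signature status alone.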