SolarWinds Backdoor "Sunburst"

SolarWinds Backdoor "Sunburst"

SolarWinds backdoor "Sunburst"

It's on everyone's lips: the Sunburst hack. In a supply chain attack via updates to the software  "Orion" from SolarWinds attackers infiltrate a Trojan and thereby gain access to the networks of various public institutions, US authorities and companies worldwide. The impact of this attack is enormous. At this point, we want to look at both the technical and the social side.

What is Sunburst?

A program library (DLL) of the SolarWinds software Orion contains a backdoor known as Sunburst. Orion is a highly customisable software for managing and monitoring IT systems that is used in data centres, among other places. The compromised versions of Orion are 2019.4 HF5 to 2020.2.19.0. The malware is distributed via automatic updates. After a short wait, the malicious DLL SolarWinds.Orion.Core.BusinessLayer.dll, connects to the domain avsvmcloud[.]com and subdomains with the following strings:

  • eu-west-1

  • eu-west-2

  • us-east-1

  • us-east-2

Once the Trojan is in a system, it can penetrate further into the network via "lateral movement" and compromise or exfiltrate data. The DNS and http requests to the malicious domains are designed to mimic regular SolarWinds API communication. Depending on the user used, the Sunburst hackers are able to execute various commands . These include:

  • Registry operations (read, write and delete registry keys/entries)

  • File operations (read, write and delete files)

  • Run/stop processes

  • Reboot the system

But not only that, the malware also uses other methods to disguise itself: it can camouflage DNS queries using a domain name generation algorithm or hide code using fake variable names.

The Sunburst malware was discovered by the IT security company FireEye, which was itself compromised by it. The attack has been going on for months, possibly since spring 2020.

How did the hack succeed?

The success of the attack can be traced back to an inadequate password policy on the part of SolarWinds, to put it mildly  . The password for taking over the manipulated update server was solarwinds123. Unfortunately, this inadequate password also appeared in publicly accessible documentation. This made it easy for the hackers to take over the server and distribute malware. However, the complexity of the malware and the effectiveness of the Trojan's camouflage suggest that professional hackers are behind it. It is currently still suspected that the group APT29 or also Cozy Bear is involved.

The extent is still uncertain

One thing is certain: the extent is already enormous. But the extent of the full damage is still completely unclear. Experts estimate months, if not years, until all systems have been cleaned up and secured. It is therefore not yet possible to predict what technical and security policy consequences the incident will have. It is not yet clear why the investment firms Silver Lake and Thoma Bravo, both majority owners of SolarWinds, sold shares worth 286 million dollars six days before the hack became known.

Image

The Sunburst hack is a Glober cyberattack

What makes SolarWinds so interesting for hackers?

SolarWinds is highly interesting for spies, such as criminal hackers, because the Texan company is a managed service provider . In other words, it is part of an IT supply chain on which large organisations and companies depend. These include, to name just a few, the US Department of the Treasury, Department of Commerce, Department of Homeland Security, Department of State and parts of the Pentagon. But also large corporations such as Cisco and Microsoft. A total of 33,000 companies use the Orion platform from SolarWinds. So far, 18,000 companies are known to be affected.

Meanwhile, the BSI is investigating the situation in Germany. According to their own statement, they are "aware that companies in Germany are using SolarWinds software. The number of people affected is low according to current knowledge.

Max Mustermann

Microsoft, itself affected by the hack, has taken over the largest domain used by the attackers to control their malware. They are also blocking the compromised version of the software to bring the attack to a halt.

Is there any protection?

The best measure is to install the secured version 2020.2.1 HF 2 of Orion provided by SolarWinds.

However, it is advisable to consider further measures:

  • Run a virus scanner to detect compromised SolarWinds libraries.

  • Isolate SolarWinds servers.

  • Block all Internet outlets from SolarWinds servers.

  • Make sure that no malware is present before restoring the systems. Search the relevant logs for specified IOCs. 

  • Change passwords for accounts that have access to SolarWinds servers or infrastructures.

  • Create a backup that is stored offline. This will allow you to restore all files in the event of a compromise.

As with all forms of attack, we also recommend using a second authentication factor. This prevents access data from being reused if it has been compromised.

Sources:

https://www.solarwinds.com/securityadvisory

https://securityaffairs.co/wordpress/112376/apt/solarwinds-backdoor-kill-switch.html?utm_source=feedly&utm_medium=rss&utm_campaign=solarwinds-backdoor-kill-switch

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-solarwinds-orion-could-allow-for-arbitrary-code-execution_2020-166/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks#preventmalwaredelivery

https://github.com/fireeye/sunburst_countermeasures

https://www.spiegel.de/netzwelt/netzpolitik/solarwinds-hack-der-spionagefall-des-jahres-a-0b728cc4-d375-4cb9-9450-3635ca8172a0

Screen Shot 2025-05-14 at 18-b16a.png

Ellen Leipelt

Marketing Specialist

Published on 14.05.2025