SolarWinds Orion Incident

Updated: Dec 19, 2020


We have brought many of the CDN hacks to your attention before but the latest detection shows that Solar Winds and many other security tools are being hacked by CDN's and or DNS manipulation. We don't know for sure if this played a role in what has occurred but it makes us wonder since we have seen this with other legitimate software and applications.


The same methods we use to protect networks is being used by adversaries to plant backdoors in legitimate software. We previously reported on other applications having issues in other blog post. See the list of warnings below. Until companies stop allowing this traffic, it's an open door that can't easily be blocked with traditional security solutions.


This is not the last time we will call out CDN downloads or the fact that they have been leveraged for years to infect tools that can do great harm to your organization.


Previous Warnings and Post (Related Content):

JS-006-17 - Trojaned CDN Bulletin

Follow Up Alert

Saudi Arabia Targeted

Verizon Media CDN Backdoors

Internet Explorer Backdoors


We noted many legitimate software applications being targeted and distributed through CDN's when users requested the download. It may in fact be the case that these backdoored applications were caused by access to GitHub repositories.


We will have more information on this soon but you should be looking at where your security tools are being downloaded to ensure that the hashes match the source files being downloaded.


Additional Reading: Related from The Guardian


IOCS

d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

1b476f58ca366b54f34d714ffce3fd73cc30db1a

02af7cec58b9a5da1c542b5a32151ba1

53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7

47d92d49e6f7f296260da1af355f941eb25360c4

08e35543d6110ed11fdf558bb093d401

019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

2f1a5a7411d015d01aaee4535835400191645023

2c4a910a1299cdae2a4e55988a2f102e

SolarWinds.Orion.Core.BusinessLayer.dll

ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

d130bd75645c2433f88ac03e73395fba172ef676

846e27a652a5e1bfbd0ddd38a16dc865

32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

76640508b1e7759e548771a5359eaed353bf1eec

b91ce2fa41029f6955bff20079468448

292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712

c2c30b3a287d82f88753c85cfb11ec9eb1466bad

4f2eb62fa529c0283b28d05ddd311fae

OrionImprovementBusinessLayer.2.cs

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

75af292f34789a1c782ea36c7127bf6106f595e8

56ceb6d0011d87b6e4d7023d7ef85676

app_web_logoimagehandler.ashx.b6031896.dll


Customers can check for connections to avsvmcloud[.]com and request the other associated domains. This post will be updated at 12PM EST on Monday with additional domains of interest.


Update 12:55PM EST: Independent news organization are reporting that approximately 18,000 customers of Solar Winds have possibly been impacted. If this is confirmed, this is one of the largest single attacks in history.

Updated 15 Dec 2020 1:20AM EST: News and media organizations are reporting up to 33,000 customers may have been affected. We will continue monitoring these reports.


Updated 15 Dec 2020 4:00PM EST: Additional indicators added (see below).

deftsecurity[.]com

thedoccloud[.]com

freescanonline[.]com

avsvmcloud[.]com

mhdosoksaccf9sni9icp[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com

k5kcubuassl3alrf7gm3[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com

ihvpgv9psvq02ffo77et[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com

gq1h856599gqh538acqn[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com

7sbvaemscs0mc925tb99[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com

6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com

zupertech[.]com

websitetheme[.]com

panhardware[.]com

incomeupdate[.]com

highdatabase[.]com

databasegalore[.]com

51[.]89[.]125[.]18

5[.]252[.]177[.]25

5[.]252[.]177[.]21

204[.]188[.]205[.]176

139[.]99[.]115[.]204

appsync-api[.]us-west-2[.]avsvmcloud[.]com

appsync-api[.]us-east-2[.]avsvmcloud[.]com

appsync-api[.]us-east-1[.]avsvmcloud[.]com

appsync-api[.]eu-west-1[.]avsvmcloud[.]com

highdatebase[.]com

databasegalaore[.]com

13[.]59[.]205[.]66

54[.]193[.]127[.]66

54[.]215[.]192[.]52

34[.]203[.]203[.]23

204[.]188[.]125[.]18

167[.]114[.]213[.]199

virtualdataserver[.]com

webcodez[.]com

virtualwebdata[.]com

solartrackingsystem[.]net

seobundlekit[.]com

lcomputers[.]com

kubecloud[.]com

globalnetworkissues[.]com

digitalcollege[.]org

20[.]141[.]48[.]154

196[.]203[.]11[.]89

8[.]18[.]145[.]131

8[.]18[.]145[.]21

8[.]18[.]145[.]3

8[.]18[.]145[.]33

13[.]57[.]184[.]217

18[.]217[.]225[.]111

184[.]72[.]145[.]34

184[.]72[.]209[.]33

184[.]72[.]21[.]54

8[.]18[.]145[.]181

18[.]220[.]219[.]143

184[.]72[.]1[.]3

184[.]72[.]101[.]22

184[.]72[.]113[.]55

184[.]72[.]212[.]52

184[.]72[.]224[.]3

184[.]72[.]240[.]3

184[.]72[.]229[.]1

184[.]72[.]245[.]1

184[.]72[.]48[.]22

3[.]16[.]81[.]254

3[.]87[.]182[.]149

34[.]219[.]234[.]134

8[.]18[.]144[.]11

8[.]18[.]144[.]12

8[.]18[.]144[.]130

8[.]18[.]144[.]135

8[.]18[.]144[.]136

8[.]18[.]144[.]149

8[.]18[.]144[.]156

8[.]18[.]144[.]158

8[.]18[.]144[.]165

8[.]18[.]144[.]170

8[.]18[.]144[.]180

8[.]18[.]144[.]188

8[.]18[.]144[.]20

8[.]18[.]144[.]40

8[.]18[.]144[.]44

8[.]18[.]144[.]62

8[.]18[.]144[.]9

8[.]18[.]145[.]134

8[.]18[.]145[.]136

8[.]18[.]145[.]139

8[.]18[.]145[.]150

8[.]18[.]145[.]157

8[.]18[.]145[.]36


Additional Information and Reading:

SolarWinds Bulletin

Fireeye Blog Post

CISA Directive


Updated 17 December 2020

We told you that we started seeing these attacks in 2017. As it turns out, this was also observed from others in the community and it seems that it fell on deaf ears. We previously reported this type of activity to partners so they could research it. Unfortunately it's still ongoing today.


Additional Information and Reading:

Solarwinds Default Password - Threatpost Commentary


Customers can request the additional domains and information on this event.

Please note that no additional updates will be made to this post. All information concerning this event will be added to our Threat Intelligence platform.

112 views0 comments

Contact: (800)447-2150 Ext. 1        To contact Jigsaw simply send a message in our chat window!

  • Facebook - Black Circle
  • Twitter - Black Circle

© 2017-2020 Jigsaw Security Enterprise Inc.

Jigsaw Security Enterprise Inc is a SDVOSB - Service Connected Disabled Veteran Owned Small Business