We have brought many of the CDN hacks to your attention before but the latest detection shows that Solar Winds and many other security tools are being hacked by CDN's and or DNS manipulation. We don't know for sure if this played a role in what has occurred but it makes us wonder since we have seen this with other legitimate software and applications.
The same methods we use to protect networks is being used by adversaries to plant backdoors in legitimate software. We previously reported on other applications having issues in other blog post. See the list of warnings below. Until companies stop allowing this traffic, it's an open door that can't easily be blocked with traditional security solutions.
This is not the last time we will call out CDN downloads or the fact that they have been leveraged for years to infect tools that can do great harm to your organization.
Previous Warnings and Post (Related Content):
We noted many legitimate software applications being targeted and distributed through CDN's when users requested the download. It may in fact be the case that these backdoored applications were caused by access to GitHub repositories.
We will have more information on this soon but you should be looking at where your security tools are being downloaded to ensure that the hashes match the source files being downloaded.
Additional Reading: Related from The Guardian
IOCS
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
1b476f58ca366b54f34d714ffce3fd73cc30db1a
02af7cec58b9a5da1c542b5a32151ba1
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
47d92d49e6f7f296260da1af355f941eb25360c4
08e35543d6110ed11fdf558bb093d401
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
2f1a5a7411d015d01aaee4535835400191645023
2c4a910a1299cdae2a4e55988a2f102e
SolarWinds.Orion.Core.BusinessLayer.dll
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
d130bd75645c2433f88ac03e73395fba172ef676
846e27a652a5e1bfbd0ddd38a16dc865
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
76640508b1e7759e548771a5359eaed353bf1eec
b91ce2fa41029f6955bff20079468448
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
c2c30b3a287d82f88753c85cfb11ec9eb1466bad
4f2eb62fa529c0283b28d05ddd311fae
OrionImprovementBusinessLayer.2.cs
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
75af292f34789a1c782ea36c7127bf6106f595e8
56ceb6d0011d87b6e4d7023d7ef85676
app_web_logoimagehandler.ashx.b6031896.dll
Customers can check for connections to avsvmcloud[.]com and request the other associated domains. This post will be updated at 12PM EST on Monday with additional domains of interest.
Update 12:55PM EST: Independent news organization are reporting that approximately 18,000 customers of Solar Winds have possibly been impacted. If this is confirmed, this is one of the largest single attacks in history.
Updated 15 Dec 2020 1:20AM EST: News and media organizations are reporting up to 33,000 customers may have been affected. We will continue monitoring these reports.
Updated 15 Dec 2020 4:00PM EST: Additional indicators added (see below).
deftsecurity[.]com
thedoccloud[.]com
freescanonline[.]com
avsvmcloud[.]com
mhdosoksaccf9sni9icp[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
k5kcubuassl3alrf7gm3[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
ihvpgv9psvq02ffo77et[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com
gq1h856599gqh538acqn[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
7sbvaemscs0mc925tb99[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
zupertech[.]com
websitetheme[.]com
panhardware[.]com
incomeupdate[.]com
highdatabase[.]com
databasegalore[.]com
51[.]89[.]125[.]18
5[.]252[.]177[.]25
5[.]252[.]177[.]21
204[.]188[.]205[.]176
139[.]99[.]115[.]204
appsync-api[.]us-west-2[.]avsvmcloud[.]com
appsync-api[.]us-east-2[.]avsvmcloud[.]com
appsync-api[.]us-east-1[.]avsvmcloud[.]com
appsync-api[.]eu-west-1[.]avsvmcloud[.]com
highdatebase[.]com
databasegalaore[.]com
13[.]59[.]205[.]66
54[.]193[.]127[.]66
54[.]215[.]192[.]52
34[.]203[.]203[.]23
204[.]188[.]125[.]18
167[.]114[.]213[.]199
virtualdataserver[.]com
webcodez[.]com
virtualwebdata[.]com
solartrackingsystem[.]net
seobundlekit[.]com
lcomputers[.]com
kubecloud[.]com
globalnetworkissues[.]com
digitalcollege[.]org
20[.]141[.]48[.]154
196[.]203[.]11[.]89
8[.]18[.]145[.]131
8[.]18[.]145[.]21
8[.]18[.]145[.]3
8[.]18[.]145[.]33
13[.]57[.]184[.]217
18[.]217[.]225[.]111
184[.]72[.]145[.]34
184[.]72[.]209[.]33
184[.]72[.]21[.]54
8[.]18[.]145[.]181
18[.]220[.]219[.]143
184[.]72[.]1[.]3
184[.]72[.]101[.]22
184[.]72[.]113[.]55
184[.]72[.]212[.]52
184[.]72[.]224[.]3
184[.]72[.]240[.]3
184[.]72[.]229[.]1
184[.]72[.]245[.]1
184[.]72[.]48[.]22
3[.]16[.]81[.]254
3[.]87[.]182[.]149
34[.]219[.]234[.]134
8[.]18[.]144[.]11
8[.]18[.]144[.]12
8[.]18[.]144[.]130
8[.]18[.]144[.]135
8[.]18[.]144[.]136
8[.]18[.]144[.]149
8[.]18[.]144[.]156
8[.]18[.]144[.]158
8[.]18[.]144[.]165
8[.]18[.]144[.]170
8[.]18[.]144[.]180
8[.]18[.]144[.]188
8[.]18[.]144[.]20
8[.]18[.]144[.]40
8[.]18[.]144[.]44
8[.]18[.]144[.]62
8[.]18[.]144[.]9
8[.]18[.]145[.]134
8[.]18[.]145[.]136
8[.]18[.]145[.]139
8[.]18[.]145[.]150
8[.]18[.]145[.]157
8[.]18[.]145[.]36
Additional Information and Reading:
Updated 17 December 2020
We told you that we started seeing these attacks in 2017. As it turns out, this was also observed from others in the community and it seems that it fell on deaf ears. We previously reported this type of activity to partners so they could research it. Unfortunately it's still ongoing today.
Additional Information and Reading:
Customers can request the additional domains and information on this event.
Please note that no additional updates will be made to this post. All information concerning this event will be added to our Threat Intelligence platform.