No other products were identified to contain malicious code similar to the one found in the Orion platform, IT software company SolarWinds said on Tuesday.
The company’s assertion comes after it carried out an internal audit of all its applications after news broke on Sunday that Russian state-sponsored hackers breached its internal network and inserted malware inside Orion, a network monitoring and inventory platform.
The malware, named SUNBURST (or Solorigate), was inserted in Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
“We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our other products contain those markers,” the company said today.
“We have also found no evidence that our SolarWinds MSP products, including RMM and N-central, and any of our free tools or agents contain the markers mentioned above,” it added in an update to a security advisory it initially published on Sunday.
But while SolarWinds was happy that the malware didn’t make its way into other products, the fact that it made it into Orion, one of its most popular offerings, was more than enough.
In SEC filings on Monday, SolarWinds said that of its 300,000 total customers, more than 33,000 used the Orion platform, and about 18,000 downloaded the malware-laced versions.
However, hackers didn’t bother accessing the networks of all these companies; instead, only restricting themselves to breaking into a few selected targets. At the time of writing, the list of known victims hacked by using the Orion platform as an entry point includes the likes of:
US cybersecurity firm FireEyeThe US Treasury DepartmentThe US Department of Commerce’s National Telecommunications and Information Administration (NTIA)The Department of Health’s National Institutes of Health (NIH)The Cybersecurity and Infrastructure Agency (CISA)The Department of Homeland Security (DHS)The US Department of State
New Orion update released today to remove malware components
Currently, SolarWinds is in damage control mode and is trying to restrict the extent of the hack. The company has worked since last week to put together a new Orion app update that removes any traces of the malware from infected systems.
Although the hackers stopped inserting their malware inside the Orion binaries since June and subsequent Orion updates were clean, pieces of the SUNBURST malware remained on infected systems and could have been abused for future attacks.
This risk was also mitigated today when Microsoft and a coalition of tech and government partners intervened to seize the malware’s command and control server.
Although their string obfuscation techniques were anything but special, their codebase and domains successfully evaded security scrutiny for nearly a year ¯_(ツ)_/¯. Here are screenshots of some CryptoHelper and ZipHelper classes and methods. pic.twitter.com/8iZnAezfpQ
— Kyle Hanslovan (@KyleHanslovan) December 15, 2020
SolarWinds is now asking customers to update to versions 2019.4 HF 6 and 2020.2.1 HF 2 to replace the Orion malware-laced components with clean versions and eliminate any threat.
The move comes just in time as Microsoft also announced plans to put known malicious Orion app binaries in quarantine starting tomorrow, Wednesday, December 16, which would have most likely resulted in unexpected crashes for Orion app users.