SolarWinds made unfortunate headlines over the past couple of days as the U.S. government announced that its network monitoring platform, Orion, is being used to attack U.S. federal agencies. The attack has been described as a sophisticated, targeted, manual supply chain attack and is believed to be backed by state-sponsored Russian hacker groups. The situation has already received attention in the international media, including a detailed blog post by FireEye that provides a good technical summary.
The attack was initiated via a compromised DLL file that was posted to the downloads section of the SolarWinds website. For those using that technology, the mitigation is to immediately upgrade the software to the Orion Platform release 2020.2.1.HF 1. If the platform is being used to manage infrastructure, a thorough review of network device configurations is highly recommended.
Why is this such a threat? The hacked software is used in large companies and governments and presents a significant risk of foreign spying.
Our interest in this hack stems from the way in which it initiated communications with the command-and-control server. To be very clear, we’re still in the “fog of war”, so we may learn new details about the hack in the coming days that change our perception. However, as of now it appears to use DNS to reach out to a server and get an HTTP response on a randomized subdomain of avsvmcloud (dot) com. The query response then provides the malware’s command-and-control domain. With that information in hand, we took a look to see if there were any instances among our customer base in Canada, that is, organizations using the CIRA DNS Firewall.
In the last 30 days we can confirm no instances of that DNS query, which suggests that, at least among our user base, this domain is not being queried. This is as of the time of publication and, notably, the threat could be caught at another layer in their cybersecurity stack.
Looking at CIRA Canadian Shield, the free DNS security service we provide to Canadian households, the story is a little different. Here we have seen recent queries to this malicious domain originating from within Canada. While it would seem odd that a service designed for households would be using SolarWinds, it is a free open recursive service, so it is not a stretch to think some Canadian Shield "users" could be companies. Additionally, we don’t store user DNS data as part of our commitment to privacy, which is great for users but limits our ability to investigate further. Could it be a cybersecurity researcher testing? Could it be an actual threat firing inside an organization in Canada? The answer is unknown.
What we can say is that queries to this malicious domain are originating from Canada. It is a small number from a narrow geography, but the frequency of the queries from individual IP addresses suggests they are not a normal use pattern. We can’t look back historically to see if the threat has been present for a while, because that data is simply not stored with the free CIRA Canadian Shield service – a good reason why organizations need to use platforms designed for their needs like the CIRA DNS Firewall.
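The check described above, looking for resolver queries under the beacon domain and judging them by how often each client repeats them, can be reproduced against your own resolver logs. The following is an added example, not CIRA’s code or the DNS Firewall’s logic; the BIND-style query-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The domain named in the post; the malware queries randomized subdomains of it.
C2_BEACON_DOMAIN = "avsvmcloud.com"

# Assumed BIND-style query log format (constructed for this example; adapt the
# pattern to whatever your resolver actually writes).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one client repeatedly resolving random labels under
# the beacon domain, plus benign lookups and a look-alike that must NOT match.
SAMPLE_LOG = """\
15-Dec-2020 09:12:01.101 client 192.0.2.10#50231: query: www.example.com IN A + (198.51.100.1)
15-Dec-2020 09:12:04.552 client 192.0.2.10#50232: query: 7h3k2p9qx1.avsvmcloud.com IN A + (198.51.100.1)
15-Dec-2020 09:27:11.004 client 192.0.2.10#50240: query: m4zq81vbk0.avsvmcloud.com IN A + (198.51.100.1)
15-Dec-2020 09:30:00.900 client 192.0.2.77#41022: query: notavsvmcloud.com IN A + (198.51.100.1)
15-Dec-2020 09:41:59.318 client 192.0.2.10#50251: query: q9d2ls7tmy.AVSVMCLOUD.COM. IN A + (198.51.100.1)
15-Dec-2020 09:45:13.770 client 192.0.2.33#39011: query: example.net IN AAAA + (198.51.100.1)
""".splitlines()


def is_beacon_qname(qname: str, domain: str = C2_BEACON_DOMAIN) -> bool:
    """True for the domain itself or any subdomain; case and trailing dot are
    normalised, and a suffix match on the bare string is avoided so that a
    look-alike such as notavsvmcloud.com does not match."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def find_beacon_queries(lines):
    """Map each client IP to the list of matching query names it sent."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_beacon_qname(m["qname"]):
            hits[m["ip"]].append(m["qname"].rstrip(".").lower())
    return dict(hits)


def repeat_queriers(hits, min_distinct=2):
    """Clients that resolved at least min_distinct different random labels:
    the repeated-beacon pattern the post treats as abnormal, as opposed to a
    single lookup that could be a researcher or a scanner."""
    return {ip: len(set(names)) for ip, names in hits.items()
            if len(set(names)) >= min_distinct}


if __name__ == "__main__":
    found = find_beacon_queries(SAMPLE_LOG)
    for ip, count in repeat_queriers(found).items():
        print(f"{ip}: {count} distinct subdomains of {C2_BEACON_DOMAIN}")
```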
So what is an organization to do? Follow the recommendations that FireEye lays out. Remember the importance of layered security in protecting you from even highly engineered threats like this one. Based on what we know right now, a service like CIRA’s DNS Firewall would have made a positive contribution in this scenario.
This attack was very sophisticated in its execution and we can’t help but wonder what fallout will be next.