SolarWinds Onion Shodan – Beware

Shodan SolarWinds Onion
Yesterday’s count of 1688 Orion systems open at @solarwinds Orion. They can be found on @shodanhq#SolarWinds Orion. Just use the http.favicon string. I will write a detailed blog post later.
Read more

Australian Government Background
Table of Contents
The ACSC issued an alert on 14 December 2020 regarding possible compromise of the SolarWinds Orion program. FireEye, a cyber security company, informed the ACSC about this alert. They were monitoring a global intrusion campaign that could compromise the SolarWinds Orion supply chain.
The ACSC received reports from Australian organizations stating that they were using vulnerable versions of SolarWinds Orion as of 25 January 2021. No follow-on compromise of an Australian organization through SolarWinds Orion to date has been detected.
SolarWinds Orion was compromised, which meant that some organisations may have accidentally installed malicious updates through their normal updates. SUNBURST is the name of the malicious software (malware), that was associated with the supply chain compromise.
SUNBURST was identified. Additional malware that was associated with the SolarWinds Orion supply-chain compromise has also been discovered. These malware are often referred to as TEARDROP or RAINDROP. They were discovered during investigations into follow-on compromises of affected organizations.
Additional malware was discovered to be targeting SolarWinds Orion during investigations into the supply chain compromise. This second set is being called SUPERNOVA. SUPERNOVA malware does not appear to be connected to the supply chain compromise. Instead, it targets a different vulnerability in SolarWinds Orion.
SolarWinds has issued patches for affected SolarWinds Orion models after it was discovered that the vulnerability had been exploited.
ACSC recommends that you apply the most recent patches to SolarWinds Orion as soon as possible to mitigate potentially vulnerable versions. This recommendation is applicable to both the SUPERNOVA and SUNBURST malware.
ACSC recommends that vulnerable SolarWinds Orion instances are isolated from the internet and internal networks connections minimized if immediate patching is not feasible.
Additional information and tools
The US Cyber security and Infrastructure Security Agency has published a series of alerts about detection and mitigation potential compromises of SolarWinds Orion. These alerts include CISA and third party tools that could aid in detection of follow-up compromises through SolarWinds.
The ACSC encourages all organizations to continue to assess and use the Essential Eight strategies to safeguard their systems.
The ACSC is monitoring the situation. They can provide advice and assistance as needed. Contact the ACSC at 1300 CYBER1 if you have any questions or need assistance.
SolarWinds Onion ShodanWhy the SolarWinds Orion Platform
The SolarWinds(r), Orion(r), Platform is a powerful and scalable infrastructure monitoring platform that simplifies IT administration for hybrid and on-premises environments. It can be accessed through one pane of glass.
The Orion Platform consolidates all of the monitoring capabilities into one platform. It also integrates cross-stack functionality, so there’s no need for you to deal with incompatible products.
The SolarWinds hack timeline: Who knew when and what?
Credit : ARN
Impact, detection, response and ongoing fallout from the attack against SolarWinds’ Orion remote management software.
The details of the 2020 SolarWinds attack are still being worked out, and it could be years before the final damages are tallied.
It is a good idea.