SolarWinds Orion is a widely used IT system management platform that has faced a serious security compromise, potentially allowing attackers to exploit connected systems.
An attacker managed to introduce a malicious and unauthorized modification to SolarWinds Orion products, granting them the ability to send administrator-level commands to any compromised installation. This modification:
- forces the Orion products to connect to a server controlled by the attacker to receive instructions
- does not require direct internet access to the Orion server for the attacker
There is evidence showing that this capability might be used by the attacker to navigate from a single Orion server to additional areas within the victim’s IT network.
While not every customer with an installation featuring the unauthorized modification will be severely impacted, all should take immediate precautions.
This guidance may be updated as new information unfolds. If you suspect that your system has been compromised, please stay informed for further updates.
Target Audience for This Guidance
This guidance is intended for all users of the SolarWinds Orion suite of network and IT management tools, who should undertake the following steps without delay.
These actions should be executed by technical personnel experienced with the SolarWinds Orion software suite.
Determining If Your System Is Affected
- Check if you have any products from the SolarWinds Orion suite, specifically versions 2019.4 HF 5, 2020.2 without hotfix, and 2020.2 HF 1. For detailed product information, refer to the SolarWinds advisory.
- If feasible, review logs from any internet web proxy, DNS proxy, or firewall for connections to the legitimate SolarWinds update site at downloads.solarwinds.com. This may assist in identifying potential Orion Suite products. (Note that this may also reveal any SolarWinds products, not solely those from the Orion Suite).
- Upon identifying any Orion Suite products, check for a file named SolarWinds.Orion.Core.BusinessLayer.dll and compute a SHA-256 hash of the file. Use the PowerShell command Get-FileHash for this purpose. You can then upload the hash to VirusTotal to see if it has been flagged as malicious. If it is flagged, it indicates that your copy of SolarWinds has maliciously modified functionality. This DLL is known as SUNBURST by FireEye.
- Inspect any internet web proxy, DNS proxy, or firewall logs for connections to any sub-domain of avsvmcloud[.]com (which is associated with command and control for the initial backdoor).
- FireEye provides technical detection guidelines for the malicious DLL (referred to as SUNBURST). If you can, execute these checks.
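The DLL hash and log checks above, as an added PowerShell example that is not part of the NCSC guidance. It assumes Orion is installed under the SolarWinds folders in Program Files and that you have exported proxy, DNS or firewall logs to a text file with one request per line; both the search roots and the log path are assumptions you should replace. The script reports the hash and file version for you to check against VirusTotal and the SolarWinds advisory; it does not decide for you.

```powershell
# Added example, not from the NCSC page: locate the Orion business-layer DLL, hash it with
# Get-FileHash, and scan an exported proxy/DNS/firewall log for the indicators the guidance
# names. Search roots, the log file path and its "one request per line" format are assumptions.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles\SolarWinds", "${env:ProgramFiles(x86)}\SolarWinds"),
    [string]$LogFile = 'C:\Temp\proxy-dns-export.log'
)

# 1. Every copy of SolarWinds.Orion.Core.BusinessLayer.dll, with file version and SHA-256.
#    Submit the hash to VirusTotal and compare the version with the affected builds in the
#    SolarWinds advisory. (A valid SolarWinds signature does not clear the file: SUNBURST
#    shipped in a signed build, so the hash and version are what matter.)
$dlls = Get-ChildItem -Path $SearchRoots -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' `
            -Recurse -File -ErrorAction SilentlyContinue
if (-not $dlls) { Write-Output 'No SolarWinds.Orion.Core.BusinessLayer.dll found under the search roots.' }
foreach ($dll in $dlls) {
    $hash = Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path        = $dll.FullName
        FileVersion = $dll.VersionInfo.FileVersion
        SHA256      = $hash.Hash
    }
}

# 2. Indicators in proxy/DNS/firewall logs. Any sub-domain of avsvmcloud.com is the initial
#    backdoor's command-and-control; downloads.solarwinds.com only hints at where SolarWinds
#    software lives. The patterns insist on a host-name boundary, so "notavsvmcloud.com" and
#    "avsvmcloud.com.example" do not match.
$patterns = [ordered]@{
    'avsvmcloud.com sub-domain (SUNBURST C2)' = '(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)+avsvmcloud\.com(?![A-Za-z0-9-])'
    'downloads.solarwinds.com (update site)'   = '(?<![A-Za-z0-9.-])downloads\.solarwinds\.com(?![A-Za-z0-9-])'
}
if (-not (Test-Path -LiteralPath $LogFile)) {
    Write-Output "Log file $LogFile not found; export your proxy/DNS/firewall logs there or pass -LogFile."
    return
}
foreach ($name in $patterns.Keys) {
    $hits = @(Select-String -LiteralPath $LogFile -Pattern $patterns[$name])
    Write-Output ("{0}: {1} matching line(s)" -f $name, $hits.Count)
    # Show a few sample lines so the analyst can see the full sub-domain and timestamp.
    $hits | Select-Object -First 5 | ForEach-Object { Write-Output ('  ' + $_.Line.Trim()) }
}
```

Run it on the Orion server itself (the DLL check needs local file access) and point `-LogFile` at a log export from the proxy or DNS appliance; a non-zero count for the avsvmcloud.com pattern is the signal the guidance asks you to act on.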
Immediate Actions for Affected Systems
- If you identify that you have a version of the SolarWinds Orion suite that includes 2019.4 HF 5, 2020.2 without hotfix, or 2020.2 HF 1, it is crucial to isolate the server from the internet immediately, as an attacker may have compromised this software.
- Post-isolation, if your affected system contains the SUNBURST DLL file and if you resolved api.solarwinds.com before lockdown (especially if queries to avsvmcloud[.]com were evident), this suggests that unknown malicious software has executed on your server. You should respond accordingly (see ‘In all cases’ below). However, if your host has the SUNBURST DLL but did not resolve api.solarwinds.com, your defense measures prevented the malicious software from connecting to its control server. Nonetheless, updating to a trusted version of the Orion product is advised (consult the SolarWinds advisory for specific details).
- As investigations into this incident evolve, the NCSC has limited knowledge on the exact activities attackers may have performed on impacted systems. One known method involves deploying a payload referred to as TEARDROP. You can search for TEARDROP on the compromised device by looking for a file named “C:\WINDOWS\SysWOW64\netsetupsvc.dll”.
- If the file “C:\WINDOWS\SysWOW64\netsetupsvc.dll” is discovered in the expected location, please reach out to the NCSC promptly via https://report.ncsc.gov.uk/ for further support.
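The TEARDROP check above, as an added PowerShell example that is not part of the NCSC guidance. Only the file path comes from the page; the evidence folder is an assumption. The script preserves the file and its metadata rather than deleting it, so the artefact is still available for the NCSC or your incident response provider.

```powershell
# Added example, not from the NCSC page: test for the TEARDROP artefact path the guidance
# names and, if present, copy it with its metadata to an evidence folder before the host is
# isolated and rebuilt. The evidence folder is an assumption.
$teardropPath = 'C:\WINDOWS\SysWOW64\netsetupsvc.dll'
$evidenceDir  = 'C:\IR-Evidence'   # assumed location for collected artefacts

if (-not (Test-Path -LiteralPath $teardropPath)) {
    Write-Output "Not found: $teardropPath (no TEARDROP indicator at the documented location)"
    return
}

$item = Get-Item -LiteralPath $teardropPath
$hash = Get-FileHash -LiteralPath $teardropPath -Algorithm SHA256
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
# Copy, never delete: the responders need the original sample.
Copy-Item -LiteralPath $teardropPath -Destination $evidenceDir

$record = [pscustomobject]@{
    Found         = $true
    Path          = $teardropPath
    SizeBytes     = $item.Length
    CreationUtc   = $item.CreationTimeUtc
    LastWriteUtc  = $item.LastWriteTimeUtc
    SHA256        = $hash.Hash
    Signature     = (Get-AuthenticodeSignature -FilePath $teardropPath).Status
}
# Keep a written record alongside the copy; timestamps help date the intrusion.
$record | Format-List | Out-File -FilePath (Join-Path $evidenceDir 'teardrop-check.txt')
$record
Write-Warning 'TEARDROP indicator present: keep the host isolated and report via https://report.ncsc.gov.uk/'
```

Run this after the server has been disconnected from the internet, as the guidance directs, and keep the evidence folder with the host image if you later rebuild the machine.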
General Recommendations
1. Any hosts that have at any time operated with an affected version of SolarWinds Orion may have experienced a compromise. If you locate the mentioned DLL or DNS queries, your system has unquestionably executed code originating from an attacker. Organizations should adhere to their internal protocols for addressing a suspected server compromise.
2. Consider implementing measures such as:
- Resetting any credentials that were accessible to the server
- Identifying any unusual activities that the server or accounts logged into the server may have executed
- Investigating any other suspicious occurrences. Specifically, monitor for remote accesses by legitimate accounts originating from IP addresses belonging to virtual server hosting services.
3. After thorough investigation, ensure to update your affected products as per SolarWinds guidance. Consider a complete rebuild of the SolarWinds host as part of your remediation efforts.
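The account-activity check in recommendation 2 (remote access by legitimate accounts from hosting-provider address space), as an added PowerShell example that is not part of the NCSC guidance. It reads logon events from the local Security log and flags network and RDP logons whose source address falls in CIDR ranges you supply; the ranges in the script are RFC 5737 documentation placeholders, not hosting-provider space, and the event field names used are the standard ones for event 4624.

```powershell
# Added example, not from the NCSC page: list remote logons to this server (Security event
# 4624; logon type 3 = network, 10 = RDP) whose source IPv4 address lies in ranges you treat
# as suspicious, e.g. address space published by virtual-server hosting providers. The CIDR
# list is a placeholder (RFC 5737 documentation ranges); populate it yourself.
param(
    [int]$Days = 30,
    [string[]]$SuspectCidrs = @('203.0.113.0/24', '198.51.100.0/24')
)

function ConvertTo-UInt32Ip([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # wire order -> BitConverter's little-endian order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    # Mask with the top $bits bits set, built from doubles to avoid signed-shift surprises.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    return (((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask))
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
            -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Event 4624 carries its fields as <Data Name="..."> nodes; pull them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    if ($data.LogonType -notin @('3', '10')) { continue }          # remote logons only
    $ip = $data.IpAddress
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }      # skip '-', '::1' and IPv6
    $range = $SuspectCidrs | Where-Object { Test-IpInCidr $ip $_ } | Select-Object -First 1
    if ($range) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            SourceIp  = $ip
            Range     = $range
        }
    }
}

if (-not $findings) { Write-Output "No remote logons from the listed ranges in the last $Days days."; return }
$findings | Sort-Object Time | Format-Table -AutoSize
# Accounts seen from those ranges are the first credentials to reset.
$findings | Group-Object Account | Sort-Object Count -Descending |
    ForEach-Object { Write-Output ("{0,5} logon(s)  {1}" -f $_.Count, $_.Name) }
```

Run it in an elevated session (reading the Security log requires administrator rights) on the Orion server and on any host the Orion service account could reach; an account that appears in the output belongs on the credential-reset list even if the logon itself looked routine.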
Seeking Assistance
If you are unable to handle a suspected server compromise of this nature independently, please contact a Cyber Incident Response company that is listed by the NCSC by visiting this link.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/dealing-with-the-solarwinds-orion-compromise