Compromised updates for SolarWinds Orion are making headlines for containing malware. Updates distributed from March through May of this year appear to have carried an elusive and adaptable trojan that FireEye has named the SUNBURST backdoor. FireEye has published a detailed write-up of the attack here, along with Indicators of Compromise. Read through both if you or your organization may have ever run SolarWinds Orion versions 2019.4 through 2020.2.1 HF1.
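A first triage step is to compare the Orion version on each server against that affected range. The script below is an added example, not code from the original post or from FireEye or SolarWinds. It parses Orion version strings in the form SolarWinds uses (year.release, optional point release, optional "HFn" hotfix), treats the page's range as inclusive at both ends, and sends anything it cannot parse to a manual-review list rather than silently dropping it. The host inventory is constructed for the example; the ordering assumption is that a hotfix sorts after the base release it patches.

```python
import re
from typing import List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Sortable representation of a SolarWinds Orion version string."""
    major: int    # release year, e.g. 2020
    minor: int    # release number within the year, e.g. 2
    patch: int    # point release (0 when absent)
    hotfix: int   # HF number (0 when absent)


# Accepts "2019.4", "2019.4 HF5", "2020.2.1", "2020.2.1 HF1" (case-insensitive, HF may be spaced)
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Range named in the post, interpreted as inclusive (assumption for this example).
AFFECTED_LOW = parse_version("2019.4")
AFFECTED_HIGH = parse_version("2020.2.1 HF1")


def is_in_affected_range(version: str) -> bool:
    """True when the version falls inside the range that shipped trojanised updates."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (host, version) pairs into hosts to check against the IOCs and hosts
    whose version string could not be parsed and need a human to look at them."""
    needs_ioc_check: List[str] = []
    needs_manual_review: List[str] = []
    for host, version in inventory:
        try:
            if is_in_affected_range(version):
                needs_ioc_check.append(host)
        except ValueError:
            needs_manual_review.append(host)
    return needs_ioc_check, needs_manual_review


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF1"),
    ("orion-prod-02", "2020.2.1 HF1"),
    ("orion-legacy",  "2018.4 HF3"),
    ("orion-lab",     "2019.4 HF5"),
    ("orion-new",     "2020.2.4"),
    ("orion-unknown", "unknown"),
]

if __name__ == "__main__":
    affected, review = triage(SAMPLE_INVENTORY)
    print("check against FireEye IOCs:", affected)
    print("manual review (unparsed version):", review)
```

A host in the affected list is a candidate, not a confirmed compromise: the decisive check is the file-level and network indicators in FireEye's IOC set, which this script deliberately does not try to reproduce.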
This is a frightening example of a supply chain attack, in which an action normally thought of as reducing risk, applying a vendor update, was weaponized against high-value targets. The behavior detailed by FireEye, and further by Splunk in this article on detecting potentially compromised hosts, is characteristic of an Advanced Persistent Threat: the trojan waited up to two weeks before first contacting its command-and-control infrastructure, and then paced its activity by hours or even days depending on the environment it found itself in. We can almost certainly expect to hear more in the coming days and weeks on the true scope of this attack and just how many organizations were exposed.
Additional reading on the developing story is available here: