Expanse Reveals SolarWinds Exposures and Attacker Communications

The still-unfolding breach at SolarWinds could potentially affect more than 18,000 of its customers. On December 13th, SolarWinds announced that attackers had inserted malicious code into software updates for its Orion platform, which is used across the U.S. government and Fortune 500 firms to monitor the health of their networks.

The cyber research team at Expanse, a leading attack surface management company recently acquired by Palo Alto Networks, has used its Expander and Behavior products to identify instances of SolarWinds Orion visible on customers' Internet-facing perimeters. Expanse can also reveal communications from customers' networks to infrastructure associated with the SUNBURST campaign.

Internet-Facing SolarWinds Orion Installations

Expanse developed an HTTP fingerprint of the Orion web console login page to automatically detect Internet-facing SolarWinds Orion installations running the affected versions: 2019.4 HF 5, 2020.2 (no hotfix), and 2020.2 HF 1.
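As an added illustration of what such a fingerprint does (example code written for this page, not Expanse's fingerprint or real Orion output): the snippet below splits a raw HTTP response, checks for an Orion login page title and an "Orion Platform <version>" footer string, normalizes the hotfix notation, and reports whether the build is in the affected set. The title and footer features, and the sample responses, are assumptions constructed for the example.

```python
"""Added example: fingerprint an HTTP response as a SolarWinds Orion web
console and check the advertised Orion Platform build against the affected
versions. The fingerprint features and sample responses are assumptions
constructed for this example, not Expanse's fingerprint or real Orion output."""
import re
from typing import Optional

# Affected Orion Platform builds, as listed on this page (SolarWinds advisory).
AFFECTED_VERSIONS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Assumed fingerprint features: an "Orion" login page title plus the
# "Orion Platform <version>[ HF <n>]" footer string.
TITLE_RE = re.compile(r"<title>[^<]*\bOrion\b[^<]*</title>", re.IGNORECASE)
VERSION_RE = re.compile(
    r"Orion Platform\s*(\d{4}\.\d+(?:\.\d+)?)\s*(?:HF\s*(\d+))?", re.IGNORECASE
)


def split_response(raw: str):
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def normalize_version(base: str, hotfix: Optional[str]) -> str:
    """Canonical 'YYYY.N[.M] HF <n>' so 'HF1', 'HF 1' and 'HF01' compare equal."""
    return f"{base} HF {int(hotfix)}" if hotfix else base


def fingerprint_orion(raw: str) -> Optional[dict]:
    """Return None if the response is not an Orion console; otherwise the
    Server header, the parsed Platform version (or None) and whether that
    version is in the affected set (None when no version string was found)."""
    _, headers, body = split_response(raw)
    if not TITLE_RE.search(body):
        return None
    m = VERSION_RE.search(body)
    version = normalize_version(m.group(1), m.group(2)) if m else None
    return {
        "server": headers.get("server"),
        "version": version,
        "affected": (version in AFFECTED_VERSIONS) if version else None,
    }


# Constructed sample responses (not captured from real Orion servers).
SAMPLE_AFFECTED = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><head><title>SolarWinds Orion</title></head><body>"
    "<form id='loginForm'>...</form>"
    "<div id='footer'>Orion Platform 2020.2 HF1, NPM 2020.2</div></body></html>"
)
SAMPLE_PATCHED = SAMPLE_AFFECTED.replace("2020.2 HF1", "2020.2.1 HF 2")
SAMPLE_OTHER = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
    "<html><head><title>Welcome</title></head><body>nothing here</body></html>"
)

if __name__ == "__main__":
    for name, sample in [("affected", SAMPLE_AFFECTED),
                         ("patched", SAMPLE_PATCHED),
                         ("other", SAMPLE_OTHER)]:
        print(name, fingerprint_orion(sample))
```

The version check is an exact match against the advisory's list after normalization, so a later build such as 2020.2.1 HF 2 reports `affected: False` while still being flagged as an exposed Orion console; a page that matches the title but carries no version string returns `affected: None` rather than a guess.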

In Expander's Issues module, organizations can see the publicly exposed SolarWinds Orion servers, with details about each server so they can triage and remediate the exposures quickly. An Internet-reachable Orion console is an exposure in its own right and should be taken off the perimeter regardless of version; the version fingerprint tells you which hosts to check first, not whether the trojanized update was actually installed on them.

Screenshot of the Issues module detailing SolarWinds Orion Platform that Expanse has identified.

Screenshot of details of a specific SolarWinds Orion Platform that Expanse has identified.

Communications to Infrastructure Associated with the SUNBURST Campaign

Expanse also developed an automated method to detect flows from organizations' networks to infrastructure associated with the SUNBURST campaign. Expanse's Behavior offering uses global netflow data to monitor communications to and from organizations' perimeters.

This new capability enables Behavior to flag flows from organizations' networks to infrastructure associated with the SUNBURST campaign, using an Indicators of Compromise (IOC) list compiled from open sources.

With Behavior, organizations can determine whether their network has communicated with SUNBURST campaign IOCs and prioritize those hosts for investigation. A netflow match shows only that a host exchanged traffic with a listed address, not what was sent; it is a lead to confirm on the host, not proof of compromise, and the IOC list has to be refreshed as open-source reporting evolves.
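The matching step described above, as an added example (written for this page, not Expanse's Behavior logic or data): flow records in a simple whitespace format are checked against an IOC list of IPs and CIDRs, each hit is tagged with the internal host and a direction inferred from which side of the flow is internal, and hosts are ranked by number of IOC contacts for triage. The flow lines, the IOC addresses and the internal range are constructed from RFC 5737 documentation and private ranges; they are not SUNBURST indicators.

```python
"""Added example: match netflow-style records against an IOC list of
IPs/CIDRs and report which internal hosts talked to listed infrastructure.
Flow records, IOC addresses and the internal range are constructed
(RFC 5737 documentation ranges); they are not SUNBURST indicators."""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed IOC list. A real list would be compiled from open-source
# SUNBURST reporting; single IPs and CIDR ranges are both accepted.
IOC_ENTRIES = ["203.0.113.10", "198.51.100.0/24"]

# Constructed address space for "our" perimeter.
INTERNAL_ENTRIES = ["10.20.30.0/24"]

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto> <bytes>".
FLOW_LINES = """\
2020-12-14T09:12:03Z 10.20.30.40 203.0.113.10 443 tcp 5120
2020-12-14T09:12:07Z 10.20.30.40 192.0.2.55 443 tcp 9000
2020-12-14T09:13:15Z 10.20.30.41 198.51.100.77 443 tcp 2200
2020-12-14T09:14:00Z 198.51.100.9 10.20.30.50 8080 tcp 600
2020-12-14T09:15:30Z 10.20.30.42 192.0.2.9 53 udp 120
"""


def compile_networks(entries: List[str]):
    """Parse IP / CIDR strings once; a bare IP becomes a /32 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def lookup(addr: str, networks):
    """Return the first network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in networks if ip in n), None)


def parse_flow(line: str) -> Dict:
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def match_flows(lines: str, ioc_networks, internal_networks) -> List[Dict]:
    """Flag flows where one side is internal and the other side is an IOC.
    Direction is taken from which side is internal, because flow records
    do not say which side initiated the connection."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        src_int = lookup(f["src"], internal_networks) is not None
        dst_int = lookup(f["dst"], internal_networks) is not None
        if src_int and not dst_int:
            ioc, host, direction = lookup(f["dst"], ioc_networks), f["src"], "outbound"
        elif dst_int and not src_int:
            ioc, host, direction = lookup(f["src"], ioc_networks), f["dst"], "inbound"
        else:
            continue  # internal-to-internal or external-to-external: not ours
        if ioc is not None:
            hits.append({**f, "host": host, "ioc": str(ioc), "direction": direction})
    return hits


def hosts_by_hit_count(hits: List[Dict]) -> Dict[str, int]:
    """Internal hosts ranked by number of IOC contacts, for triage ordering."""
    return dict(Counter(h["host"] for h in hits).most_common())


def sample_hits() -> List[Dict]:
    """Run the matcher over the constructed sample data."""
    return match_flows(FLOW_LINES, compile_networks(IOC_ENTRIES),
                       compile_networks(INTERNAL_ENTRIES))


if __name__ == "__main__":
    hits = sample_hits()
    for h in hits:
        print(f'{h["ts"]} {h["direction"]:8} {h["host"]} <-> {h["ioc"]} ({h["bytes"]} bytes)')
    print(hosts_by_hit_count(hits))
```

On the constructed sample the matcher returns three hits (two outbound, one inbound) and ignores the two flows to addresses outside the list. Keeping the IOC list as parsed networks rather than strings is what lets a single CIDR entry cover a whole range without enumerating addresses; the inbound case is reported as well, since an IOC address contacting an internal host is just as worth a look as the reverse.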

Screenshot of potentially risky communications on the Behavior platform associated with the SolarWinds Orion Platform.

Learn more about how Palo Alto Networks is helping customers detect and remediate the SUNBURST malware. Unit 42’s SolarStorm Threat Brief can be found here.