SolarWinds

Tags: SolarWinds, Government, Microsoft, USA, VMWare

Austin, Texas-based SolarWinds sells software that lets an organization see what is happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems.

Indicators of Compromise

avsvmcloud.com
highdatabase.com
digitalcollege.org
thedoccloud.com
lcomputers.com
webcodez.com
virtualdataserver.com
seobundlekit.com
zupertech.com
incomeupdate.com
ervsystem.com
deftsecurity.com
infinitysoftwares.com
panhardware.com
freescanonline.com
databasegalore.com
websitetheme.com
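The domain list above is only useful if it is actually checked against telemetry. The following is an added example (not part of the original page or SOCRadar's tooling) that matches DNS or proxy log lines against these IoC domains. It treats a query as a hit when the name equals an IoC domain or is a subdomain of one, and deliberately does not match look-alike names that merely end in the same characters. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the example.

```python
"""Match DNS/proxy query logs against the SolarWinds campaign IoC domains."""
from typing import Iterable, List, NamedTuple, Optional

# IoC domains as listed on the page.
IOC_DOMAINS = frozenset({
    "avsvmcloud.com", "highdatabase.com", "digitalcollege.org",
    "thedoccloud.com", "lcomputers.com", "webcodez.com",
    "virtualdataserver.com", "seobundlekit.com", "zupertech.com",
    "incomeupdate.com", "ervsystem.com", "deftsecurity.com",
    "infinitysoftwares.com", "panhardware.com", "freescanonline.com",
    "databasegalore.com", "websitetheme.com",
})

# Constructed sample log (not real telemetry): "<timestamp> <client> <qname>".
# Line 3 is a look-alike that must NOT match; line 4 carries a trailing dot.
SAMPLE_LOG = """\
2020-12-13T10:01:02Z 10.0.0.5 updates.example.com
2020-12-13T10:01:05Z 10.0.0.7 k5j3t9.sub.avsvmcloud.com
2020-12-13T10:02:11Z 10.0.0.9 notavsvmcloud.com
2020-12-13T10:03:00Z 10.0.0.5 DEFTSECURITY.COM.
2020-12-13T10:04:30Z 10.0.0.11 www.freescanonline.com
malformed line without enough fields
"""


class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str
    ioc_domain: str


def normalise(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot used in DNS logs."""
    return qname.strip().rstrip(".").lower()


def ioc_hit(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, else None.

    Walks the label boundaries so that 'a.b.avsvmcloud.com' matches
    'avsvmcloud.com' but 'notavsvmcloud.com' does not.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose queried name matches an IoC domain."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:  # skip blank or malformed records
            continue
        timestamp, client, qname = fields
        matched = ioc_hit(qname)
        if matched:
            hits.append(Hit(timestamp, client, normalise(qname), matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.client} queried {hit.qname} -> IoC {hit.ioc_domain}")
```

Feeding an exported resolver or proxy log through `scan_log` gives a list of clients that talked to the listed infrastructure; each hit is a starting point for the rebuild and credential-reset steps in the guidance below, not proof of secondary targeting on its own.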

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Rebuild impacted servers and start with a fresh updated install of SolarWinds Orion. Note: SOCRadar recommends this step even for organizations that are not believed to have been subject to secondary targeting.

Reset all credentials that may have been impacted in the organization and ensure new passwords are not similar to previous passwords. This would likely include all accounts in an Active Directory domain, including user accounts, service accounts, etc.

Ensure that unique local administrative passwords are used on all devices; use a password management solution where possible.

Reset, replace or re-issue all sensitive API key integrations, such as those leveraged by multi-factor authentication, SAML integrations, website configuration files, etc.

Observed Countries

CH (163)
TR (178)
US (621)