SolarWinds has been in the news due to the hack of their servers. It is unclear how far back the compromise goes. The only product I have used from them is their free TFTP server. Has the "fingerprint" of the compromise been documented to allow determination if a specific download is affected? Are the compromised files now detectable with commercial virus/malware scanners?
The SolarWinds cyberattack was a supply chain attack. The nation-state threat actor(s) gained access to the SolarWinds Orion build system and added a backdoor to a legitimate Orion DLL, namely SolarWinds.Orion.Core.BusinessLayer.dll. This DLL was then distributed to SolarWinds customers via their automatic update platform used to push out new software updates. This DLL is loaded by SolarWinds.BusinessLayerHost.exe. The free SolarWinds TFTP Server does not use this update mechanism.
To date, the free TFTP server is not listed by SolarWinds as compromised. See https://www.solarwinds.com/securityadvisory for detailed information.
IOCs can be found at https://github.com/sophos-cybersecurity/solarwinds-threathunt and elsewhere.

fpmurphy
Thanks - although the TFTP server is not included in the "NOT KNOWN TO BE AFFECTED" listing in the advisory, there is a note at the bottom that says "We have also found no evidence that any of our free tools... are impacted" – tim11g Dec 22 '20 at 19:13
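The question asks how to tell whether a specific download is affected. The practical check is the one the answer points at: hash the files you have and compare them against a published IOC list, flagging the two Orion file names even when the hash does not match so they get a vendor-version check. The script below is an added example, not code from the question, the answer, SolarWinds or the Sophos repository. Every hash and file body in it is a constructed placeholder (the "bad" hash is computed from constructed bytes so the example runs offline); the `sha256,description` feed format and the `WATCH_NAMES` set are assumptions for illustration, and the real indicators must be loaded from the advisory or IOC repository linked above.

```python
"""
Hash-based IOC triage for a downloaded SolarWinds package (added example).

All hashes and file contents are CONSTRUCTED placeholders, not real SUNBURST
indicators. Replace IOC_FEED with the published indicator list before use.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed watch list: flag these names even when the hash is not in the feed,
# because a clean-looking copy still needs a vendor affected-version check.
WATCH_NAMES = {
    "solarwinds.orion.core.businesslayer.dll",
    "solarwinds.businesslayerhost.exe",
}

# Constructed payloads standing in for a backdoored DLL, a benign DLL and an
# unrelated file from a different download.
BAD_DLL_BYTES = b"MZ constructed backdoored BusinessLayer DLL"
GOOD_DLL_BYTES = b"MZ constructed clean BusinessLayer DLL"
UNRELATED_BYTES = b"constructed TFTP server README"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed IOC feed in an assumed "sha256,description" shape. The digest is
# derived from BAD_DLL_BYTES so the example is self-consistent offline.
IOC_FEED = f"""# sha256,description   (constructed placeholder list, not real IOCs)
{sha256_bytes(BAD_DLL_BYTES)},SolarWinds.Orion.Core.BusinessLayer.dll (constructed)
"""


def load_ioc_hashes(feed_text: str) -> dict[str, str]:
    """Parse 'sha256,description' lines; skip blanks and '#' comments.
    Digests are lower-cased and validated so a malformed or mixed-case entry
    cannot cause a silent miss."""
    iocs: dict[str, str] = {}
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed sha256 in IOC feed: {digest!r}")
        iocs[digest] = description.strip()
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: dict[str, str]) -> list[dict]:
    """Hash every regular file under root and classify it.

    'ioc-hash-match': SHA-256 is in the feed (high confidence, compromised copy).
    'name-watch':     file name is on the watch list but the hash is unknown;
                      not proof of compromise, compare the file version with
                      the vendor's affected-version list.
    'clean':          neither condition holds (absence of a match is not clearance).
    """
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        if digest in iocs:
            verdict = "ioc-hash-match"
        elif path.name.lower() in WATCH_NAMES:
            verdict = "name-watch"
        else:
            verdict = "clean"
        findings.append({"path": path.relative_to(root).as_posix(),
                         "sha256": digest, "verdict": verdict,
                         "ioc": iocs.get(digest, "")})
    return findings


def demo() -> dict[str, str]:
    """Build a constructed download tree and return {relative path: verdict}."""
    iocs = load_ioc_hashes(IOC_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "orion").mkdir()
        (root / "orion" / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(BAD_DLL_BYTES)
        (root / "orion-older").mkdir()
        (root / "orion-older" / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(GOOD_DLL_BYTES)
        (root / "tftp").mkdir()
        (root / "tftp" / "README.txt").write_bytes(UNRELATED_BYTES)
        return {f["path"]: f["verdict"] for f in scan_tree(root, iocs)}


if __name__ == "__main__":
    for rel_path, verdict in demo().items():
        print(f"{verdict:16} {rel_path}")
```

Run it against an unpacked download directory by calling `scan_tree(Path("C:/downloads/solarwinds"), load_ioc_hashes(open("iocs.csv").read()))`. Because the backdoor was inserted in the vendor's own build pipeline, an intact code-signing signature on the DLL does not clear it; the hash list and the vendor's affected-version list are the discriminators, and a file that matches neither is "not matched", not "verified clean".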