
2020-12-16
Security Advisory: SolarWinds Orion Vulnerability

DETAILED INFORMATION ON INTRUSION PREVENTION SIGNATURE (IPS) SIGNATURE IDS

Source: SonicWall / IPS
Published: 2020-12-15

DESCRIPTION:

The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that malicious threat actors have been and are actively exploiting vulnerabilities in SolarWinds Orion products, specifically affecting versions 2019.4 through 2020.2 HF1.

The threat actor primarily leverages malware commonly known as SUNBURST to conduct a global supply-chain attack against the SolarWinds Orion platform. SolarWinds Orion is an enterprise-grade IT monitoring solution.

SolarWinds has confirmed the vulnerability and has asked impacted customers using Orion to immediately upgrade to 2019.4 HF 6 or 2020.2.1 HF 1. Please visit www.solarwinds.com/securityadvisory for more information about your Orion upgrade options.

Both SolarWinds and CISA strongly suggest that organizations using SolarWinds Orion verify the version they’re running and upgrade immediately, if required.

SonicWall Capture Labs threat researchers have investigated the vulnerability and published four signatures that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions:

• 15292: BACKDOOR SolarWinds Supply Chain Malware Activity 1
• 15293: BACKDOOR SolarWinds Supply Chain Malware Activity 2
• 15294: BACKDOOR SolarWinds Supply Chain Malware Activity 3
• 15295: BACKDOOR SolarWinds Supply Chain Malware Activity 4
• 15296: BUSINESS-APPS SolarWinds Orion (API Activity)
• 2014: BUSINESS-APPS SolarWinds Orion (Update Activity)

SonicWall products and real-time security services can help organizations identify SUNBURST malware and other attacks against vulnerable SolarWinds Orion versions.

To verify you have the latest SonicWall Intrusion Prevention Signatures (IPS), please follow the steps in this knowledge base (KB) article: https://www.sonicwall.com/support/knowledge-base/detailed-information-on-intrusion-prevention-signature-ips-signature-ids/170505742887527/

SonicWall also has confirmed it is not using a vulnerable SolarWinds Orion product and is not impacted by this threat.
 


