SolarWinds Orion Breach Research Research & Papers

15 December 2020

It recently been highlighted within the wider computer security industry that SolarWinds products are a supply chain risk. Specifically, the Orion platform are critically vulnerable to a remote attack known as “SUNBURST Backdoor” due to some legitimate products from the orgnisation being trojanised with malware during an update permitting a back door into orgnasitation's networks and the data contained on the platform.

The SolarWinds Orion product is used to monitor and optimise IT infrastructure in a large-scale environment, like that at most government and critical national infrastructure entities. The tools look at which devices and processes are using the most resources and either make sure those resources are available or help IT managers resolve potential issues, as well as being used as a configuration repository for device settings for backup and restore.

The attacks targeted Orion software versions 2019.4 HF 5 through 2020.2.1 the versions released between March 2020 and June 2020.

IOC related to this issue have been identified as being:

·        [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]

·        [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

Other indicators related to this issue have been shared by FireEye who have provided two Yara rules to detect TEARDROP attack, Post Compromise Activity which is available from their GitHub ( as well as some clamAV and SNORT rules. It is advisable that orgnisations have searched out and removed these instances from there estate to eradicate the threat.


AMR CvberSecurity highly recommends that your SolarWinds representative is contacted to source and apply the available system patches that remediates this vulnerability to secure your infrastructure. At the time of writing SolarWinds stated that Orion software, 2020.2.1 HF 1, is available through the customer portal.

More information about the risks above is available from the following sources:




MITRE ATT&CK Techniques Observed

No alt text provided for this image

AMR Cybersecurity Services

The protective measures highlighted in the previous section are not exhaustive just a high-level overview of the security controls that can be adopted and layered by an organisation. AMR CyberSecurity can expand and highlight additional controls based on the bespoke requirements of an organisation, as well as testing, benchmarking, and auditing existing controls.


AMR Cybersecurity as a 360-security organisation can offer the following services to aid against the ransomware threat:

·        Organisation External Assessment: This involves scanning OSINT resources and data sources to identify the external and publicly accessible digital footprint of your organisation. Then performed a vulnerability assessment against these domains, ingress points and portals, IP address and networks simulating a real-world attacker.

·        IT Device Security Configuration review and gap analysis: This service benchmarks the configuration of your IT hardware assets against known industry best practices, guidelines, and security standards to identify deviations and area that can be security hardened.

·        Red Teaming and Phishing exercise: This service is a goal/object-oriented penetration assessment aiming to leverage access from the outside to the inside of your organisation, subverting security controls and highlighting the real-world impact of Intellectual Property acquisition and key asset compromise.

·        Domain and user security review: This service involved parsing your organisation domains, defined user groups and roles and auditing them for security weaknesses (in password management and controls) as well as group permissions and access throughout the estate.

·         Incident Response Planning Assessments: These are tabletop exercises with your department heads and key stakeholders to simulate specific threats to your organisations working through your Incident Response process and disaster recovery plans to identify gaps and areas for improvement. Additionally, this product works as a valuable training internally preparing personnel in the key steps and process (clarifying the roles and responsibilities of both staff and third parties) to steer the organisation though an event to system recovery.



Registered address
AMR CyberSecurity, 3000a Parkway
Whiteley, Fareham
Hampshire, PO15 7FX
© 2024 AMR CyberSecurity ยท Registered Company Number: 11551941