**We will update this article with additional information as it becomes available. Check back regularly for further updates.**
SolarWinds, an IT monitoring specialist, reported last Sunday that it had fallen victim to a “highly-sophisticated, manual supply chain attack … likely by a nation state.”
The compromised products are SolarWinds Orion versions 2019.4 through 2020.2.1.
How to identify if you are running an impacted SolarWinds Orion version?
Sophos customers can identify whether they are running a vulnerable version in multiple ways:
Sophos MTR customers
The MTR team is actively reviewing all protected customer environments and will contact any affected customers directly to discuss remedial action.
Sophos EDR customers
EDR customers can run the dedicated query below to hunt for affected versions (updates will be posted here):
```sql
-- Runs against the EDR `programs` table (installed-software inventory).
SELECT
  name,
  version,
  install_location,
  publisher,
  uninstall_string,
  install_date
FROM programs
WHERE name LIKE 'SolarWinds Orion%2020.2'
   OR name LIKE 'SolarWinds Orion%2020.2.1%'
   OR name LIKE 'SolarWinds Orion%2019.4%';
```
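The query above matches product names by pattern. As an added example that is not part of the original advisory or Sophos' tooling, the following Python triage helper applies the same check to exported `programs` rows by parsing the version (including any `HF` hotfix suffix) and comparing it against the range the advisory states: 2019.4 through 2020.2.1 affected, 2020.2.1 HF 2 fixed. The sample rows are constructed, and treating anything at or above the fixed release as clean is an assumption drawn from that statement.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (year, release, patch, hotfix)

# Range stated in the advisory: Orion 2019.4 through 2020.2.1 is compromised and
# 2020.2.1 HF 2 is the fixed release. Assumption: anything at or above the fix is clean.
AFFECTED_FROM: Version = (2019, 4, 0, 0)
FIXED_AT: Version = (2020, 2, 1, 2)

_VERSION_RE = re.compile(r"(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Version]:
    """Parse 'SolarWinds Orion Platform 2020.2 HF1' or '2019.4' into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, release, patch, hotfix = m.groups()
    return (int(year), int(release), int(patch or 0), int(hotfix or 0))


def is_affected(row: Dict[str, str]) -> bool:
    """True when a programs row (name/version) is an Orion install in the affected range."""
    if not row.get("name", "").lower().startswith("solarwinds orion"):
        return False
    version = parse_orion_version(row["name"]) or parse_orion_version(row.get("version", ""))
    if version is None:
        return False
    return AFFECTED_FROM <= version < FIXED_AT


def triage(rows: List[Dict[str, str]]) -> List[str]:
    """Return the names of affected installs from exported inventory rows."""
    return [row["name"] for row in rows if is_affected(row)]


# Constructed sample rows mimicking the programs table; not real inventory data.
SAMPLE_ROWS = [
    {"name": "SolarWinds Orion Platform 2019.4", "version": "2019.4"},
    {"name": "SolarWinds Orion Platform 2020.2 HF1", "version": "2020.2"},
    {"name": "SolarWinds Orion Platform 2020.2.1 HF 2", "version": "2020.2.1"},
    {"name": "SolarWinds Orion Platform 2018.4", "version": "2018.4"},
    {"name": "Notepad++ (64-bit x64)", "version": "7.9.1"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_ROWS):
        print("AFFECTED:", name)
```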
Additionally, EDR customers can hunt for the SHA256 hashes of the malicious DLLs:
Anyone not using Sophos EDR can activate a 30-day free trial and run the query across their estate.
All Sophos customers
SophosLabs has published detections for the initial components as:
- Troj/Agent-BGGA
- Troj/Agent-BGGB
- Troj/Agent-BGFZ
If you see one or more of these detections, you are impacted.
SophosLabs is continuing to investigate the attack and will be providing additional protection as necessary. Please monitor this location for further updates.
We are also in the process of revoking trust on the compromised SolarWinds certificate used in these attacks.
What to do if you are impacted
If you are running a vulnerable version, we recommend that you isolate the affected SolarWinds servers from the network.
We also recommend rebuilding all impacted SolarWinds servers and installing Orion Platform version 2020.2.1 HF 2 once released. See https://www.solarwinds.com/securityadvisory for more details.
We will be releasing further incident response guidance shortly. Contact your security team or partner for advice and support where needed.
Sophos and SolarWinds
Sophos is a SolarWinds customer. We have isolated the instances and we are actively investigating this incident. We will provide further updates shortly.