There are multiple vectors for a supply chain attack, and the malicious update is one of the worst. It is about as subversive a technique as an adversary can employ on the software side of the cyber supply chain.

We have been looking at the recent attack on multiple agencies and FireEye. This could be one of the most serious cyber supply chain attacks in history. According to several reports the issue is with the SolarWinds.Orion.Core.BusinessLayer.dll Dynamic Link Library (MD5 b91ce2fa41029f6955bff20079468448). We have looked at the code from a supply chain perspective.


The DLL can use local credentials for proxies:

    IHttpProxySettings instance = (IHttpProxySettings) HttpProxySettings.Instance;

Strings in the DLL are obfuscated: each is stored as base64, decoded, decompressed, and only then read as UTF-8 text:

    // base64 -> decompress -> UTF-8 string
    Encoding.UTF8.GetString(XXXXXXXX.ZipHelper.Decompress(Convert.FromBase64String(input)));
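The decoding chain above, reversed in Python so an analyst can turn the extracted blobs back into plaintext. This is an added example, not code from the DLL or from the original post; it assumes ZipHelper.Decompress is raw DEFLATE (what .NET's DeflateStream produces), and the sample blob is constructed by hand, not taken from the sample.

```python
import base64
import zlib

# Characters that legitimately appear in a base64 string.
_B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def decode_obfuscated(blob: str) -> str:
    """Reverse Encoding.UTF8.GetString(Decompress(FromBase64String(s))).

    Assumption: ZipHelper.Decompress is raw DEFLATE with no zlib/gzip header,
    which is what .NET's DeflateStream emits; zlib's wbits=-15 selects that.
    """
    # Drop stray leading characters such as ';' or '{' that extraction or the
    # surrounding source line can leave in front of the base64 text.
    cleaned = "".join(ch for ch in blob.strip() if ch in _B64_CHARS)
    raw = base64.b64decode(cleaned, validate=True)
    inflated = zlib.decompress(raw, wbits=-15)
    return inflated.decode("utf-8")


def encode_obfuscated(text: str) -> str:
    """Produce a blob in the same base64(deflate(utf8)) format, for testing."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: a raw DEFLATE "stored" block (0x01, LEN=2, NLEN=~2)
# wrapping the bytes "hi", base64-encoded by hand. Not a string from the DLL.
SAMPLE_BLOB = "AQIA/f9oaQ=="


def decode_lines(lines):
    """Decode extracted lines, pairing each with its plaintext or None."""
    out = []
    for line in lines:
        try:
            out.append((line, decode_obfuscated(line)))
        except (ValueError, zlib.error, UnicodeDecodeError):
            out.append((line, None))  # not a valid base64/deflate blob
    return out


if __name__ == "__main__":
    for blob, text in decode_lines([SAMPLE_BLOB, ";" + SAMPLE_BLOB, "not base64"]):
        print(f"{blob!r} -> {text!r}")
```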

Base64 strings extracted from the code:


IP helper IP