The still-unfolding breach at SolarWinds could affect more than 18,000 of its customers. On December 13th, SolarWinds announced that attackers had inserted malware into the software-update channel for its Orion platform, which is used across the U.S. government and Fortune 500 firms to monitor the health of their networks.
The cyber research team from Expanse, a leading attack surface management company recently acquired by Palo Alto Networks, has used capabilities in its Expander and Behavior products to identify instances of SolarWinds Orion exposed on an organization's perimeter. Additionally, Expanse is able to reveal communications from customers' networks to infrastructure associated with the SUNBURST campaign.
Internet-Facing SolarWinds Orion Installations
Expanse developed an HTTP fingerprint of the Orion login page to automatically detect Internet-facing SolarWinds Orion installations running the affected versions 2019.4 HF 5, 2020.2, and 2020.2 HF 1.
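The fingerprinting logic described above, as an added illustration that is not Expanse's code and does not reproduce its actual fingerprint: the script below assumes only that an Orion login page exposes the product name and an "Orion Platform <version> [HF n]" string in its footer, extracts that string, normalizes the hotfix suffix (the advisory writes both "HF5" and "HF 1"), and checks it against the three affected builds named in the text. The HTML pages and hosts are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Affected Orion Platform builds named in the text above, normalized to "HFn".
AFFECTED_VERSIONS = {"2019.4 HF5", "2020.2", "2020.2 HF1"}

# Assumed markers of an Orion login page (constructed for this example): the
# product name in the page, or the login form's path.
ORION_RE = re.compile(r"SolarWinds Orion|/Orion/Login\.aspx", re.IGNORECASE)

# Assumed footer format: "Orion Platform 2020.2", "Orion Platform 2020.2.1 HF1",
# with the hotfix written either as "HF1" or "HF 1".
VERSION_RE = re.compile(
    r"Orion Platform\s+(\d{4}\.\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?", re.IGNORECASE
)

# Constructed sample responses, keyed by host (TEST-NET-3 addresses).
SAMPLE_PAGES: Dict[str, str] = {
    "203.0.113.10": """<html><head><title>SolarWinds Orion</title></head>
<body><form id="loginForm" action="/Orion/Login.aspx">...</form>
<div id="footer">Orion Platform 2020.2 HF 1, NPM 2020.2, NTA 2020.2</div>
</body></html>""",
    "203.0.113.11": """<html><head><title>SolarWinds Orion</title></head>
<body><form id="loginForm" action="/Orion/Login.aspx">...</form>
<div id="footer">Orion Platform 2020.2.1 HF1, NPM 2020.2.1</div>
</body></html>""",
    # Orion login page with the version string absent from the footer.
    "203.0.113.12": """<html><head><title>SolarWinds Orion</title></head>
<body><form id="loginForm" action="/Orion/Login.aspx">...</form></body></html>""",
    # Unrelated login page.
    "203.0.113.13": """<html><head><title>Router login</title></head>
<body><form action="/login">...</form></body></html>""",
}


def fingerprint_orion(html: str) -> Tuple[bool, Optional[str]]:
    """Return (is_orion_login_page, normalized_version_or_None)."""
    if not ORION_RE.search(html):
        return False, None
    match = VERSION_RE.search(html)
    if not match:
        return True, None          # Orion, but no version string to key on
    version = match.group(1)
    if match.group(2):
        version += f" HF{match.group(2)}"   # "HF 1" and "HF1" both become "HF1"
    return True, version


def classify(html: str) -> str:
    """Label a response: not Orion, Orion without a version, affected, or not listed."""
    is_orion, version = fingerprint_orion(html)
    if not is_orion:
        return "not-orion"
    if version is None:
        return "orion-unknown-version"
    if version in AFFECTED_VERSIONS:
        return "orion-affected"
    return "orion-version-not-listed"


def scan(pages: Dict[str, str]) -> Dict[str, str]:
    """Classify every captured login page, keyed by host."""
    return {host: classify(html) for host, html in pages.items()}


if __name__ == "__main__":
    for host, label in scan(SAMPLE_PAGES).items():
        print(f"{host}\t{label}")
```

A version match only shows that an affected build is exposed on the perimeter; it does not show that the trojanized update ran or beaconed, which is why the text pairs this fingerprint with the second signal, traffic from the customer's network to SUNBURST-associated infrastructure. Treat "orion-unknown-version" hosts as worth a manual look, since an Orion login page reachable from the Internet is a finding on its own.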