Go back to All Blog posts

Assessing Your Exposure To The SolarWinds SUNBURST Cyberattack

Jonathan Lebowitsch
January 14th, 2021
Assessing Your Exposure To The SolarWinds SUNBURST Cyberattack

It took stealing the crown jewels of one of the leading cyber security companies – the offensive hacking tools of FireEye – for anyone to detect what’s shaping up to be a truly watershed cyberattack.

The SolarWinds Sunburst Attack Is Noteworthy For At Least Three Reasons:

  1. The prominence of its known victims: security companies, federal agencies, etc.
  2. The state-of-the-art techniques and skills that allowed the attackers – most likely belonging to a Russian state-sponsored group – to breach SolarWinds’ Orion build process, insert an undetected malicious component into Orion’s updates and subsequently use the malware – now deployed on customers’ Orion servers – to patiently, stealthily, over many months, discover their victims, increase their foothold within their networks, and exfiltrate their data.
  3. It is the largest Supply Chain attack published so far. That is, the attackers sought and found a major technology supplier and by breaching it, they got access deep into the networks of most of its customers.

IONIX’s View Of The SolarWinds Supply Chain

IT organizations can and must have visibility into their exposure to any its vendors. That is, customers should have systems in place that are able to inventory, at any given time, what solutions, products and technologies are deployed where. These inventories will be critical in following federal guidelines and shutting down compromised, or potentially compromised, instances.

Based on our experience and analysis many organizations do not have this inventory available. Organizations are struggling to keep tabs on their inventory and lack external attack surface visibility. This situation applies in the case of deployments of SolarWinds Orion (and other SolarWinds products and services).

Through our attack surface discovery solution, we’re seeing hundreds of SolarWinds Orion instances, some deeply misconfigured, with strong indicators (independently verified by the customers we contacted) of being unmanaged and deployed as shadow IT.

Organizations Are Unware Of Every SolarWinds Orion Instance Installed In Their Infrastructure

It could be a recent acquisition of a company that used the system or an instance that was created as part of POC (in some of them, the default credentials were used). Furthermore, some of the companies in whose networks we detected these exposed SolarWinds Orion instances are themselves supply-chain vendors with thousands of customers. This means that the exposure to the risks of this attack lie further beyond SolarWinds and its customers and extends to customers of customers, and beyond.

Due to the gravity of this cyberattack, and the many unknowns still surrounding the scope of its victims, we’re offering our online SolarWinds discovery free of charge.

When you request a scan:

  1. We will scan your public-facing network for the existence of SolarWinds Orion instances as well as instances of, or connections to, other SolarWinds products and services.
  2. Based on a limited discovery of the requestor’s attack surface, it will assess the risk due to connections to third-party vendors that are exposed to the SolarWinds attack.

Results, and scan report are delivered within 3 days.


Discover the full extent of your online exposure so you can protect it.