Now that the activity on this seems to be slowing down, it’s probably worth a bit of discussion on what we’ve put in BigFix.me and why there are two distinct methods (so far).
From the top post in the thread, we have
The two Fixlets are checks for the affected DLL files, in the paths where we expect they probably reside. The compromised netsetupsvc.dll, if it exists, would be in \Windows\syswow64. That’s a static path and easy to check. The SolarWinds.Orion.Core.BusinessLayer.dll file, however, would be in the installation directory of SolarWinds, which can be customized at installation time. We made a stab at several different paths, including the “Program Files” and “Program Files (x86)” folders on all drive letters, as well as the “SolarWinds” folder on all drive letters.
If you have SolarWinds installed in one of those paths, this detection should be sufficient. However it does not scan through any other directory structures, as that kind of full-system scan is very expensive to do in Relevance.
To handle cases where SolarWinds might be installed in a non-default path we don’t anticipate, one can run the “Alternate Method” probe -
The “Alternate Method” is in two parts. First, there’s a Task that must be run on the system. The action of this task scans all fixed hard drives, searching for the ‘SolarWinds.Orion.Core.BusinessLayer.dll’ file in all drive paths, as well as the ‘netsetupsvc.dll’ file at \Windows\SysWOW64. The scan runs in its own batch file from the CMD shell, so it’s not throttled by the BigFix client’s CPU throttle and retrieves the list of files much more quickly than a native relevance statement like ‘descendants of folders()’. The file list is saved to an output file that is parsed by the Analysis.
The accompanying Analysis identifies the file paths found by the scan, compares the “SolarWinds.Orion.Core.BusinessLayer.dll” to a list of known-bad hash values, and if one of those bad hashes matches, the file details are presented by the Analysis. The details include file path, size, modification time, version, and the md5, sha1, and sha256 hashes of the file.
The second method is more likely to find affected components when they are installed in non-default paths, but has the overhead of requiring an Action to be taken before results can be presented.
For both detections, the list of known-bad hash values has been updated at least three times today as more information has been revealed, and may update a few more times yet. For the second method, so far these changes have required updating the Analysis, but have not required re-executing the probe task.
Where a detection is found, US Government customers have specific directions to follow per the DHS bulletin, or may have guidance from their own Agency (I have no insight into that, but the DHS bulletin specifically says things like disconnect the machine, not wipe it, for forensic analysis).
For private companies, you should check with your Security, Leadership, and Legal teams to determine how to proceed. Depending upon your sector there may still be Industry- or Regulatory-required steps to take.
From all accounts, the presence of an affected SolarWinds may just be one link in a much longer exploit chain, and just upgrading or rebuilding the system is probably not helpful in determining what other data was accessed or what other changes were made.
It’s a very good time to make sure your incident response plans are up to date. Contacting your local FBI Field Office or equivalent law enforcement in your country of business may be appropriate. For US customers, the following document on “What and when to report” may be helpful - https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view
I hope that the content we’ve posted to BigFix.me today has been helpful. I’ve stayed on the technical side of detection today, and I’m not yet a party on any discussions as to whether BigFix will publish official content for this outside of what we’ve uploaded to BigFix.me, so I’m afraid I have nothing to say on that (I’ve had a few people ask so I wanted to get ahead of that question).
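As an added illustration of the "Alternate Method" described above (this is not the Task or Analysis posted to BigFix.me), the following PowerShell performs the same steps in one script: enumerate fixed drives, locate the two DLLs, record path, size, modification time, version and hashes, flag any SHA-256 that matches a known-bad list, and write an output file for later parsing. The output path and the hash-list entry are placeholders to be replaced from the vendor/DHS advisory.

```powershell
# Added example, not the BigFix.me content. Scans fixed drives for the
# SolarWinds DLL, checks SysWOW64 for netsetupsvc.dll, hashes the results
# and writes a CSV. Output path and hash list are assumptions/placeholders.

$OutFile = Join-Path $env:SystemRoot 'Temp\solarwinds_scan.csv'   # assumed path

# Fill from the advisory; this placeholder never matches a real file.
$KnownBadSha256 = @('REPLACE-WITH-SHA256-FROM-ADVISORY') |
                  ForEach-Object { $_.ToUpperInvariant() }

# DriveType 3 = local fixed disk; removable and network drives are skipped.
$Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
         ForEach-Object { $_.DeviceID + '\' }

# Full-drive search for the Orion DLL (install dir may be customized).
$Found = foreach ($Root in $Roots) {
    Get-ChildItem -Path $Root -Recurse -File -Force `
                  -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' `
                  -ErrorAction SilentlyContinue
}

# netsetupsvc.dll is only expected at a static path, so check just that.
$NetSetup = Join-Path $env:SystemRoot 'SysWOW64\netsetupsvc.dll'
if (Test-Path -LiteralPath $NetSetup) { $Found += Get-Item -LiteralPath $NetSetup }

# Collect the same file details the Analysis reports.
$Results = foreach ($File in $Found) {
    $Sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $File.FullName
        Size     = $File.Length
        Modified = $File.LastWriteTimeUtc.ToString('o')
        Version  = $File.VersionInfo.FileVersion
        MD5      = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5).Hash
        SHA1     = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA1).Hash
        SHA256   = $Sha256
        KnownBad = ($KnownBadSha256 -contains $Sha256)
    }
}

# Write the list for the Analysis to parse, then show any matches.
$Results | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
$Results | Where-Object KnownBad | Format-Table Path, SHA256 -AutoSize
```

Run it elevated so every directory on the fixed drives is readable; a file is reported as KnownBad only when its SHA-256 exactly matches an entry you have placed in the list.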