January 27, 2021
The recently disclosed hack of the SolarWinds log management software enabled bad actors to gain access to the protected networks of numerous government agencies and private companies. It is also impacting an untold number of IBM i shops, which use SolarWinds software in not-insignificant numbers.
In early December, Reuters broke the story of a massive and sophisticated breach of federal government computer systems that started in March 2020. According to the stories, state-backed cybercriminals exploited security flaws in at least three software vendors, including SolarWinds, Microsoft Azure, and VMware, to access private information in the target systems, and even to embed malware in product updates downloaded over the Internet.
The bad actors conducted what’s been called a “supply chain” attack, in which exploits in one system enable attackers to infiltrate other downstream systems. Specifically, security flaws in Microsoft and VMware products allowed the attackers to access emails and other cloud-based documents stored in Office 365, which in turn enabled them to utilize federated authentication and single sign-on setups to breach more systems.
It is believed that the attackers utilized compromised Office 365 credentials to hack an FTP site used by developers to build the SolarWinds Orion software product. The attackers then utilized this access to insert malware, called Sunburst, directly into the SolarWinds Orion product updates, thereby turning the network management product into a Trojan horse. The attackers also inserted a malicious program designed to look like the SolarWinds software, called Supernova, which was intended to give the attackers a backdoor to the networks of SolarWinds’ customers.
SolarWinds issued a security advisory on December 31 in which it strongly encourages customers to update their Orion software to a new release that does not contain the malware. The company listed nearly 20 Orion components that were affected by the hack. This includes the Server & Application Monitor (SAM) component, which some organizations use to track IBM i server and network metrics via SNMP traps. The Network Performance Monitor (NPM) component of Orion, which also supports IBM i, is also impacted, SolarWinds says.
Among the 80 or so Orion components that SolarWinds says are not impacted by the hack is Security Event Manager (SEM), which is widely used to track and correlate security data and is also known to be used by IBM i shops.
The Department of Homeland Security issued an advisory calling on all organizations to disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, to block all network traffic to and from hosts, and to eliminate all accounts that are being used by the bad actors.
Only after all vulnerabilities have been removed should users update the Orion software and begin rebuilding the systems. “Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” the DHS says.
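As an added illustration of the advisory's first step (this is not code from the article, DHS or SolarWinds), the Python below flags inventoried Orion hosts whose version string falls inside the range the advisory names. The host names and versions are constructed, and the assumption that a hotfix (HF) sorts after its base release and before the next point release is mine, not the vendor's.

```python
import re

# Affected Orion release range exactly as the article quotes the DHS advisory.
# The vendor advisory remains the authoritative list; this is a triage aid.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE
)


def parse_orion_version(text: str) -> tuple:
    """Turn '2020.2.1 HF1' into a comparable tuple (2020, 2, 1, 1).

    Missing fields count as 0, so '2020.2' < '2020.2 HF1' < '2020.2.1'.
    Assumption: a hotfix sorts after its base release and before the next
    point release.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's range, inclusive."""
    low = parse_orion_version(AFFECTED_LOW)
    high = parse_orion_version(AFFECTED_HIGH)
    return low <= parse_orion_version(version) <= high


def triage(inventory: dict) -> dict:
    """Map host name -> 'isolate' or 'check-vendor-advisory'.

    Hosts outside the quoted range get a follow-up label rather than a
    clean bill, because the article's range is a summary, not the full list.
    """
    return {
        host: ("isolate" if is_affected(ver) else "check-vendor-advisory")
        for host, ver in inventory.items()
    }


# Constructed sample inventory (not real hosts) to exercise the check.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2 HF1",
    "orion-dr-02": "2019.4 HF5",
    "orion-lab-03": "2020.2.1 HF2",
    "orion-legacy-04": "2019.3",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:14} -> {action}")
```

The "isolate" label corresponds to the advisory's disconnect-or-power-down step; the hosts those Orion instances monitor still need to be treated as compromised regardless of the version result.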
It’s unclear to what extent compromised SolarWinds software impacts IBM i shops and their IBM i systems. What is known is that SolarWinds’ software is widely used across many industries, and its Orion products are installed and actively used by many IBM i shops.
According to Precisely’s 2019 security survey, SolarWinds was tied as the second-most popular Security Information and Event Management (SIEM) software among IBM i shops, behind Splunk. It’s unclear how many of these IBM i shops also use SolarWinds Orion software for server or network management, but it is likely that a substantial number of them have standardized on SolarWinds, which claims to have more than 300,000 customers and revenues approaching $1 billion.
HelpSystems President Jim Cassens said he expects some IBM i shops to move on from SolarWinds as a result of the hack. “I’m sure there are customers who will look at that and say, wow, I don’t feel good about SolarWinds implementation and we’ll look for something else,” he says.
However, Cassens says HelpSystems won’t use the SolarWinds hack as a way to convince its customers to use HelpSystems’ own SIEM, which the company announced a few years ago and continues to develop and maintain.
“It always bothers me if you’re trying to take advantage of a situation like that,” he says. “Win on your merits, not necessarily the bad fortune” of a competitor.
We’re continuing to research the SolarWinds hack and will update you as new information becomes available.